dnssec-signkey(1Mtcp)

NAME

dnssec-signkey -- DNSSEC keyset signing tool

SYNOPSIS

dnssec-signkey [-h] [-s start-time] [-e end-time] [-c class] [-p] [-r randomdev] [-v level] keyset keyfile ...

DESCRIPTION

dnssec-signkey is used to sign a key set for a child zone. Typically this would be provided by a keyset file generated by dnssec-makekeyset(1Mtcp). This provides a mechanism for a DNSSEC-aware zone to sign the keys of any DNSSEC-aware child zones. The child zone's key set gets signed with the zone keys for its parent zone. keyset will be the pathname of the child zone's keyset file. Each keyfile argument will be a key identification string as reported by dnssec-keygen(1Mtcp) for the parent zone. This allows the child's keys to be signed by more than one parent zone key.

The -h option makes dnssec-signkey print a short summary of its command line options and arguments.

By default, the validity period of the generated SIG records is copied from that of the signatures in the input key set. This may be overridden with the -s and -e options, both of which must be present if either is. The start of the validity period is specified with the -s option. start-time can be either an absolute or a relative date. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is supplied when start-time is given as +N: N seconds from the current time. If no -s option is supplied, the current date and time is used for the start time of the SIG records.

The expiry date for the SIG records can be set by the -e option. Note that in this context, the expiry date specifies when the SIG records are no longer valid, not when they are deleted from caches on name servers. end-time also represents an absolute or relative date. YYYYMMDDHHMMSS notation is used as before to indicate an absolute date and time. When end-time is +N, it indicates that the SIG records will expire N seconds after their start date. If end-time is written as now+N, the SIG records will expire N seconds after the current time.
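The -s/-e rules above, worked through in a small constructed parser (an added example, not code from this man page or from BIND): start-time is absolute or +N from the current time, end-time is absolute, +N after the start, or now+N after the current time, and both options must be given if either is.

```python
import re
from datetime import datetime, timezone

# Constructed illustration of the -s/-e syntax; not BIND's own implementation.
ABSOLUTE = re.compile(r"^\d{14}$")          # YYYYMMDDHHMMSS, read as UTC
RELATIVE = re.compile(r"^(now)?\+(\d+)$")   # +N or now+N


def parse_absolute(text):
    """YYYYMMDDHHMMSS (UTC) -> Unix timestamp."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def resolve_validity(start_opt, end_opt, now):
    """Return (inception, expiry) Unix timestamps for -s/-e.

    Returns None when neither option is given, i.e. the validity period
    is copied from the signatures in the input keyset instead.
    """
    if start_opt is None and end_opt is None:
        return None
    if start_opt is None or end_opt is None:
        raise ValueError("-s and -e must both be given if either is")

    # start-time: absolute, or +N seconds from the current time.
    # (Assumption: the now+N spelling is accepted only for end-time.)
    if ABSOLUTE.match(start_opt):
        start = parse_absolute(start_opt)
    else:
        m = RELATIVE.match(start_opt)
        if not m or m.group(1):
            raise ValueError(f"bad start-time: {start_opt}")
        start = now + int(m.group(2))

    # end-time: absolute, +N after the start, or now+N after the current time.
    if ABSOLUTE.match(end_opt):
        end = parse_absolute(end_opt)
    else:
        m = RELATIVE.match(end_opt)
        if not m:
            raise ValueError(f"bad end-time: {end_opt}")
        base = now if m.group(1) else start
        end = base + int(m.group(2))

    # A SIG whose expiry precedes its inception is never valid; reject it.
    if end <= start:
        raise ValueError("expiry must be after inception")
    return start, end
```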

The -c option specifies that the KEY records in the input and output key sets should have the specified class instead of IN.

dnssec-signkey may need random numbers in the process of generating keys. If the system does not have a /dev/random device that can be used for generating random numbers, dnssec-signkey will prompt for keyboard input and use the time intervals between keystrokes to provide randomness. The -r option overrides this behaviour, making dnssec-signkey use randomdev as a source of random data.

The -p option instructs dnssec-signkey to use pseudo-random data when signing the keys. This is faster, but less secure, than using genuinely random data for signing. This option may be useful when there are many child zone keysets to sign or if the entropy source is limited. It could also be used for short-lived keys and signatures that don't require as much protection against cryptanalysis, such as when the key will be discarded long before it could be compromised.

The -v option can be used to make dnssec-signkey more verbose. As the debugging/tracing level (level) increases, dnssec-signkey generates increasingly detailed reports about what it is doing. The default level is zero.

When dnssec-signkey completes successfully, it generates a file called signedkey-nnnn. (note the trailing dot, which is part of the file name) containing the signed keys for child zone nnnn. The keys from the keyset file will have been signed by the parent zone's key or keys which were supplied as keyfile arguments. This file should be sent to the DNS administrator of the child zone. They arrange for its contents to be incorporated into the zone file when it next gets signed with dnssec-signzone(1Mtcp). A copy of the generated signedkey file should be kept by the parent zone's DNS administrator, since it will be needed when signing the parent zone.

EXAMPLE

The DNS administrator for a DNSSEC-aware .com zone would use the following command to make dnssec-signkey sign the keyset file for example.com created in the example shown in the man page for dnssec-makekeyset(1Mtcp):
   # dnssec-signkey keyset-example.com. Kcom.+003+51944

where Kcom.+003+51944 was a key file identifier that was produced when dnssec-keygen(1Mtcp) generated a key for the .com zone.

dnssec-signkey will produce a file called signedkey-example.com. which has the keys for example.com signed by the com zone's zone key.

FILES

/dev/random

SEE ALSO

RFC2535, dnssec-keygen(1Mtcp), dnssec-makekeyset(1Mtcp), dnssec-signzone(1Mtcp).


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004