DNSSEC-SIGNKEY(8) DNSSEC-SIGNKEY(8)
NAME
dnssec-signkey - DNSSEC key set signing tool
SYNOPSIS
dnssec-signkey [ -a ] [ -c class ] [ -s start-time ] [ -e end-time ] [ -h ] [ -p ] [ -r randomdev ] [ -v level ] keyset key...
DESCRIPTION
dnssec-signkey signs a keyset. Typically the keyset will be for a child zone, and will have been generated by dnssec-makekeyset. The child
zone's keyset is signed with the zone keys for its parent zone. The output file is of the form signedkey-nnnn., where nnnn is the zone
name.
OPTIONS
-a Verify all generated signatures.
-c class
Specifies the DNS class of the key sets.
-s start-time
Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute
start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
start time is indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time is used.
-e end-time
Specify the date and time when the generated SIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS
notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time realtive to the
current time is indicated with now+N. If no end-time is specified, 30 days from the start time is used as a default.
-h Prints a short summary of the options and arguments to dnssec-signkey.
-p Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be use-
ful when signing large zones or when the entropy source is limited.
-r randomdev
Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source
of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used
instead of the default. The special value keyboard indicates that keyboard input should be used.
-v level
Sets the debugging level.
keyset The file containing the child's keyset.
key The keys used to sign the child's keyset.
EXAMPLE
The DNS administrator for a DNSSEC-aware .com zone would use the following command to sign the keyset file for example.com created by
dnssec-makekeyset with a key generated by dnssec-keygen:
dnssec-signkey keyset-example.com. Kcom.+003+51944
In this example, dnssec-signkey creates the file signedkey-example.com., which contains the example.com keys and the signatures by the .com
keys.
SEE ALSO
dnssec-keygen(8), dnssec-makekeyset(8), dnssec-signzone(8).
AUTHOR
Internet Software Consortium
BIND9 June 30, 2000 DNSSEC-SIGNKEY(8)
