DNSSEC-SIGNKEY(8) DNSSEC-SIGNKEY(8) NAME dnssec-signkey - DNSSEC key set signing tool SYNOPSIS dnssec-signkey [ -a ] [ -c class ] [ -s start-time ] [ -e end-time ] [ -h ] [ -p ] [ -r randomdev ] [ -v level ] keyset key... DESCRIPTION dnssec-signkey signs a keyset. Typically the keyset will be for a child zone, and will have been generated by dnssec-makekeyset. The child zone's keyset is signed with the zone keys for its parent zone. The output file is of the form signedkey-nnnn., where nnnn is the zone name. OPTIONS -a Verify all generated signatures. -c class Specifies the DNS class of the key sets. -s start-time Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time is used. -e end-time Specify the date and time when the generated SIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time realtive to the current time is indicated with now+N. If no end-time is specified, 30 days from the start time is used as a default. -h Prints a short summary of the options and arguments to dnssec-signkey. -p Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be use- ful when signing large zones or when the entropy source is limited. -r randomdev Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used. -v level Sets the debugging level. keyset The file containing the child's keyset. key The keys used to sign the child's keyset. EXAMPLE The DNS administrator for a DNSSEC-aware .com zone would use the following command to sign the keyset file for example.com created by dnssec-makekeyset with a key generated by dnssec-keygen: dnssec-signkey keyset-example.com. Kcom.+003+51944 In this example, dnssec-signkey creates the file signedkey-example.com., which contains the example.com keys and the signatures by the .com keys. SEE ALSO dnssec-keygen(8), dnssec-makekeyset(8), dnssec-signzone(8). AUTHOR Internet Software Consortium BIND9 June 30, 2000 DNSSEC-SIGNKEY(8)