ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity

converted man pages to docbook and cleaned them up.

Browse Source
This commit is contained in:
Brian Wellington
2001-03-30 22:50:27 +00:00
parent 3efd690413
commit 0b062f4990
13 changed files with 3443 additions and 956 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
bin/dnssec/Makefile.in
View File

@@ -13,7 +13,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.17 2001/02/04 15:52:38 bwelling Exp $
# $Id: Makefile.in,v 1.18 2001/03/30 22:50:20 bwelling Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -55,6 +55,13 @@ MANPAGES = dnssec-keygen.8 \
dnssec-signkey.8 \
dnssec-signzone.8
HTMLPAGES = dnssec-keygen.html \
dnssec-makekeyset.html \
dnssec-signkey.html \
dnssec-signzone.html
MANOBJS = ${MANPAGES} ${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-keygen: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
@@ -72,8 +79,10 @@ dnssec-signzone.@O@: dnssec-signzone.c
dnssec-signzone: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ dnssec-signzone.@O@ ${OBJS} ${LIBS}
clean distclean::
rm -f ${TARGETS}
doc man:: ${MANOBJS}
docclean manclean maintainer-clean::
rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
@@ -82,3 +91,7 @@ installdirs:
install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
for m in ${MANPAGES}; do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8; done
clean distclean::
rm -f ${TARGETS}

432
bin/dnssec/dnssec-keygen.8
View File

@@ -12,298 +12,146 @@
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" ""
.SH NAME
dnssec-keygen \- DNSSEC key generation tool
.SH SYNOPSIS
.sp
\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR
.SH "DESCRIPTION"
.PP
\fBdnssec-keygen\fR generates keys for DNSSEC
(Secure DNS), as defined in RFC 2535. It can also generate
keys for use with TSIG (Transaction Signatures), as
defined in RFC 2845.
.SH "OPTIONS"
.TP
\fB-a \fIalgorithm\fB\fR
Selects the cryptographic algorithm. The value of
\fBalgorithm\fR must be one of RSAMD5 or RSA,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
.\" $Id: dnssec-keygen.8,v 1.12 2001/01/09 21:47:21 bwelling Exp $
.Dd Jun 30, 2000
.Dt DNSSEC-KEYGEN 8
.Os BIND9 9
.ds vT BIND9 Programmer's Manual
.Sh NAME
.Nm dnssec-keygen
.Nd key generation tool for DNSSEC
.Sh SYNOPSIS
.Nm dnssec-keygen
.Fl a Ar algorithm
.Fl b Ar keysize
.Op Fl c Ar class
.Op Fl e
.Op Fl g Ar generator
.Op Fl h
.Fl n Ar nametype
.Op Fl p Ar protocol-value
.Op Fl r Ar randomdev
.Op Fl s Ar strength-value
.Op Fl t Ar type
.Op Fl v Ar level
.Ar name
.Sh DESCRIPTION
.Nm dnssec-keygen
generates keys for DNSSEC, Secure DNS, as defined in RFC2535.
It also generates keys for use in Transaction Signatures, TSIG, which
is defined in RFC2845.
.Pp
A short summary of the options and arguments to
.Nm dnssec-keygen
is printed by the
.Fl h
(help) option.
.Pp
The
.Fl a ,
.Fl b ,
and
.Fl n
options and their arguments must be supplied when generating keys.
The domain name that the key has to be generated for is given by
.Ar name .
.Pp
The choice of encryption algorithm is selected by the
.Fl a
option to
.Nm dnssec-keygen .
.Ar algorithm
must be one of
.Dv RSAMD5 ,
.Dv DH ,
.Dv DSA
or
.Dv HMAC-MD5
to indicate that an RSA, Diffie-Hellman, Digital Signature
Algorithm or HMAC-MD5 key is required.
An argument of
.Dv RSA
can also be given, which is equivalent to
.Dv RSAMD5 .
The argument identifying the encryption algorithm is case-insensitive.
DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
Implementations of TSIG must support HMAC-MD5.
.Pp
The number of bits in the key is determined by the
.Ar keysize
argument following the
.Fl b
option.
The choice of key size depends on the algorithm that is used.
RSA keys must be between 512 and 2048 bits.
Diffie-Hellman keys must be between 128 and 4096 bits.
For DSA, the key size must be between 512 and 1024 bits and a multiple
of 64.
The length of an HMAC-MD5 key can be between 1 and 512 bits.
.Pp
The
.Fl n
option specifies how the generated key will be used.
.Ar nametype
can be either
.Dv ZONE ,
.Dv HOST ,
.Dv ENTITY ,
or
.Dv USER
to indicate that the key will be used for signing a zone, host,
entity or user respectively.
In this context
.Dv HOST
and
.Dv ENTITY
are identical.
.Ar nametype
is case-insensitive.
.Pp
The
.Fl c
option specifies that the when creating a KEY record, the specified class
should be used instead of IN.
.Pp
The
.Fl e
option can only be used when generating RSA keys.
It tells
.Nm dnssec-keygen
to use a large exponent.
When creating Diffie-Hellman keys, the
.Fl g
option selects the Diffie-Hellman generator
.Ar generator
that is to be used.
The only supported values value of
.Ar generator
are 2 and 5.
If no Diffie-Hellman generator is supplied, a known prime
from RFC2539 will be used if possible; otherwise 2 will be used as the
generator.
.Pp
The
.Fl p
option sets the protocol value for the generated key to
.Ar protocol-value .
The default is 2 (email) for keys of type
.Dv USER
and 3 (DNSSEC) for all other key types.
Other possible values for this argument are listed in RFC2535 and its
successors.
.Pp
.Nm dnssec-keygen
uses random numbers to seed the process
of generating keys.
If the system does not have a
.Pa /dev/random
device that can be used for generating random numbers,
.Nm dnssec-keygen
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
.Nm dnssec-keygen
use
.Ar randomdev
as a source of random data.
.Pp
The key's strength value can be set with the
.Fl s
option.
The generated key will sign DNS resource records
with a strength value of
.Ar strength-value .
It should be a number between 0 and 15.
The default strength is zero.
The key strength field currently has no defined purpose in DNSSEC.
.Pp
The
.Fl t
option indicates if the key is to be used for authentication or
confidentiality.
.Ar type
can be one of
.Dv AUTHCONF ,
.Dv NOAUTHCONF ,
.Dv NOAUTH
or
.Dv NOCONF .
The default is
.Dv AUTHCONF .
If type is
.Dv AUTHCONF
the key can be used for authentication and confidentialty.
Setting
.Ar type
to
.Dv NOAUTHCONF
indicates that the key cannot be used for authentication or confidentialty.
A value of
.Dv NOAUTH
means the key can be used for confidentiality but not for
authentication.
Similarly,
.Dv NOCONF
defines that the key cannot be used for confidentiality though it can
be used for authentication.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-keygen
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-keygen
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Sh GENERATED KEYS
When
.Nm dnssec-keygen
completes it prints a string of the form
.Ar Knnnn.+aaa+iiiii
on the standard output.
This is an identification string for the key it has generated.
These strings can be supplied as arguments to
.Xr dnssec-makekeyset 8 .
.Pp
The
.Ar nnnn.
part is the dot-terminated domain name given by
.Ar name .
The DNSSEC algorithm identifier is indicated by
.Ar aaa -
001 for RSA, 002 for Diffie-Hellman, 003 for DSA or 157 for HMAC-MD5.
.Ar iiiii
is a five-digit number identifying the key.
.Pp
.Nm dnssec-keygen
creates two files.
The file names are adapted from the key identification string above.
They have names of the form:
.Ar Knnnn.+aaa+iiiii.key
and
.Ar Knnnn.+aaa+iiiii.private .
These contain the public and private parts of the key respectively.
The files generated by
.Nm dnssec-keygen
obey this naming convention to
make it easy for the signing tool
.Xr dnssec-signzone 8
to identify which file(s) have to be read to find the necessary
key(s) for generating or validating signatures.
.Pp
The
.Ar .key
file contains a KEY resource record that can be inserted into a zone file
with a
.Dv $INCLUDE
statement.
The private part of the key is in the
.Ar .private
file.
It contains details of the encryption algorithm that was used and any
relevant parameters: prime number, exponent, modulus, subprime, etc.
For obvious security reasons, this file does not have general read
permission.
The private part of the key is used by
.Xr dnssec-signzone 8
to generate signatures and the public part is used to verify the
signatures.
Both
.Ar .key
and
.Ar .private
key files are generated for symmetric encryption algorithm such as
Note that for DNSSEC, DSA is a mandatory to implement algorithm,
and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
.TP
\fB-b \fIkeysize\fB\fR
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be between
512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
between 1 and 512 bits.
.TP
\fB-n \fInametype\fB\fR
Specifies the owner type of the key. The value of
\fBnametype\fR must either be ZONE (for a DNSSEC
zone key), HOST or ENTITY (for a key associated with a host),
or USER (for a key associated with a user). These values are
case insensitive.
.TP
\fB-c \fIclass\fB\fR
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
.TP
\fB-e\fR
If generating an RSA key, use a large exponent.
.TP
\fB-g \fIgenerator\fB\fR
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
.TP
\fB-h\fR
Prints a short summary of the options and arguments to
\fBdnssec-keygen\fR.
.TP
\fB-p \fIprotocol\fB\fR
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 2 (email) for
keys of type USER and 3 (DNSSEC) for all other key types.
Other possible values for this argument are listed in
RFC 2535 and its successors.
.TP
\fB-r \fIrandomdev\fB\fR
Specifies the source of randomness. If the operating
system does not provide a \fI/dev/random\fR
or equivalent device, the default source of randomness
is keyboard input. \fIrandomdev\fR specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
\fIkeyboard\fR indicates that keyboard
input should be used.
.TP
\fB-s \fIstrength\fB\fR
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
.TP
\fB-t \fItype\fB\fR
Indicates the use of the key. \fBtype\fR must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
.TP
\fB-v \fIlevel\fB\fR
Sets the debugging level.
.SH "GENERATED KEYS"
.PP
When \fBdnssec-keygen\fR completes successfully,
it prints a string of the form \fIKnnnn.+aaa+iiiii\fR
to the standard output. This is an identification string for
the key it has generated. These strings can be used as arguments
to \fBdnssec-makekeyset\fR.
.PP
\fInnnn\fR is the key name.
.PP
\fIaaa\fR is the numeric representation of the algorithm.
.PP
\fIiiiii\fR is the key identifier (or footprint).
.PP
\fBdnssec-keygen\fR creates two file, with names based
on the printed string. \fIKnnnn.+aaa+iiiii.key\fR
contains the public key, and
\fIKnnnn.+aaa+iiiii.private\fR contains the private
key.
.PP
The \fI.key\fR file contains a DNS KEY record that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
.PP
The \fI.private\fR file contains algorithm specific
fields. For obvious security reasons, this file does not have
general read permission.
.PP
Both \fI.key\fR and \fI.private\fR
files are generated for symmetric encryption algorithm such as
HMAC-MD5, even though the public and private key are equivalent.
.Sh EXAMPLE
.SH "EXAMPLE"
.PP
To generate a 768-bit DSA key for the domain
.Dv example.com ,
the following command would be issued:
.Pp
.Dl # dnssec-keygen -a DSA -b 768 -n ZONE example.com
.Dl Kexample.com.+003+26160
.Pp
.Nm dnssec-keygen
has printed the key identification string
.Dv Kexample.com.+003+26160 ,
indicating a DSA key with identifier 26160.
It will also have created the files
.Pa Kexample.com.+003+26160.key
and
.Pa Kexample.com.+003+26160.private
containing respectively the public and private keys for the generated
DSA key.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2535,
.Xr RFC2845,
.Xr RFC2539,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signkey 8 ,
.Xr dnssec-signzone 8 .
.Sh BUGS
The naming convention for the public and private key files is a little
clumsy.
It won't work for domain names that are longer than 236 characters
because of the
.Ar .+aaa+iiiii.private
suffix results in filenames that are too long for most
.Ux
systems.
\fBexample.com\fR, the following command would be
issued:
.PP
\fBdnssec-keygen -a DSA -b 768 -n ZONE example.com\fR
.PP
The command would print a string of the form:
.PP
\fBKexample.com.+003+26160\fR
.PP
In this example, \fBdnssec-keygen\fR creates
the files \fIKexample.com.+003+26160.key\fR and
\fIKexample.com.+003+26160.private\fR
.SH "SEE ALSO"
.PP
\fBdnssec-makekeyset\fR(8),
\fBdnssec-signkey\fR(8),
\fBdnssec-signzone\fR(8),
\fIBIND 9 Administrator Reference Manual\fR,
\fIRFC 2535\fR,
\fIRFC 2845\fR,
\fIRFC 2539\fR.
.SH "AUTHOR"
.PP
Internet Software Consortium

300
bin/dnssec/dnssec-keygen.docbook Normal file
View File

@@ -0,0 +1,300 @@
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentry>
<refentryinfo>
<date>June 30, 2000</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-keygen</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-keygen</application></refname>
<refpurpose>DNSSEC key generation tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-keygen</command>
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
<arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>
<command>dnssec-keygen</command> generates keys for DNSSEC
(Secure DNS), as defined in RFC 2535. It can also generate
keys for use with TSIG (Transaction Signatures), as
defined in RFC 2845.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 or RSA,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
</para>
<para>
Note that for DNSSEC, DSA is a mandatory to implement algorithm,
and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be between
512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
between 1 and 512 bits.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key), HOST or ENTITY (for a key associated with a host),
or USER (for a key associated with a user). These values are
case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e</term>
<listitem>
<para>
If generating an RSA key, use a large exponent.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
<para>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 2 (email) for
keys of type USER and 3 (DNSSEC) for all other key types.
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
<para>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>GENERATED KEYS</title>
<para>
When <command>dnssec-keygen</command> completes successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key it has generated. These strings can be used as arguments
to <command>dnssec-makekeyset</command>.
</para>
<para>
<filename>nnnn</filename> is the key name.
</para>
<para>
<filename>aaa</filename> is the numeric representation of the algorithm.
</para>
<para>
<filename>iiiii</filename> is the key identifier (or footprint).
</para>
<para>
<command>dnssec-keygen</command> creates two file, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the private
key.
</para>
<para>
The <filename>.key</filename> file contains a DNS KEY record that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</para>
<para>
The <filename>.private</filename> file contains algorithm specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>
<para>
Both <filename>.key</filename> and <filename>.private</filename>
files are generated for symmetric encryption algorithm such as
HMAC-MD5, even though the public and private key are equivalent.
</para>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
To generate a 768-bit DSA key for the domain
<userinput>example.com</userinput>, the following command would be
issued:
</para>
<para>
<userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
</para>
<para>
The command would print a string of the form:
</para>
<para>
<userinput>Kexample.com.+003+26160</userinput>
</para>
<para>
In this example, <command>dnssec-keygen</command> creates
the files <filename>Kexample.com.+003+26160.key</filename> and
<filename>Kexample.com.+003+26160.private</filename>
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>dnssec-makekeyset</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signkey</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2535</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 2539</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>
<corpauthor>Internet Software Consortium</corpauthor>
</para>
</refsect1>
</refentry>
<!--
- Local variables:
- mode: sgml
- End:
-->

561
bin/dnssec/dnssec-keygen.html Normal file
View File

@@ -0,0 +1,561 @@
<!--
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->
<HTML
><HEAD
><TITLE
>dnssec-keygen</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>dnssec-keygen</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>dnssec-keygen</SPAN
>&nbsp;--&nbsp;DNSSEC key generation tool</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>dnssec-keygen</B
> {-a <TT
CLASS="REPLACEABLE"
><I
>algorithm</I
></TT
>} {-b <TT
CLASS="REPLACEABLE"
><I
>keysize</I
></TT
>} {-n <TT
CLASS="REPLACEABLE"
><I
>nametype</I
></TT
>} [<TT
CLASS="OPTION"
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-e</TT
>] [<TT
CLASS="OPTION"
>-g <TT
CLASS="REPLACEABLE"
><I
>generator</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-h</TT
>] [<TT
CLASS="OPTION"
>-p <TT
CLASS="REPLACEABLE"
><I
>protocol</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-s <TT
CLASS="REPLACEABLE"
><I
>strength</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-t <TT
CLASS="REPLACEABLE"
><I
>type</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></TT
>] {name}</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN48"
></A
><H2
>DESCRIPTION</H2
><P
> <B
CLASS="COMMAND"
>dnssec-keygen</B
> generates keys for DNSSEC
(Secure DNS), as defined in RFC 2535. It can also generate
keys for use with TSIG (Transaction Signatures), as
defined in RFC 2845.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN52"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a <TT
CLASS="REPLACEABLE"
><I
>algorithm</I
></TT
></DT
><DD
><P
> Selects the cryptographic algorithm. The value of
<TT
CLASS="OPTION"
>algorithm</TT
> must be one of RSAMD5 or RSA,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
</P
><P
> Note that for DNSSEC, DSA is a mandatory to implement algorithm,
and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
</P
></DD
><DT
>-b <TT
CLASS="REPLACEABLE"
><I
>keysize</I
></TT
></DT
><DD
><P
> Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be between
512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
between 1 and 512 bits.
</P
></DD
><DT
>-n <TT
CLASS="REPLACEABLE"
><I
>nametype</I
></TT
></DT
><DD
><P
> Specifies the owner type of the key. The value of
<TT
CLASS="OPTION"
>nametype</TT
> must either be ZONE (for a DNSSEC
zone key), HOST or ENTITY (for a key associated with a host),
or USER (for a key associated with a user). These values are
case insensitive.
</P
></DD
><DT
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></DT
><DD
><P
> Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</P
></DD
><DT
>-e</DT
><DD
><P
> If generating an RSA key, use a large exponent.
</P
></DD
><DT
>-g <TT
CLASS="REPLACEABLE"
><I
>generator</I
></TT
></DT
><DD
><P
> If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</P
></DD
><DT
>-h</DT
><DD
><P
> Prints a short summary of the options and arguments to
<B
CLASS="COMMAND"
>dnssec-keygen</B
>.
</P
></DD
><DT
>-p <TT
CLASS="REPLACEABLE"
><I
>protocol</I
></TT
></DT
><DD
><P
> Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 2 (email) for
keys of type USER and 3 (DNSSEC) for all other key types.
Other possible values for this argument are listed in
RFC 2535 and its successors.
</P
></DD
><DT
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></DT
><DD
><P
> Specifies the source of randomness. If the operating
system does not provide a <TT
CLASS="FILENAME"
>/dev/random</TT
>
or equivalent device, the default source of randomness
is keyboard input. <TT
CLASS="FILENAME"
>randomdev</TT
> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<TT
CLASS="FILENAME"
>keyboard</TT
> indicates that keyboard
input should be used.
</P
></DD
><DT
>-s <TT
CLASS="REPLACEABLE"
><I
>strength</I
></TT
></DT
><DD
><P
> Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</P
></DD
><DT
>-t <TT
CLASS="REPLACEABLE"
><I
>type</I
></TT
></DT
><DD
><P
> Indicates the use of the key. <TT
CLASS="OPTION"
>type</TT
> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</P
></DD
><DT
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></DT
><DD
><P
> Sets the debugging level.
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN121"
></A
><H2
>GENERATED KEYS</H2
><P
> When <B
CLASS="COMMAND"
>dnssec-keygen</B
> completes successfully,
it prints a string of the form <TT
CLASS="FILENAME"
>Knnnn.+aaa+iiiii</TT
>
to the standard output. This is an identification string for
the key it has generated. These strings can be used as arguments
to <B
CLASS="COMMAND"
>dnssec-makekeyset</B
>.
</P
><P
> <TT
CLASS="FILENAME"
>nnnn</TT
> is the key name.
</P
><P
> <TT
CLASS="FILENAME"
>aaa</TT
> is the numeric representation of the algorithm.
</P
><P
> <TT
CLASS="FILENAME"
>iiiii</TT
> is the key identifier (or footprint).
</P
><P
> <B
CLASS="COMMAND"
>dnssec-keygen</B
> creates two file, with names based
on the printed string. <TT
CLASS="FILENAME"
>Knnnn.+aaa+iiiii.key</TT
>
contains the public key, and
<TT
CLASS="FILENAME"
>Knnnn.+aaa+iiiii.private</TT
> contains the private
key.
</P
><P
> The <TT
CLASS="FILENAME"
>.key</TT
> file contains a DNS KEY record that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</P
><P
> The <TT
CLASS="FILENAME"
>.private</TT
> file contains algorithm specific
fields. For obvious security reasons, this file does not have
general read permission.
</P
><P
> Both <TT
CLASS="FILENAME"
>.key</TT
> and <TT
CLASS="FILENAME"
>.private</TT
>
files are generated for symmetric encryption algorithm such as
HMAC-MD5, even though the public and private key are equivalent.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN144"
></A
><H2
>EXAMPLE</H2
><P
> To generate a 768-bit DSA key for the domain
<TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
>, the following command would be
issued:
</P
><P
> <TT
CLASS="USERINPUT"
><B
>dnssec-keygen -a DSA -b 768 -n ZONE example.com</B
></TT
>
</P
><P
> The command would print a string of the form:
</P
><P
> <TT
CLASS="USERINPUT"
><B
>Kexample.com.+003+26160</B
></TT
>
</P
><P
> In this example, <B
CLASS="COMMAND"
>dnssec-keygen</B
> creates
the files <TT
CLASS="FILENAME"
>Kexample.com.+003+26160.key</TT
> and
<TT
CLASS="FILENAME"
>Kexample.com.+003+26160.private</TT
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN157"
></A
><H2
>SEE ALSO</H2
><P
> <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-makekeyset</SPAN
>(8)</SPAN
>,
<SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signkey</SPAN
>(8)</SPAN
>,
<SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signzone</SPAN
>(8)</SPAN
>,
<I
CLASS="CITETITLE"
>BIND 9 Administrator Reference Manual</I
>,
<I
CLASS="CITETITLE"
>RFC 2535</I
>,
<I
CLASS="CITETITLE"
>RFC 2845</I
>,
<I
CLASS="CITETITLE"
>RFC 2539</I
>.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN173"
></A
><H2
>AUTHOR</H2
><P
> Internet Software Consortium
</P
></DIV
></BODY
></HTML
>

292
bin/dnssec/dnssec-makekeyset.8
View File

@@ -12,199 +12,99 @@
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" $Id: dnssec-makekeyset.8,v 1.10 2001/01/09 21:47:23 bwelling Exp $
.Dd Jun 30, 2000
.Dt DNSSEC-MAKEKEYSET 8
.Os BIND9 9
.ds vT BIND9 Programmer's Manual
.Sh NAME
.Nm dnssec-makekeyset
.Nd produce a set of DNSSEC keys
.Sh SYNOPSIS
.Nm dnssec-makekeyset
.Op Fl h
.Op Fl s Ar start-time
.Op Fl e Ar end-time
.Op Fl t Ar TTL
.Op Fl r Ar randomdev
.Op Fl p
.Op Fl v Ar level
.Ar keyfile ....
.Sh DESCRIPTION
.Nm dnssec-makekeyset
generates a key set from one or more keys created by
.Xr dnssec-keygen 8 .
It creates a file containing KEY and SIG records for some zone which
can then be signed by the zone's parent if the parent zone is
DNSSEC-aware.
.Ar keyfile
should be a key identification string as reported by
.Xr dnssec-keygen 8 :
i.e.
.Ar Knnnn.+aaa+iiiii
where
.Ar nnnn
is the name of the key,
.Ar aaa
is the encryption algorithm and
.Ar iiiii
is the key identifier.
Multiple
.Ar keyfile
arguments can be supplied when there are several keys to be combined
by
.Nm dnssec-makekeyset
into a key set.
.Pp
For any SIG records that are in the key set, the start time when the
SIG records become valid is specified with the
.Fl s
option.
.Ar start-time
can either be an absolute or relative date.
An absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when
.Ar start-time
is given as +N: N seconds from the current time.
If no
.Fl s
option is supplied, the current date and time is used for the start
time of the SIG records.
.Pp
The expiry date for the SIG records can be set by the
.Fl e
option.
Note that in this context, the expiry date specifies when the SIG
records are no longer valid, not when they are deleted from caches on name
servers.
.Ar end-date
also represents an absolute or relative date.
YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
and time.
When
.Ar end-date
is +N,
it indicates that the SIG records will expire in N seconds after their
start date.
If
.Ar end-date
is written as now+N,
the SIG records will expire in N seconds after the current time.
When no expiry date is set for the SIG records,
.Nm dnssec-makekeyset
defaults to an expire time of 30 days from the start time of the SIG
records.
.Pp
An alternate source of random data can be specified with the
.Fl r
option.
.Ar randomdev
is the name of the file to use to obtain random data.
By default
.Pa /dev/random
is used if this device is available.
If it is not provided by the operating system and no
.Fl r
option is used,
.Nm dnssec-makekeyset
will prompt the user for input from the keyboard and use the time
between keystrokes to derive some random data.
.Pp
The
.Fl p
option instructs
.Nm dnssec-makekeyset
to use pseudo-random data when self-signing the keyset. This is faster, but
less secure, than using genuinely random data for signing.
This option may be useful when the entropy source is limited.
.Pp
The
.Fl t
option is followed by a time-to-live argument
.Ar TTL
which indicates the TTL value that will be assigned to the assembled KEY
and SIG records in the output file.
.Ar TTL
is expressed in seconds.
If no
.Fl t
option is provided,
.Nm dnssec-makekeyset
prints a warning and uses a default TTL of 3600 seconds.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-makekeyset
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-makekeyset
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Pp
The
.Fl h
option makes
.Nm dnssec-makekeyset
to print a short summary of its options and arguments.
.Pp
If
.Nm dnssec-makekeyset
is successful, it creates a file name of the form
.Ar keyset-nnnn. .
This file contains the KEY and SIG records for domain
.Dv nnnn ,
the domain name part from the key file identifier produced when
.Nm dnssec-keygen
created the domain's public and private keys.
The
.Ar keyset
file can then be transferred to the DNS administrator of the parent
zone for them to sign the contents with
.Xr dnssec-signkey 8 .
.Sh EXAMPLE
The following command generates a key set for the DSA key for
.Dv example.com
that was shown in the
.Xr dnssec-keygen 8
man page.
The backslash is for typographic reasons and would not be provided on
the command line when running
.Nm dnssec-makekeyset .
.nf
.Dl # dnssec-makekeyset -t 86400 -s 20000701120000 \e\p
.Dl -e +2592000 Kexample.com.+003+26160
.fi
.Pp
.Nm dnssec-makekeyset
will create a file called
.Pa keyset-example.com.
containing a SIG and KEY record for
.Dv example.com.
These records will have a TTL of 86400 seconds (1 day).
The SIG record becomes valid at noon UTC on July 1st 2000 and expires
30 days (2592000 seconds) later.
.Pp
The DNS administrator for
.Dv example.com
could then send
.Pa keyset-example.com.
to the DNS administrator for
.Dv .com
so that they could sign the resource records in the file.
This assumes that the
.Dv .com
zone is DNSSEC-aware and the administrators of the two zones have some
mechanism for authenticating each other and exchanging the keys and
signatures securely.
.Sh FILES
.Pa /dev/random .
.Sh SEE ALSO
.Xr RFC2535 ,
.Xr dnssec-keygen 8 ,
.Xr dnssec-signkey 8 .
.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" ""
.SH NAME
dnssec-makekeyset \- DNSSEC zone signing tool
.SH SYNOPSIS
.sp
\fBdnssec-makekeyset\fR [ \fB-a\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fIttl\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkey\fR\fI...\fR
.SH "DESCRIPTION"
.PP
\fBdnssec-makekeyset\fR generates a key set from one
or more keys created by \fBdnssec-keygen\fR. It creates
a file containing a KEY record for each key, and self-signs the key
set with each zone key. The output file is of the form
\fIkeyset-nnnn.\fR, where \fInnnn\fR
is the zone name.
.SH "OPTIONS"
.TP
\fB-a\fR
Verify all generated signatures.
.TP
\fB-s \fIstart-time\fB\fR
Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no \fBstart-time\fR is specified, the current
time is used.
.TP
\fB-e \fIend-time\fB\fR
Specify the date and time when the generated SIG records
expire. As with \fBstart-time\fR, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time realtive to the current time is
indicated with now+N. If no \fBend-time\fR is
specified, 30 days from the start time is used as a default.
.TP
\fB-h\fR
Prints a short summary of the options and arguments to
\fBdnssec-makekeyset\fR.
.TP
\fB-p\fR
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
.TP
\fB-r \fIrandomdev\fB\fR
Specifies the source of randomness. If the operating
system does not provide a \fI/dev/random\fR
or equivalent device, the default source of randomness
is keyboard input. \fIrandomdev\fR specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
\fIkeyboard\fR indicates that keyboard
input should be used.
.TP
\fB-t \fIttl\fB\fR
Specify the TTL (time to live) of the KEY and SIG records.
The default is 3600 seconds.
.TP
\fB-v \fIlevel\fB\fR
Sets the debugging level.
.TP
\fBkey\fR
Lists the keys included in the keyset file. These keys
are expressed in the form \fIKnnnn.+aaa+iiiii\fR
as generated by \fBdnssec-keygen\fR.
.SH "EXAMPLE"
.PP
The following command generates a keyset containing the DSA key for
\fBexample.com\fR generated in the
\fBdnssec-keygen\fR man page.
.PP
\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR
.PP
In this example, \fBdnssec-makekeyset\fR creates
the file \fIkeyset-example.com.\fR. This file
contains the specified key and a self-generated signature.
.PP
The DNS administrator for \fBexample.com\fR could
send \fIkeyset-example.com.\fR to the DNS
administrator for \fB.com\fR for signing, if the
\&.com zone is DNSSEC-aware and the administrators of the two zones
have some mechanism for authenticating each other and exchanging
the keys and signatures securely.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signkey\fR(8),
\fIBIND 9 Administrator Reference Manual\fR,
\fIRFC 2535\fR.
.SH "AUTHOR"
.PP
Internet Software Consortium

215
bin/dnssec/dnssec-makekeyset.docbook Normal file
View File

@@ -0,0 +1,215 @@
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentry>
<refentryinfo>
<date>June 30, 2000</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-makekeyset</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-makekeyset</application></refname>
<refpurpose>DNSSEC zone signing tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-makekeyset</command>
<arg><option>-a</option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-p</option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-t</option><replaceable class="parameter">ttl</replaceable></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req" rep="repeat">key</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>
<command>dnssec-makekeyset</command> generates a key set from one
or more keys created by <command>dnssec-keygen</command>. It creates
a file containing a KEY record for each key, and self-signs the key
set with each zone key. The output file is of the form
<filename>keyset-nnnn.</filename>, where <filename>nnnn</filename>
is the zone name.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem>
<para>
Verify all generated signatures.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <option>start-time</option> is specified, the current
time is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated SIG records
expire. As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time realtive to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-makekeyset</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">ttl</replaceable></term>
<listitem>
<para>
Specify the TTL (time to live) of the KEY and SIG records.
The default is 3600 seconds.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>key</term>
<listitem>
<para>
Lists the keys included in the keyset file. These keys
are expressed in the form <filename>Knnnn.+aaa+iiiii</filename>
as generated by <command>dnssec-keygen</command>.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
The following command generates a keyset containing the DSA key for
<userinput>example.com</userinput> generated in the
<command>dnssec-keygen</command> man page.
</para>
<para>
<userinput>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</userinput>
</para>
<para>
In this example, <command>dnssec-makekeyset</command> creates
the file <filename>keyset-example.com.</filename>. This file
contains the specified key and a self-generated signature.
</para>
<para>
The DNS administrator for <userinput>example.com</userinput> could
send <filename>keyset-example.com.</filename> to the DNS
administrator for <userinput>.com</userinput> for signing, if the
.com zone is DNSSEC-aware and the administrators of the two zones
have some mechanism for authenticating each other and exchanging
the keys and signatures securely.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signkey</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2535</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>
<corpauthor>Internet Software Consortium</corpauthor>
</para>
</refsect1>
</refentry>
<!--
- Local variables:
- mode: sgml
- End:
-->

404
bin/dnssec/dnssec-makekeyset.html Normal file
View File

@@ -0,0 +1,404 @@
<!--
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->
<HTML
><HEAD
><TITLE
>dnssec-makekeyset</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>dnssec-makekeyset</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>dnssec-makekeyset</SPAN
>&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>dnssec-makekeyset</B
> [<TT
CLASS="OPTION"
>-a</TT
>] [<TT
CLASS="OPTION"
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-h</TT
>] [<TT
CLASS="OPTION"
>-p</TT
>] [<TT
CLASS="OPTION"
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-t</TT
><TT
CLASS="REPLACEABLE"
><I
>ttl</I
></TT
>] [<TT
CLASS="OPTION"
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></TT
>] {key...}</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN38"
></A
><H2
>DESCRIPTION</H2
><P
> <B
CLASS="COMMAND"
>dnssec-makekeyset</B
> generates a key set from one
or more keys created by <B
CLASS="COMMAND"
>dnssec-keygen</B
>. It creates
a file containing a KEY record for each key, and self-signs the key
set with each zone key. The output file is of the form
<TT
CLASS="FILENAME"
>keyset-nnnn.</TT
>, where <TT
CLASS="FILENAME"
>nnnn</TT
>
is the zone name.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN45"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a</DT
><DD
><P
> Verify all generated signatures.
</P
></DD
><DT
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <TT
CLASS="OPTION"
>start-time</TT
> is specified, the current
time is used.
</P
></DD
><DT
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
expire. As with <TT
CLASS="OPTION"
>start-time</TT
>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time realtive to the current time is
indicated with now+N. If no <TT
CLASS="OPTION"
>end-time</TT
> is
specified, 30 days from the start time is used as a default.
</P
></DD
><DT
>-h</DT
><DD
><P
> Prints a short summary of the options and arguments to
<B
CLASS="COMMAND"
>dnssec-makekeyset</B
>.
</P
></DD
><DT
>-p</DT
><DD
><P
> Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</P
></DD
><DT
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></DT
><DD
><P
> Specifies the source of randomness. If the operating
system does not provide a <TT
CLASS="FILENAME"
>/dev/random</TT
>
or equivalent device, the default source of randomness
is keyboard input. <TT
CLASS="FILENAME"
>randomdev</TT
> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<TT
CLASS="FILENAME"
>keyboard</TT
> indicates that keyboard
input should be used.
</P
></DD
><DT
>-t <TT
CLASS="REPLACEABLE"
><I
>ttl</I
></TT
></DT
><DD
><P
> Specify the TTL (time to live) of the KEY and SIG records.
The default is 3600 seconds.
</P
></DD
><DT
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></DT
><DD
><P
> Sets the debugging level.
</P
></DD
><DT
>key</DT
><DD
><P
> Lists the keys included in the keyset file. These keys
are expressed in the form <TT
CLASS="FILENAME"
>Knnnn.+aaa+iiiii</TT
>
as generated by <B
CLASS="COMMAND"
>dnssec-keygen</B
>.
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN98"
></A
><H2
>EXAMPLE</H2
><P
> The following command generates a keyset containing the DSA key for
<TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
> generated in the
<B
CLASS="COMMAND"
>dnssec-keygen</B
> man page.
</P
><P
> <TT
CLASS="USERINPUT"
><B
>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B
></TT
>
</P
><P
> In this example, <B
CLASS="COMMAND"
>dnssec-makekeyset</B
> creates
the file <TT
CLASS="FILENAME"
>keyset-example.com.</TT
>. This file
contains the specified key and a self-generated signature.
</P
><P
> The DNS administrator for <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
> could
send <TT
CLASS="FILENAME"
>keyset-example.com.</TT
> to the DNS
administrator for <TT
CLASS="USERINPUT"
><B
>.com</B
></TT
> for signing, if the
.com zone is DNSSEC-aware and the administrators of the two zones
have some mechanism for authenticating each other and exchanging
the keys and signatures securely.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN112"
></A
><H2
>SEE ALSO</H2
><P
> <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-keygen</SPAN
>(8)</SPAN
>,
<SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signkey</SPAN
>(8)</SPAN
>,
<I
CLASS="CITETITLE"
>BIND 9 Administrator Reference Manual</I
>,
<I
CLASS="CITETITLE"
>RFC 2535</I
>.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN123"
></A
><H2
>AUTHOR</H2
><P
> Internet Software Consortium
</P
></DIV
></BODY
></HTML
>

286
bin/dnssec/dnssec-signkey.8
View File

@@ -12,198 +12,94 @@
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\" $Id: dnssec-signkey.8,v 1.12 2001/01/09 21:47:24 bwelling Exp $
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
.Os BIND9 9
.ds vT BIND9 Programmer's Manual
.Sh NAME
.Nm dnssec-signkey
.Nd DNSSEC keyset signing tool
.Sh SYNOPSIS
.Nm dnssec-signkey
.Op Fl h
.Op Fl s Ar start-time
.Op Fl e Ar end-time
.Op Fl c Ar class
.Op Fl p
.Op Fl r Ar randomdev
.Op Fl v Ar level
.Ar keyset
.Ar keyfile ...
.Sh DESCRIPTION
.Nm dnssec-signkey
is used to sign a key set for a child zone.
Typically this would be provided by a
.Ar keyset
file generated by
.Xr dnssec-makekeyset 8 .
This provides a mechanism for a DNSSEC-aware zone to sign the keys of
any DNSSEC-aware child zones.
The child zone's key set gets signed with the zone keys for its parent
zone.
.Ar keyset
will be the pathname of the child zone's
.Ar keyset
file.
Each
.Ar keyfile
argument will be a key identification string as reported by
.Xr dnssec-keygen 8
for the parent zone.
This allows the child's keys to be signed by more than one
parent zone key.
.Pp
The
.Fl h
option makes
.Nm dnssec-signkey
print a short summary of its command line options
and arguments.
.Pp
By default, the validity period of the generated SIG records is copied
from that of the signatures in the input key set. This may be overriden
with the
.Fl s
and
.Fl e
options, both of which must be present if either is.
The start of the validity period is specified with the
.Fl s
option.
.Ar start-time
can either be an absolute or relative date.
An absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when
.Ar start-time
is given as +N: N seconds from the current time.
If no
.Fl s
option is supplied, the current date and time is used for the start
time of the SIG records.
.Pp
The expiry date for the SIG records can be set by the
.Fl e
option.
Note that in this context, the expiry date specifies when the SIG
records are no longer valid, not when they are deleted from caches on name
servers.
.Ar end-date
also represents an absolute or relative date.
YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
and time.
When
.Ar end-date
is +N,
it indicates that the SIG records will expire in N seconds after their
start date.
If
.Ar end-date
is written as now+N,
the SIG records will expire in N seconds after the current time.
.Pp
The
.Fl c
option specifies that the KEY records in the input and output key sets should
have the specified class instead of IN.
.Pp
.Nm dnssec-signkey
may need random numbers in the process of generating keys.
If the system does not have a
.Pa /dev/random
device that can be used for generating random numbers,
.Nm dnssec-signkey
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
.Nm dnssec-signkey
use
.Ar randomdev
as a source of random data.
.Pp
The
.Fl p
option instructs
.Nm dnssec-signkey
to use pseudo-random data when signing the keys. This is faster, but
less secure, than using genuinely random data for signing.
This option may be useful when there are many child zone keysets to
sign or if the entropy source is limited.
It could also be used for short-lived keys and signatures that don't
require as much protection against cryptanalysis, such as when the key
will be discarded long before it could be compromised.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-signkey
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-signkey
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Pp
When
.Nm dnssec-signkey
completes successfully, it generates a file called
.Ar signedkey-nnnn.
containing the signed keys for child zone
.Ar nnnn .
The keys from the
.Ar keyset
file will have been signed by the parent zone's key or keys which were
supplied as
.Ar keyfile
arguments.
This file should be sent to the DNS administrator of the child zone.
They arrange for its contents to be incorporated into the zone file
when it next gets signed with
.Xr dnssec-signzone 8 .
A copy of the generated
.Ar signedkey
file should be kept by the parent zone's DNS administrator, since
it will be needed when signing the parent zone.
.Sh EXAMPLE
The DNS administrator for a DNSSEC-aware
.Dv .com
zone would use the following command to make
.Nm dnssec-signkey
sign the
.Ar keyset
file for
.Dv example.com
created in the example shown in the man page for
.Xr dnssec-makekeyset 8 :
.Pp
.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
.Pp
where
.Dv Kcom.+003+51944
was a key file identifier that was produced when
.Xr dnssec-keygen 8
generated a key for the
.Dv .com
zone.
.Pp
.Nm dnssec-signkey
will produce a file called
.Dv signedkey-example.com.
which has the keys for
.Dv example.com
signed by the
.Dv com
zone's zone key.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signzone 8 .
.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" ""
.SH NAME
dnssec-signkey \- DNSSEC key set signing tool
.SH SYNOPSIS
.sp
\fBdnssec-signkey\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkeyset\fR \fBkey\fR\fI...\fR
.SH "DESCRIPTION"
.PP
\fBdnssec-signkey\fR signs a keyset. Typically
the keyset will be for a child zone, and will have been generated
by \fBdnssec-makekeyset\fR. The child zone's keyset
is signed with the zone keys for its parent zone. The output file
is of the form \fIsignedkey-nnnn.\fR, where
\fInnnn\fR is the zone name.
.SH "OPTIONS"
.TP
\fB-a\fR
Verify all generated signatures.
.TP
\fB-c \fIclass\fB\fR
Specifies the DNS class of the key sets.
.TP
\fB-s \fIstart-time\fB\fR
Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no \fBstart-time\fR is specified, the current
time is used.
.TP
\fB-e \fIend-time\fB\fR
Specify the date and time when the generated SIG records
expire. As with \fBstart-time\fR, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time realtive to the current time is
indicated with now+N. If no \fBend-time\fR is
specified, 30 days from the start time is used as a default.
.TP
\fB-h\fR
Prints a short summary of the options and arguments to
\fBdnssec-signkey\fR.
.TP
\fB-p\fR
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
.TP
\fB-r \fIrandomdev\fB\fR
Specifies the source of randomness. If the operating
system does not provide a \fI/dev/random\fR
or equivalent device, the default source of randomness
is keyboard input. \fIrandomdev\fR specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
\fIkeyboard\fR indicates that keyboard
input should be used.
.TP
\fB-v \fIlevel\fB\fR
Sets the debugging level.
.TP
\fBkeyset\fR
The file containing the child's keyset.
.TP
\fBkey\fR
The keys used to sign the child's keyset.
.SH "EXAMPLE"
.PP
The DNS administrator for a DNSSEC-aware \fB.com\fR
zone would use the following command to sign the
\fIkeyset\fR file for \fBexample.com\fR
created by \fBdnssec-makekeyset\fR with a key generated
by \fBdnssec-keygen\fR:
.PP
\fBdnssec-signkey keyset-example.com. Kcom.+003+51944\fR
.PP
In this example, \fBdnssec-signkey\fR creates
the file \fIsignedkey-example.com.\fR, which
contains the \fBexample.com\fR keys and the
signatures by the \fB.com\fR keys.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-makekeyset\fR(8),
\fBdnssec-signzone\fR(8).
.SH "AUTHOR"
.PP
Internet Software Consortium

219
bin/dnssec/dnssec-signkey.docbook Normal file
View File

@@ -0,0 +1,219 @@
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentry>
<refentryinfo>
<date>June 30, 2000</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-signkey</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-signkey</application></refname>
<refpurpose>DNSSEC key set signing tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-signkey</command>
<arg><option>-a</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-p</option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">keyset</arg>
<arg choice="req" rep="repeat">key</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>
<command>dnssec-signkey</command> signs a keyset. Typically
the keyset will be for a child zone, and will have been generated
by <command>dnssec-makekeyset</command>. The child zone's keyset
is signed with the zone keys for its parent zone. The output file
is of the form <filename>signedkey-nnnn.</filename>, where
<filename>nnnn</filename> is the zone name.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem>
<para>
Verify all generated signatures.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class of the key sets.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <option>start-time</option> is specified, the current
time is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated SIG records
expire. As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time realtive to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-signkey</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>keyset</term>
<listitem>
<para>
The file containing the child's keyset.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>key</term>
<listitem>
<para>
The keys used to sign the child's keyset.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
The DNS administrator for a DNSSEC-aware <userinput>.com</userinput>
zone would use the following command to sign the
<filename>keyset</filename> file for <userinput>example.com</userinput>
created by <command>dnssec-makekeyset</command> with a key generated
by <command>dnssec-keygen</command>:
</para>
<para>
<userinput>dnssec-signkey keyset-example.com. Kcom.+003+51944</userinput>
</para>
<para>
In this example, <command>dnssec-signkey</command> creates
the file <filename>signedkey-example.com.</filename>, which
contains the <userinput>example.com</userinput> keys and the
signatures by the <userinput>.com</userinput> keys.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-makekeyset</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>
<corpauthor>Internet Software Consortium</corpauthor>
</para>
</refsect1>
</refentry>
<!--
- Local variables:
- mode: sgml
- End:
-->

404
bin/dnssec/dnssec-signkey.html Normal file
View File

@@ -0,0 +1,404 @@
<!--
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->
<HTML
><HEAD
><TITLE
>dnssec-signkey</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>dnssec-signkey</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>dnssec-signkey</SPAN
>&nbsp;--&nbsp;DNSSEC key set signing tool</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>dnssec-signkey</B
> [<TT
CLASS="OPTION"
>-a</TT
>] [<TT
CLASS="OPTION"
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-h</TT
>] [<TT
CLASS="OPTION"
>-p</TT
>] [<TT
CLASS="OPTION"
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></TT
>] {keyset} {key...}</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN39"
></A
><H2
>DESCRIPTION</H2
><P
> <B
CLASS="COMMAND"
>dnssec-signkey</B
> signs a keyset. Typically
the keyset will be for a child zone, and will have been generated
by <B
CLASS="COMMAND"
>dnssec-makekeyset</B
>. The child zone's keyset
is signed with the zone keys for its parent zone. The output file
is of the form <TT
CLASS="FILENAME"
>signedkey-nnnn.</TT
>, where
<TT
CLASS="FILENAME"
>nnnn</TT
> is the zone name.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN46"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a</DT
><DD
><P
> Verify all generated signatures.
</P
></DD
><DT
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></DT
><DD
><P
> Specifies the DNS class of the key sets.
</P
></DD
><DT
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <TT
CLASS="OPTION"
>start-time</TT
> is specified, the current
time is used.
</P
></DD
><DT
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
expire. As with <TT
CLASS="OPTION"
>start-time</TT
>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time realtive to the current time is
indicated with now+N. If no <TT
CLASS="OPTION"
>end-time</TT
> is
specified, 30 days from the start time is used as a default.
</P
></DD
><DT
>-h</DT
><DD
><P
> Prints a short summary of the options and arguments to
<B
CLASS="COMMAND"
>dnssec-signkey</B
>.
</P
></DD
><DT
>-p</DT
><DD
><P
> Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</P
></DD
><DT
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></DT
><DD
><P
> Specifies the source of randomness. If the operating
system does not provide a <TT
CLASS="FILENAME"
>/dev/random</TT
>
or equivalent device, the default source of randomness
is keyboard input. <TT
CLASS="FILENAME"
>randomdev</TT
> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<TT
CLASS="FILENAME"
>keyboard</TT
> indicates that keyboard
input should be used.
</P
></DD
><DT
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></DT
><DD
><P
> Sets the debugging level.
</P
></DD
><DT
>keyset</DT
><DD
><P
> The file containing the child's keyset.
</P
></DD
><DT
>key</DT
><DD
><P
> The keys used to sign the child's keyset.
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN101"
></A
><H2
>EXAMPLE</H2
><P
> The DNS administrator for a DNSSEC-aware <TT
CLASS="USERINPUT"
><B
>.com</B
></TT
>
zone would use the following command to sign the
<TT
CLASS="FILENAME"
>keyset</TT
> file for <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
>
created by <B
CLASS="COMMAND"
>dnssec-makekeyset</B
> with a key generated
by <B
CLASS="COMMAND"
>dnssec-keygen</B
>:
</P
><P
> <TT
CLASS="USERINPUT"
><B
>dnssec-signkey keyset-example.com. Kcom.+003+51944</B
></TT
>
</P
><P
> In this example, <B
CLASS="COMMAND"
>dnssec-signkey</B
> creates
the file <TT
CLASS="FILENAME"
>signedkey-example.com.</TT
>, which
contains the <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
> keys and the
signatures by the <TT
CLASS="USERINPUT"
><B
>.com</B
></TT
> keys.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN116"
></A
><H2
>SEE ALSO</H2
><P
> <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-keygen</SPAN
>(8)</SPAN
>,
<SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-makekeyset</SPAN
>(8)</SPAN
>,
<SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signzone</SPAN
>(8)</SPAN
>.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN128"
></A
><H2
>AUTHOR</H2
><P
> Internet Software Consortium
</P
></DIV
></BODY
></HTML
>

407
bin/dnssec/dnssec-signzone.8
View File

@@ -12,274 +12,141 @@
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
.SH NAME
dnssec-signzone \- DNSSEC zone signing tool
.SH SYNOPSIS
.sp
\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-h\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
.SH "DESCRIPTION"
.PP
\fBdnssec-signzone\fR signs a zone. It generates NXT
and SIG records and produces a signed version of the zone. If there
is a \fIsignedkey\fR file from the zone's parent,
the parent's signatures will be incorporated into the generated
signed zone file. The security status of delegations from the the
signed zone (that is, whether the child zones are secure or not) is
determined by the presence or absence of a
\fIsignedkey\fR file for each child zone.
.SH "OPTIONS"
.TP
\fB-a\fR
Verify all generated signatures.
.TP
\fB-c \fIclass\fB\fR
Specifies the DNS class of the zone.
.TP
\fB-d \fIdirectory\fB\fR
Look for \fIsignedkey\fR files in
\fBdirectory\fR as the directory
.TP
\fB-s \fIstart-time\fB\fR
Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no \fBstart-time\fR is specified, the current
time is used.
.TP
\fB-e \fIend-time\fB\fR
Specify the date and time when the generated SIG records
expire. As with \fBstart-time\fR, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time realtive to the current time is
indicated with now+N. If no \fBend-time\fR is
specified, 30 days from the start time is used as a default.
.TP
\fB-f \fIoutput-file\fB\fR
The name of the output file containing the signed zone. The
default is to append \fI.signed\fR to the
input file.
.TP
\fB-h\fR
Prints a short summary of the options and arguments to
\fBdnssec-signzone\fR.
.TP
\fB-i \fIinterval\fB\fR
When a previously signed zone is passed as input, records
may be resigned. The \fBinterval\fR option
specifies the cycle interval as an offset from the current
time (in seconds). If a SIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
.\" $Id: dnssec-signzone.8,v 1.17 2001/01/09 21:47:25 bwelling Exp $
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNZONE 8
.Os BIND9 9
.ds vT BIND9 Programmer's Manual
.Sh NAME
.Nm dnssec-signzone
.Nd DNSSEC zone signing tool
.Sh SYNOPSIS
.Nm dnssec-signzone
.Op Fl a
.Op Fl c Ar class
.Op Fl d Ar directory
.Op Fl s Ar start-time
.Op Fl e Ar end-time
.Op Fl i Ar interval
.Op Fl o Ar origin
.Op Fl f Ar output-file
.Op Fl p
.Op Fl r Ar randomdev
.Op Fl t
.Op Fl v Ar level
.Op Fl n Ar nthreads
.Ar zonefile
.Op keyfile ....
.Sh DESCRIPTION
.Pp
.Nm dnssec-signzone
is used to sign a zone.
Any
.Ar signedkey
files for the zone to be signed should be present in the current
directory, along with the keys that will be used to sign the zone.
If no
.Ar keyfile
arguments are supplied, the default behaviour is to use all of the zone's
keys that are present in the current directory.
Providing specific
.Ar keyfile
arguments constrains
.Nm dnssec-signzone
to only use those keys for signing the zone.
Each
.Ar keyfile
argument would be an identification string for a key created with
.Xr dnssec-keygen 8 .
If the zone to be signed has any secure subzones, the
.Ar signedkey
files for those subzones need to be available in the
current working directory used by
.Nm dnssec-signzone .
.Pp
.Ar zonefile
is the name of the unsigned zone file.
Unless the file name is the same as the name of the zone, the
.Fl o
option should be given.
.Ar origin
will be the fully qualified domain origin for the zone.
.Pp
.Nm dnssec-signzone
will generate NXT and SIG records for the zone and produce a signed
version of the zone.
If there is a
.Ar signedkey
file from the zone's parent, the parent's signatures will be
incorporated into the generated signed zone file.
The security status of delegations from the the signed zone
- i.e. whether the child zones are DNSSEC-aware or not - is
set according to the presence or absence of a
.Ar signedkey
file for the child in case.
.Pp
By default,
.Nm dnssec-signzone
generates a file called
.Ar zonefile.signed
containing the signed zone file.
The output file name can be overridden usign the
.Fl f
option.
.\" Don't hyphenate YYYYMMDDHHMMSS
.nh YYYYMMDDHHMMSS
.Pp
.Nm dnssec-signzone
does not verify the signatures by default.
The
.Fl a
option makes it verify the signatures it generated.
.Pp
The date and time when the generated
SIG records become valid can be specified with the
.Fl s
option.
.Ar start-time
can either be an absolute or relative date.
An absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when
.Ar start-time
is given as +N: N seconds from the current time.
If no
.Fl s
option is supplied, the current date and time is used for the start
time of the SIG records.
.Pp
The expiry date for the SIG records can be set by the
.Fl e
option.
Note that in this context, the expiry date specifies when the SIG
records are no longer valid, not when they are deleted from caches on name
servers.
.Ar end-date
also represents an absolute or relative date.
YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
and time.
When
.Ar end-date
is +N,
it indicates that the SIG records will expire in N seconds after their
start date.
If
.Ar end-date
is supplied as now+N,
the SIG records will expire in N seconds after the current time.
When no expiry date is set for the SIG records,
.Nm dnssec-signzone
defaults to an expire time of 30 days from the start time of the SIG
records.
.Pp
When a previously signed zone is passed as input to
.Nm dnssec-signzone ,
records may be resigned. Whether or not to resign records is configurable
by using the
.Fl i
option, which specifies the cycle interval as an offset from the current time
(in seconds). If a SIG record expires after the cycle interval, it is
retained. Otherwise, it is considered to be expiring soon, and
.Nm dnssec-signzone
will remove it and generate a new SIG record to replace it.
.Pp
The default cycle interval is one quarter of the difference between the
specified signature end and start dates. So if the
.Fl e
and
.Fl s
options are not specified,
.Nm dnssec-signzone
generates signatures that are valid for 30 days from the current date
by default, with a cycle interval of 7.5 days. Therefore, if any SIG records
are due to expire in less than 7.5 days, they would be replaced
with new ones.
.Pp
.Nm dnssec-signzone
may need random numbers in the process of signing the zone.
If the system does not have a
.Pa /dev/random
device that can be used for generating random numbers,
.Nm dnssec-signzone
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
.Nm dnssec-signzone
use
.Ar randomdev
as a source of random data.
.Pp
The
.Fl p
option instructs
.Nm dnssec-signzone
to use pseudo-random data when signing the keys. This is faster, but
less secure, than using genuinely random data for signing.
This option may be useful when signing large zones or when the
entropy source is limited.
.Pp
The
.Fl t
option causes
.Nm dnssec-signzone
to print various statistics after signing the zone.
.Pp
The
.Fl c
option specifies that the KEY records in the input and output key sets should
have the specified class instead of IN.
.Pp
The
.Fl d
option specifies that
.Nm dnssec-signzone
should look in a directory other than the current directory for signedkey
files.
.Pp
An option of
.Fl h
makes
.Nm dnssec-signzone
print a short summary of its command line options
and arguments.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-signzone
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-signzone
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Pp
The
.Fl n
option can be used to change the threading behavior. By default,
.Nm dnssec-signzone
attempts to determine the number of CPUs present, and create one thread
per CPU. The
.Fl n
option causes a different number of threads to be created.
.Sh EXAMPLE
The example below shows how
.Nm dnssec-signzone
could be used to sign the
.Dv example.com
zone with the key that was generated in the example given in the
man page for
.Xr dnssec-keygen 8 .
The zone file for this zone is
.Dv example.com ,
which is the same as the origin, so there is no need to use the
.Fl o
option to set the origin.
The zone's keys were either appended to the zone file or
incorporated using a
.Dv $INCLUDE
statement.
If there was a
.Ar signedkey
file from the parent zone - i.e.
.Dv signedkey-example.com.
- it should be present in the current directory.
This allows the parent zone's signature to be included in the signed
version of the
.Dv example.com
zone.
.Pp
.Dl # dnssec-signzone example.com Kexample.com.+003+26160
.Pp
.Nm dnssec-signzone
will create a file called
.Dv example.com.signed ,
the signed version of the
.Dv example.com
zone.
This file can then be referenced in a
.Dv zone{}
statement in
.Pa /etc/named.conf
so that it can be loaded by the name server.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
.Xr dnssec-signkey 8 .
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
\fBend-time\fR or \fBstart-time\fR
are specified, \fBdnssec-signzone\fR generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing SIG records
are due to expire in less than 7.5 days, they would be
replaced.
.TP
\fB-n \fIncpus\fB\fR
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
.TP
\fB-o \fIorigin\fB\fR
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
.TP
\fB-p\fR
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
.TP
\fB-r \fIrandomdev\fB\fR
Specifies the source of randomness. If the operating
system does not provide a \fI/dev/random\fR
or equivalent device, the default source of randomness
is keyboard input. \fIrandomdev\fR specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
\fIkeyboard\fR indicates that keyboard
input should be used.
.TP
\fB-t\fR
Print statistics at completion.
.TP
\fB-v \fIlevel\fB\fR
Sets the debugging level.
.TP
\fBzonefile\fR
The file containing the zone to be signed.
Sets the debugging level.
.TP
\fBkey\fR
The keys used to sign the zone. If no keys are specified, the
default all zone keys that have private key files in the
current directory.
.SH "EXAMPLE"
.PP
The following command signs the \fBexample.com\fR
zone with the DSA key generated in the \fBdnssec-keygen\fR
man page. The zone's keys must be in the zone. If there are
\fIsignedkey\fR files associated with this zone
or any child zones, they must be in the current directory.
\fBexample.com\fR, the following command would be
issued:
.PP
\fBdnssec-signzone -o example.com db.example.com Kexample.com.+003+26160\fR
.PP
The command would print a string of the form:
.PP
In this example, \fBdnssec-signzone\fR creates
the file \fIdb.example.com.signed\fR. This file
should be referenced in a zone statement in a
\fInamed.conf\fR file.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signkey\fR(8),
\fIBIND 9 Administrator Reference Manual\fR,
\fIRFC 2535\fR.
.SH "AUTHOR"
.PP
Internet Software Consortium

307
bin/dnssec/dnssec-signzone.docbook Normal file
View File

@@ -0,0 +1,307 @@
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<refentry>
<refentryinfo>
<date>June 30, 2000</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>dnssec-signzone</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>dnssec-signzone</application></refname>
<refpurpose>DNSSEC zone signing tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-signzone</command>
<arg><option>-a</option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
<arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
<arg><option>-p</option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-t</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">zonefile</arg>
<arg rep="repeat">key</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para>
<command>dnssec-signzone</command> signs a zone. It generates NXT
and SIG records and produces a signed version of the zone. If there
is a <filename>signedkey</filename> file from the zone's parent,
the parent's signatures will be incorporated into the generated
signed zone file. The security status of delegations from the the
signed zone (that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<filename>signedkey</filename> file for each child zone.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a</term>
<listitem>
<para>
Verify all generated signatures.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class of the zone.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for <filename>signedkey</filename> files in
<option>directory</option> as the directory
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <option>start-time</option> is specified, the current
time is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">end-time</replaceable></term>
<listitem>
<para>
Specify the date and time when the generated SIG records
expire. As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time realtive to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">output-file</replaceable></term>
<listitem>
<para>
The name of the output file containing the signed zone. The
default is to append <filename>.signed</filename> to the
input file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-signzone</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
When a previously signed zone is passed as input, records
may be resigned. The <option>interval</option> option
specifies the cycle interval as an offset from the current
time (in seconds). If a SIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</para>
<para>
The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<option>end-time</option> or <option>start-time</option>
are specified, <command>dnssec-signzone</command> generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing SIG records
are due to expire in less than 7.5 days, they would be
replaced.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">ncpus</replaceable></term>
<listitem>
<para>
Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-o <replaceable class="parameter">origin</replaceable></term>
<listitem>
<para>
The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p</term>
<listitem>
<para>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t</term>
<listitem>
<para>
Print statistics at completion.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>zonefile</term>
<listitem>
<para>
The file containing the zone to be signed.
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>key</term>
<listitem>
<para>
The keys used to sign the zone. If no keys are specified, the
default all zone keys that have private key files in the
current directory.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated in the <command>dnssec-keygen</command>
man page. The zone's keys must be in the zone. If there are
<filename>signedkey</filename> files associated with this zone
or any child zones, they must be in the current directory.
<userinput>example.com</userinput>, the following command would be
issued:
</para>
<para>
<userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
</para>
<para>
The command would print a string of the form:
</para>
<para>
In this example, <command>dnssec-signzone</command> creates
the file <filename>db.example.com.signed</filename>. This file
should be referenced in a zone statement in a
<filename>named.conf</filename> file.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para>
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signkey</refentrytitle>
<manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2535</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para>
<corpauthor>Internet Software Consortium</corpauthor>
</para>
</refsect1>
</refentry>
<!--
- Local variables:
- mode: sgml
- End:
-->

553
bin/dnssec/dnssec-signzone.html Normal file
View File

@@ -0,0 +1,553 @@
<!--
- Copyright (C) 2000, 2001 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->
<HTML
><HEAD
><TITLE
>dnssec-signzone</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>dnssec-signzone</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>dnssec-signzone</SPAN
>&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>dnssec-signzone</B
> [<TT
CLASS="OPTION"
>-a</TT
>] [<TT
CLASS="OPTION"
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-d <TT
CLASS="REPLACEABLE"
><I
>directory</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-f <TT
CLASS="REPLACEABLE"
><I
>output-file</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-h</TT
>] [<TT
CLASS="OPTION"
>-i <TT
CLASS="REPLACEABLE"
><I
>interval</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-n <TT
CLASS="REPLACEABLE"
><I
>nthreads</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-o <TT
CLASS="REPLACEABLE"
><I
>origin</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-p</TT
>] [<TT
CLASS="OPTION"
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-t</TT
>] [<TT
CLASS="OPTION"
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></TT
>] {zonefile} [key...]</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN56"
></A
><H2
>DESCRIPTION</H2
><P
> <B
CLASS="COMMAND"
>dnssec-signzone</B
> signs a zone. It generates NXT
and SIG records and produces a signed version of the zone. If there
is a <TT
CLASS="FILENAME"
>signedkey</TT
> file from the zone's parent,
the parent's signatures will be incorporated into the generated
signed zone file. The security status of delegations from the the
signed zone (that is, whether the child zones are secure or not) is
determined by the presence or absence of a
<TT
CLASS="FILENAME"
>signedkey</TT
> file for each child zone.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN62"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a</DT
><DD
><P
> Verify all generated signatures.
</P
></DD
><DT
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></DT
><DD
><P
> Specifies the DNS class of the zone.
</P
></DD
><DT
>-d <TT
CLASS="REPLACEABLE"
><I
>directory</I
></TT
></DT
><DD
><P
> Look for <TT
CLASS="FILENAME"
>signedkey</TT
> files in
<TT
CLASS="OPTION"
>directory</TT
> as the directory
</P
></DD
><DT
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <TT
CLASS="OPTION"
>start-time</TT
> is specified, the current
time is used.
</P
></DD
><DT
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
expire. As with <TT
CLASS="OPTION"
>start-time</TT
>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time realtive to the current time is
indicated with now+N. If no <TT
CLASS="OPTION"
>end-time</TT
> is
specified, 30 days from the start time is used as a default.
</P
></DD
><DT
>-f <TT
CLASS="REPLACEABLE"
><I
>output-file</I
></TT
></DT
><DD
><P
> The name of the output file containing the signed zone. The
default is to append <TT
CLASS="FILENAME"
>.signed</TT
> to the
input file.
</P
></DD
><DT
>-h</DT
><DD
><P
> Prints a short summary of the options and arguments to
<B
CLASS="COMMAND"
>dnssec-signzone</B
>.
</P
></DD
><DT
>-i <TT
CLASS="REPLACEABLE"
><I
>interval</I
></TT
></DT
><DD
><P
> When a previously signed zone is passed as input, records
may be resigned. The <TT
CLASS="OPTION"
>interval</TT
> option
specifies the cycle interval as an offset from the current
time (in seconds). If a SIG record expires after the
cycle interval, it is retained. Otherwise, it is considered
to be expiring soon, and it will be replaced.
</P
><P
> The default cycle interval is one quarter of the difference
between the signature end and start times. So if neither
<TT
CLASS="OPTION"
>end-time</TT
> or <TT
CLASS="OPTION"
>start-time</TT
>
are specified, <B
CLASS="COMMAND"
>dnssec-signzone</B
> generates
signatures that are valid for 30 days, with a cycle
interval of 7.5 days. Therefore, if any existing SIG records
are due to expire in less than 7.5 days, they would be
replaced.
</P
></DD
><DT
>-n <TT
CLASS="REPLACEABLE"
><I
>ncpus</I
></TT
></DT
><DD
><P
> Specifies the number of threads to use. By default, one
thread is started for each detected CPU.
</P
></DD
><DT
>-o <TT
CLASS="REPLACEABLE"
><I
>origin</I
></TT
></DT
><DD
><P
> The zone origin. If not specified, the name of the zone file
is assumed to be the origin.
</P
></DD
><DT
>-p</DT
><DD
><P
> Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</P
></DD
><DT
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></DT
><DD
><P
> Specifies the source of randomness. If the operating
system does not provide a <TT
CLASS="FILENAME"
>/dev/random</TT
>
or equivalent device, the default source of randomness
is keyboard input. <TT
CLASS="FILENAME"
>randomdev</TT
> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<TT
CLASS="FILENAME"
>keyboard</TT
> indicates that keyboard
input should be used.
</P
></DD
><DT
>-t</DT
><DD
><P
> Print statistics at completion.
</P
></DD
><DT
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></DT
><DD
><P
> Sets the debugging level.
</P
></DD
><DT
>zonefile</DT
><DD
><P
> The file containing the zone to be signed.
Sets the debugging level.
</P
></DD
><DT
>key</DT
><DD
><P
> The keys used to sign the zone. If no keys are specified, the
default all zone keys that have private key files in the
current directory.
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN154"
></A
><H2
>EXAMPLE</H2
><P
> The following command signs the <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
>
zone with the DSA key generated in the <B
CLASS="COMMAND"
>dnssec-keygen</B
>
man page. The zone's keys must be in the zone. If there are
<TT
CLASS="FILENAME"
>signedkey</TT
> files associated with this zone
or any child zones, they must be in the current directory.
<TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
>, the following command would be
issued:
</P
><P
> <TT
CLASS="USERINPUT"
><B
>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</B
></TT
>
</P
><P
> The command would print a string of the form:
</P
><P
> In this example, <B
CLASS="COMMAND"
>dnssec-signzone</B
> creates
the file <TT
CLASS="FILENAME"
>db.example.com.signed</TT
>. This file
should be referenced in a zone statement in a
<TT
CLASS="FILENAME"
>named.conf</TT
> file.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN168"
></A
><H2
>SEE ALSO</H2
><P
> <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-keygen</SPAN
>(8)</SPAN
>,
<SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signkey</SPAN
>(8)</SPAN
>,
<I
CLASS="CITETITLE"
>BIND 9 Administrator Reference Manual</I
>,
<I
CLASS="CITETITLE"
>RFC 2535</I
>.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN179"
></A
><H2
>AUTHOR</H2
><P
> Internet Software Consortium
</P
></DIV
></BODY
></HTML
>