diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in
index 31ec7ce3ac..41b0491804 100644
--- a/bin/dnssec/Makefile.in
+++ b/bin/dnssec/Makefile.in
@@ -13,7 +13,7 @@
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.17 2001/02/04 15:52:38 bwelling Exp $
+# $Id: Makefile.in,v 1.18 2001/03/30 22:50:20 bwelling Exp $
srcdir = @srcdir@
VPATH = @srcdir@
@@ -55,6 +55,13 @@ MANPAGES = dnssec-keygen.8 \
dnssec-signkey.8 \
dnssec-signzone.8
+HTMLPAGES = dnssec-keygen.html \
+ dnssec-makekeyset.html \
+ dnssec-signkey.html \
+ dnssec-signzone.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
@BIND9_MAKE_RULES@
dnssec-keygen: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
@@ -72,8 +79,10 @@ dnssec-signzone.@O@: dnssec-signzone.c
dnssec-signzone: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ dnssec-signzone.@O@ ${OBJS} ${LIBS}
-clean distclean::
- rm -f ${TARGETS}
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
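Review bot: The new `docclean manclean maintainer-clean::` rule runs `rm -f ${MANOBJS}`, and MANOBJS names the .8 and .html pages that this same commit adds to the tree (dnssec-keygen.8, dnssec-keygen.html), so `make maintainer-clean` in a checkout deletes version-controlled files and a rebuild needs whatever converts the .docbook sources, which is not shown in this diff. A short comment above the rule would save the next maintainer a surprise: `# MANOBJS are generated from the .docbook sources and committed to the tree; maintainer-clean removes them and regenerating them needs the docbook toolchain.` Folding HTMLPAGES into MANOBJS in the previous hunk also means `make man` now requires the HTML conversion as well as the man-page one, and the `install::` loop in the last hunk still copies only ${MANPAGES}, so the HTML pages are built but never installed — if that is intended, a one-line comment saying so on the HTMLPAGES assignment would make it explicit. Whether the docbook-to-man and docbook-to-html rules come from `@BIND9_MAKE_RULES@` cannot be confirmed from what is visible here.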
@@ -82,3 +91,7 @@ installdirs:
install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
for m in ${MANPAGES}; do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8; done
+
+clean distclean::
+ rm -f ${TARGETS}
+
diff --git a/bin/dnssec/dnssec-keygen.8 b/bin/dnssec/dnssec-keygen.8
index f87f3261b1..dff5634957 100644
--- a/bin/dnssec/dnssec-keygen.8
+++ b/bin/dnssec/dnssec-keygen.8
@@ -12,298 +12,146 @@
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-keygen \- DNSSEC key generation tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-keygen\fR generates keys for DNSSEC
+(Secure DNS), as defined in RFC 2535. It can also generate
+keys for use with TSIG (Transaction Signatures), as
+defined in RFC 2845.
+.SH "OPTIONS"
+.TP
+\fB-a \fIalgorithm\fB\fR
+Selects the cryptographic algorithm. The value of
+\fBalgorithm\fR must be one of RSAMD5 or RSA,
+DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+are case insensitive.
-.\" $Id: dnssec-keygen.8,v 1.12 2001/01/09 21:47:21 bwelling Exp $
-
-.Dd Jun 30, 2000
-.Dt DNSSEC-KEYGEN 8
-.Os BIND9 9
-.ds vT BIND9 Programmer's Manual
-.Sh NAME
-.Nm dnssec-keygen
-.Nd key generation tool for DNSSEC
-.Sh SYNOPSIS
-.Nm dnssec-keygen
-.Fl a Ar algorithm
-.Fl b Ar keysize
-.Op Fl c Ar class
-.Op Fl e
-.Op Fl g Ar generator
-.Op Fl h
-.Fl n Ar nametype
-.Op Fl p Ar protocol-value
-.Op Fl r Ar randomdev
-.Op Fl s Ar strength-value
-.Op Fl t Ar type
-.Op Fl v Ar level
-.Ar name
-.Sh DESCRIPTION
-.Nm dnssec-keygen
-generates keys for DNSSEC, Secure DNS, as defined in RFC2535.
-It also generates keys for use in Transaction Signatures, TSIG, which
-is defined in RFC2845.
-.Pp
-A short summary of the options and arguments to
-.Nm dnssec-keygen
-is printed by the
-.Fl h
-(help) option.
-.Pp
-The
-.Fl a ,
-.Fl b ,
-and
-.Fl n
-options and their arguments must be supplied when generating keys.
-The domain name that the key has to be generated for is given by
-.Ar name .
-.Pp
-The choice of encryption algorithm is selected by the
-.Fl a
-option to
-.Nm dnssec-keygen .
-.Ar algorithm
-must be one of
-.Dv RSAMD5 ,
-.Dv DH ,
-.Dv DSA
-or
-.Dv HMAC-MD5
-to indicate that an RSA, Diffie-Hellman, Digital Signature
-Algorithm or HMAC-MD5 key is required.
-An argument of
-.Dv RSA
-can also be given, which is equivalent to
-.Dv RSAMD5 .
-The argument identifying the encryption algorithm is case-insensitive.
-DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
-Implementations of TSIG must support HMAC-MD5.
-.Pp
-The number of bits in the key is determined by the
-.Ar keysize
-argument following the
-.Fl b
-option.
-The choice of key size depends on the algorithm that is used.
-RSA keys must be between 512 and 2048 bits.
-Diffie-Hellman keys must be between 128 and 4096 bits.
-For DSA, the key size must be between 512 and 1024 bits and a multiple
-of 64.
-The length of an HMAC-MD5 key can be between 1 and 512 bits.
-.Pp
-The
-.Fl n
-option specifies how the generated key will be used.
-.Ar nametype
-can be either
-.Dv ZONE ,
-.Dv HOST ,
-.Dv ENTITY ,
-or
-.Dv USER
-to indicate that the key will be used for signing a zone, host,
-entity or user respectively.
-In this context
-.Dv HOST
-and
-.Dv ENTITY
-are identical.
-.Ar nametype
-is case-insensitive.
-.Pp
-The
-.Fl c
-option specifies that the when creating a KEY record, the specified class
-should be used instead of IN.
-.Pp
-The
-.Fl e
-option can only be used when generating RSA keys.
-It tells
-.Nm dnssec-keygen
-to use a large exponent.
-When creating Diffie-Hellman keys, the
-.Fl g
-option selects the Diffie-Hellman generator
-.Ar generator
-that is to be used.
-The only supported values value of
-.Ar generator
-are 2 and 5.
-If no Diffie-Hellman generator is supplied, a known prime
-from RFC2539 will be used if possible; otherwise 2 will be used as the
-generator.
-.Pp
-The
-.Fl p
-option sets the protocol value for the generated key to
-.Ar protocol-value .
-The default is 2 (email) for keys of type
-.Dv USER
-and 3 (DNSSEC) for all other key types.
-Other possible values for this argument are listed in RFC2535 and its
-successors.
-.Pp
-.Nm dnssec-keygen
-uses random numbers to seed the process
-of generating keys.
-If the system does not have a
-.Pa /dev/random
-device that can be used for generating random numbers,
-.Nm dnssec-keygen
-will prompt for keyboard input and use the time intervals between
-keystrokes to provide randomness.
-The
-.Fl r
-option overrides this behaviour, making
-.Nm dnssec-keygen
-use
-.Ar randomdev
-as a source of random data.
-.Pp
-The key's strength value can be set with the
-.Fl s
-option.
-The generated key will sign DNS resource records
-with a strength value of
-.Ar strength-value .
-It should be a number between 0 and 15.
-The default strength is zero.
-The key strength field currently has no defined purpose in DNSSEC.
-.Pp
-The
-.Fl t
-option indicates if the key is to be used for authentication or
-confidentiality.
-.Ar type
-can be one of
-.Dv AUTHCONF ,
-.Dv NOAUTHCONF ,
-.Dv NOAUTH
-or
-.Dv NOCONF .
-The default is
-.Dv AUTHCONF .
-If type is
-.Dv AUTHCONF
-the key can be used for authentication and confidentialty.
-Setting
-.Ar type
-to
-.Dv NOAUTHCONF
-indicates that the key cannot be used for authentication or confidentialty.
-A value of
-.Dv NOAUTH
-means the key can be used for confidentiality but not for
-authentication.
-Similarly,
-.Dv NOCONF
-defines that the key cannot be used for confidentiality though it can
-be used for authentication.
-.Pp
-The
-.Fl v
-option can be used to make
-.Nm dnssec-keygen
-more verbose.
-As the debugging/tracing level
-.Ar level
-increases,
-.Nm dnssec-keygen
-generates increasingly detailed reports about what it is doing.
-The default level is zero.
-.Sh GENERATED KEYS
-When
-.Nm dnssec-keygen
-completes it prints a string of the form
-.Ar Knnnn.+aaa+iiiii
-on the standard output.
-This is an identification string for the key it has generated.
-These strings can be supplied as arguments to
-.Xr dnssec-makekeyset 8 .
-.Pp
-The
-.Ar nnnn.
-part is the dot-terminated domain name given by
-.Ar name .
-The DNSSEC algorithm identifier is indicated by
-.Ar aaa -
-001 for RSA, 002 for Diffie-Hellman, 003 for DSA or 157 for HMAC-MD5.
-.Ar iiiii
-is a five-digit number identifying the key.
-.Pp
-.Nm dnssec-keygen
-creates two files.
-The file names are adapted from the key identification string above.
-They have names of the form:
-.Ar Knnnn.+aaa+iiiii.key
-and
-.Ar Knnnn.+aaa+iiiii.private .
-These contain the public and private parts of the key respectively.
-The files generated by
-.Nm dnssec-keygen
-obey this naming convention to
-make it easy for the signing tool
-.Xr dnssec-signzone 8
-to identify which file(s) have to be read to find the necessary
-key(s) for generating or validating signatures.
-.Pp
-The
-.Ar .key
-file contains a KEY resource record that can be inserted into a zone file
-with a
-.Dv $INCLUDE
-statement.
-The private part of the key is in the
-.Ar .private
-file.
-It contains details of the encryption algorithm that was used and any
-relevant parameters: prime number, exponent, modulus, subprime, etc.
-For obvious security reasons, this file does not have general read
-permission.
-The private part of the key is used by
-.Xr dnssec-signzone 8
-to generate signatures and the public part is used to verify the
-signatures.
-Both
-.Ar .key
-and
-.Ar .private
-key files are generated for symmetric encryption algorithm such as
+Note that for DNSSEC, DSA is a mandatory to implement algorithm,
+and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+.TP
+\fB-b \fIkeysize\fB\fR
+Specifies the number of bits in the key. The choice of key
+size depends on the algorithm used. RSA keys must be between
+512 and 2048 bits. Diffie Hellman keys must be between
+128 and 4096 bits. DSA keys must be between 512 and 1024
+bits and an exact multiple of 64. HMAC-MD5 keys must be
+between 1 and 512 bits.
+.TP
+\fB-n \fInametype\fB\fR
+Specifies the owner type of the key. The value of
+\fBnametype\fR must either be ZONE (for a DNSSEC
+zone key), HOST or ENTITY (for a key associated with a host),
+or USER (for a key associated with a user). These values are
+case insensitive.
+.TP
+\fB-c \fIclass\fB\fR
+Indicates that the DNS record containing the key should have
+the specified class. If not specified, class IN is used.
+.TP
+\fB-e\fR
+If generating an RSA key, use a large exponent.
+.TP
+\fB-g \fIgenerator\fB\fR
+If generating a Diffie Hellman key, use this generator.
+Allowed values are 2 and 5. If no generator
+is specified, a known prime from RFC 2539 will be used
+if possible; otherwise the default is 2.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-keygen\fR.
+.TP
+\fB-p \fIprotocol\fB\fR
+Sets the protocol value for the generated key. The protocol
+is a number between 0 and 255. The default is 2 (email) for
+keys of type USER and 3 (DNSSEC) for all other key types.
+Other possible values for this argument are listed in
+RFC 2535 and its successors.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-s \fIstrength\fB\fR
+Specifies the strength value of the key. The strength is
+a number between 0 and 15, and currently has no defined
+purpose in DNSSEC.
+.TP
+\fB-t \fItype\fB\fR
+Indicates the use of the key. \fBtype\fR must be
+one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+is AUTHCONF. AUTH refers to the ability to authenticate
+data, and CONF the ability to encrypt data.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.SH "GENERATED KEYS"
+.PP
+When \fBdnssec-keygen\fR completes successfully,
+it prints a string of the form \fIKnnnn.+aaa+iiiii\fR
+to the standard output. This is an identification string for
+the key it has generated. These strings can be used as arguments
+to \fBdnssec-makekeyset\fR.
+.PP
+\fInnnn\fR is the key name.
+.PP
+\fIaaa\fR is the numeric representation of the algorithm.
+.PP
+\fIiiiii\fR is the key identifier (or footprint).
+.PP
+\fBdnssec-keygen\fR creates two file, with names based
+on the printed string. \fIKnnnn.+aaa+iiiii.key\fR
+contains the public key, and
+\fIKnnnn.+aaa+iiiii.private\fR contains the private
+key.
+.PP
+The \fI.key\fR file contains a DNS KEY record that
+can be inserted into a zone file (directly or with a $INCLUDE
+statement).
+.PP
+The \fI.private\fR file contains algorithm specific
+fields. For obvious security reasons, this file does not have
+general read permission.
+.PP
+Both \fI.key\fR and \fI.private\fR
+files are generated for symmetric encryption algorithm such as
HMAC-MD5, even though the public and private key are equivalent.
-.Sh EXAMPLE
+.SH "EXAMPLE"
+.PP
To generate a 768-bit DSA key for the domain
-.Dv example.com ,
-the following command would be issued:
-.Pp
-.Dl # dnssec-keygen -a DSA -b 768 -n ZONE example.com
-.Dl Kexample.com.+003+26160
-.Pp
-.Nm dnssec-keygen
-has printed the key identification string
-.Dv Kexample.com.+003+26160 ,
-indicating a DSA key with identifier 26160.
-It will also have created the files
-.Pa Kexample.com.+003+26160.key
-and
-.Pa Kexample.com.+003+26160.private
-containing respectively the public and private keys for the generated
-DSA key.
-.Sh FILES
-.Pa /dev/random
-.Sh SEE ALSO
-.Xr RFC2535,
-.Xr RFC2845,
-.Xr RFC2539,
-.Xr dnssec-makekeyset 8 ,
-.Xr dnssec-signkey 8 ,
-.Xr dnssec-signzone 8 .
-.Sh BUGS
-The naming convention for the public and private key files is a little
-clumsy.
-It won't work for domain names that are longer than 236 characters
-because of the
-.Ar .+aaa+iiiii.private
-suffix results in filenames that are too long for most
-.Ux
-systems.
+\fBexample.com\fR, the following command would be
+issued:
+.PP
+\fBdnssec-keygen -a DSA -b 768 -n ZONE example.com\fR
+.PP
+The command would print a string of the form:
+.PP
+\fBKexample.com.+003+26160\fR
+.PP
+In this example, \fBdnssec-keygen\fR creates
+the files \fIKexample.com.+003+26160.key\fR and
+\fIKexample.com.+003+26160.private\fR
+.SH "SEE ALSO"
+.PP
+\fBdnssec-makekeyset\fR(8),
+\fBdnssec-signkey\fR(8),
+\fBdnssec-signzone\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR,
+\fIRFC 2845\fR,
+\fIRFC 2539\fR.
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
new file mode 100644
index 0000000000..c7287180e7
--- /dev/null
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -0,0 +1,300 @@
+
+
+
+
+ June 30, 2000
+
+
+
+ dnssec-keygen
+ 8
+ BIND9
+
+
+
+ dnssec-keygen
+ DNSSEC key generation tool
+
+
+
+
+ dnssec-keygen
+ -a algorithm
+ -b keysize
+ -n nametype
+
+
+
+
+
+
+
+
+
+ name
+
+
+
+
+ DESCRIPTION
+
+ dnssec-keygen generates keys for DNSSEC
+ (Secure DNS), as defined in RFC 2535. It can also generate
+ keys for use with TSIG (Transaction Signatures), as
+ defined in RFC 2845.
+
+
+
+
+ OPTIONS
+
+
+
+ -a algorithm
+
+
+ Selects the cryptographic algorithm. The value of
+ must be one of RSAMD5 or RSA,
+ DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+ are case insensitive.
+
+
+ Note that for DNSSEC, DSA is a mandatory to implement algorithm,
+ and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+
+
+
+
+
+ -b keysize
+
+
+ Specifies the number of bits in the key. The choice of key
+ size depends on the algorithm used. RSA keys must be between
+ 512 and 2048 bits. Diffie Hellman keys must be between
+ 128 and 4096 bits. DSA keys must be between 512 and 1024
+ bits and an exact multiple of 64. HMAC-MD5 keys must be
+ between 1 and 512 bits.
+
+
+
+
+
+ -n nametype
+
+
+ Specifies the owner type of the key. The value of
+ must either be ZONE (for a DNSSEC
+ zone key), HOST or ENTITY (for a key associated with a host),
+ or USER (for a key associated with a user). These values are
+ case insensitive.
+
+
+
+
+
+ -c class
+
+
+ Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+
+
+
+
+
+ -e
+
+
+ If generating an RSA key, use a large exponent.
+
+
+
+
+
+ -g generator
+
+
+ If generating a Diffie Hellman key, use this generator.
+ Allowed values are 2 and 5. If no generator
+ is specified, a known prime from RFC 2539 will be used
+ if possible; otherwise the default is 2.
+
+
+
+
+
+ -h
+
+
+ Prints a short summary of the options and arguments to
+ dnssec-keygen.
+
+
+
+
+
+ -p protocol
+
+
+ Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 2 (email) for
+ keys of type USER and 3 (DNSSEC) for all other key types.
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+
+
+
+
+
+ -r randomdev
+
+
+ Specifies the source of randomness. If the operating
+ system does not provide a /dev/random
+ or equivalent device, the default source of randomness
+ is keyboard input. randomdev specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ keyboard indicates that keyboard
+ input should be used.
+
+
+
+
+
+ -s strength
+
+
+ Specifies the strength value of the key. The strength is
+ a number between 0 and 15, and currently has no defined
+ purpose in DNSSEC.
+
+
+
+
+
+ -t type
+
+
+ Indicates the use of the key. must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+
+
+
+
+
+ -v level
+
+
+ Sets the debugging level.
+
+
+
+
+
+
+
+
+ GENERATED KEYS
+
+ When dnssec-keygen completes successfully,
+ it prints a string of the form Knnnn.+aaa+iiiii
+ to the standard output. This is an identification string for
+ the key it has generated. These strings can be used as arguments
+ to dnssec-makekeyset.
+
+
+ nnnn is the key name.
+
+
+ aaa is the numeric representation of the algorithm.
+
+
+ iiiii is the key identifier (or footprint).
+
+
+ dnssec-keygen creates two file, with names based
+ on the printed string. Knnnn.+aaa+iiiii.key
+ contains the public key, and
+ Knnnn.+aaa+iiiii.private contains the private
+ key.
+
+
+ The .key file contains a DNS KEY record that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+
+
+ The .private file contains algorithm specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+
+
+ Both .key and .private
+ files are generated for symmetric encryption algorithm such as
+ HMAC-MD5, even though the public and private key are equivalent.
+
+
+
+
+ EXAMPLE
+
+ To generate a 768-bit DSA key for the domain
+ example.com, the following command would be
+ issued:
+
+
+ dnssec-keygen -a DSA -b 768 -n ZONE example.com
+
+
+ The command would print a string of the form:
+
+
+ Kexample.com.+003+26160
+
+
+ In this example, dnssec-keygen creates
+ the files Kexample.com.+003+26160.key and
+ Kexample.com.+003+26160.private
+
+
+
+
+ SEE ALSO
+
+
+ dnssec-makekeyset
+ 8
+ ,
+
+ dnssec-signkey
+ 8
+ ,
+
+ dnssec-signzone
+ 8
+ ,
+ BIND 9 Administrator Reference Manual,
+ RFC 2535,
+ RFC 2845,
+ RFC 2539.
+
+
+
+
+ AUTHOR
+
+ Internet Software Consortium
+
+
+
+
+
+
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html
new file mode 100644
index 0000000000..98e9d0d312
--- /dev/null
+++ b/bin/dnssec/dnssec-keygen.html
@@ -0,0 +1,561 @@
+
+
dnssec-keygen generates keys for DNSSEC
+ (Secure DNS), as defined in RFC 2535. It can also generate
+ keys for use with TSIG (Transaction Signatures), as
+ defined in RFC 2845.
+
OPTIONS
-a algorithm
Selects the cryptographic algorithm. The value of
+ algorithm must be one of RSAMD5 or RSA,
+ DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+ are case insensitive.
+
Note that for DNSSEC, DSA is a mandatory to implement algorithm,
+ and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+
-b keysize
Specifies the number of bits in the key. The choice of key
+ size depends on the algorithm used. RSA keys must be between
+ 512 and 2048 bits. Diffie Hellman keys must be between
+ 128 and 4096 bits. DSA keys must be between 512 and 1024
+ bits and an exact multiple of 64. HMAC-MD5 keys must be
+ between 1 and 512 bits.
+
-n nametype
Specifies the owner type of the key. The value of
+ nametype must either be ZONE (for a DNSSEC
+ zone key), HOST or ENTITY (for a key associated with a host),
+ or USER (for a key associated with a user). These values are
+ case insensitive.
+
-c class
Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+
-e
If generating an RSA key, use a large exponent.
+
-g generator
If generating a Diffie Hellman key, use this generator.
+ Allowed values are 2 and 5. If no generator
+ is specified, a known prime from RFC 2539 will be used
+ if possible; otherwise the default is 2.
+
-h
Prints a short summary of the options and arguments to
+ dnssec-keygen.
+
-p protocol
Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 2 (email) for
+ keys of type USER and 3 (DNSSEC) for all other key types.
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+
-r randomdev
Specifies the source of randomness. If the operating
+ system does not provide a /dev/random
+ or equivalent device, the default source of randomness
+ is keyboard input. randomdev specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ keyboard indicates that keyboard
+ input should be used.
+
-s strength
Specifies the strength value of the key. The strength is
+ a number between 0 and 15, and currently has no defined
+ purpose in DNSSEC.
+
-t type
Indicates the use of the key. type must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+
-v level
Sets the debugging level.
+
GENERATED KEYS
When dnssec-keygen completes successfully,
+ it prints a string of the form Knnnn.+aaa+iiiii
+ to the standard output. This is an identification string for
+ the key it has generated. These strings can be used as arguments
+ to dnssec-makekeyset.
+
nnnn is the key name.
+
aaa is the numeric representation of the algorithm.
+
iiiii is the key identifier (or footprint).
+
dnssec-keygen creates two file, with names based
+ on the printed string. Knnnn.+aaa+iiiii.key
+ contains the public key, and
+ Knnnn.+aaa+iiiii.private contains the private
+ key.
+
The .key file contains a DNS KEY record that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+
The .private file contains algorithm specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+
Both .key and .private
+ files are generated for symmetric encryption algorithm such as
+ HMAC-MD5, even though the public and private key are equivalent.
+
EXAMPLE
To generate a 768-bit DSA key for the domain
+ example.com, the following command would be
+ issued:
+
dnssec-keygen -a DSA -b 768 -n ZONE example.com
+
The command would print a string of the form:
+
Kexample.com.+003+26160
+
In this example, dnssec-keygen creates
+ the files Kexample.com.+003+26160.key and
+ Kexample.com.+003+26160.private
+
\ No newline at end of file
diff --git a/bin/dnssec/dnssec-makekeyset.8 b/bin/dnssec/dnssec-makekeyset.8
index 8999e2c8de..e6a8ca90ba 100644
--- a/bin/dnssec/dnssec-makekeyset.8
+++ b/bin/dnssec/dnssec-makekeyset.8
@@ -12,199 +12,99 @@
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-.\" $Id: dnssec-makekeyset.8,v 1.10 2001/01/09 21:47:23 bwelling Exp $
-
-.Dd Jun 30, 2000
-.Dt DNSSEC-MAKEKEYSET 8
-.Os BIND9 9
-.ds vT BIND9 Programmer's Manual
-.Sh NAME
-.Nm dnssec-makekeyset
-.Nd produce a set of DNSSEC keys
-.Sh SYNOPSIS
-.Nm dnssec-makekeyset
-.Op Fl h
-.Op Fl s Ar start-time
-.Op Fl e Ar end-time
-.Op Fl t Ar TTL
-.Op Fl r Ar randomdev
-.Op Fl p
-.Op Fl v Ar level
-.Ar keyfile ....
-.Sh DESCRIPTION
-.Nm dnssec-makekeyset
-generates a key set from one or more keys created by
-.Xr dnssec-keygen 8 .
-It creates a file containing KEY and SIG records for some zone which
-can then be signed by the zone's parent if the parent zone is
-DNSSEC-aware.
-.Ar keyfile
-should be a key identification string as reported by
-.Xr dnssec-keygen 8 :
-i.e.
-.Ar Knnnn.+aaa+iiiii
-where
-.Ar nnnn
-is the name of the key,
-.Ar aaa
-is the encryption algorithm and
-.Ar iiiii
-is the key identifier.
-Multiple
-.Ar keyfile
-arguments can be supplied when there are several keys to be combined
-by
-.Nm dnssec-makekeyset
-into a key set.
-.Pp
-For any SIG records that are in the key set, the start time when the
-SIG records become valid is specified with the
-.Fl s
-option.
-.Ar start-time
-can either be an absolute or relative date.
-An absolute start time is indicated by a number in YYYYMMDDHHMMSS
-notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
-A relative start time is supplied when
-.Ar start-time
-is given as +N: N seconds from the current time.
-If no
-.Fl s
-option is supplied, the current date and time is used for the start
-time of the SIG records.
-.Pp
-The expiry date for the SIG records can be set by the
-.Fl e
-option.
-Note that in this context, the expiry date specifies when the SIG
-records are no longer valid, not when they are deleted from caches on name
-servers.
-.Ar end-date
-also represents an absolute or relative date.
-YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
-and time.
-When
-.Ar end-date
-is +N,
-it indicates that the SIG records will expire in N seconds after their
-start date.
-If
-.Ar end-date
-is written as now+N,
-the SIG records will expire in N seconds after the current time.
-When no expiry date is set for the SIG records,
-.Nm dnssec-makekeyset
-defaults to an expire time of 30 days from the start time of the SIG
-records.
-.Pp
-An alternate source of random data can be specified with the
-.Fl r
-option.
-.Ar randomdev
-is the name of the file to use to obtain random data.
-By default
-.Pa /dev/random
-is used if this device is available.
-If it is not provided by the operating system and no
-.Fl r
-option is used,
-.Nm dnssec-makekeyset
-will prompt the user for input from the keyboard and use the time
-between keystrokes to derive some random data.
-.Pp
-The
-.Fl p
-option instructs
-.Nm dnssec-makekeyset
-to use pseudo-random data when self-signing the keyset. This is faster, but
-less secure, than using genuinely random data for signing.
-This option may be useful when the entropy source is limited.
-.Pp
-The
-.Fl t
-option is followed by a time-to-live argument
-.Ar TTL
-which indicates the TTL value that will be assigned to the assembled KEY
-and SIG records in the output file.
-.Ar TTL
-is expressed in seconds.
-If no
-.Fl t
-option is provided,
-.Nm dnssec-makekeyset
-prints a warning and uses a default TTL of 3600 seconds.
-.Pp
-The
-.Fl v
-option can be used to make
-.Nm dnssec-makekeyset
-more verbose.
-As the debugging/tracing level
-.Ar level
-increases,
-.Nm dnssec-makekeyset
-generates increasingly detailed reports about what it is doing.
-The default level is zero.
-.Pp
-The
-.Fl h
-option makes
-.Nm dnssec-makekeyset
-to print a short summary of its options and arguments.
-.Pp
-If
-.Nm dnssec-makekeyset
-is successful, it creates a file name of the form
-.Ar keyset-nnnn. .
-This file contains the KEY and SIG records for domain
-.Dv nnnn ,
-the domain name part from the key file identifier produced when
-.Nm dnssec-keygen
-created the domain's public and private keys.
-The
-.Ar keyset
-file can then be transferred to the DNS administrator of the parent
-zone for them to sign the contents with
-.Xr dnssec-signkey 8 .
-.Sh EXAMPLE
-The following command generates a key set for the DSA key for
-.Dv example.com
-that was shown in the
-.Xr dnssec-keygen 8
-man page.
-The backslash is for typographic reasons and would not be provided on
-the command line when running
-.Nm dnssec-makekeyset .
-.nf
-.Dl # dnssec-makekeyset -t 86400 -s 20000701120000 \e\p
-.Dl -e +2592000 Kexample.com.+003+26160
-.fi
-.Pp
-.Nm dnssec-makekeyset
-will create a file called
-.Pa keyset-example.com.
-containing a SIG and KEY record for
-.Dv example.com.
-These records will have a TTL of 86400 seconds (1 day).
-The SIG record becomes valid at noon UTC on July 1st 2000 and expires
-30 days (2592000 seconds) later.
-.Pp
-The DNS administrator for
-.Dv example.com
-could then send
-.Pa keyset-example.com.
-to the DNS administrator for
-.Dv .com
-so that they could sign the resource records in the file.
-This assumes that the
-.Dv .com
-zone is DNSSEC-aware and the administrators of the two zones have some
-mechanism for authenticating each other and exchanging the keys and
-signatures securely.
-.Sh FILES
-.Pa /dev/random .
-.Sh SEE ALSO
-.Xr RFC2535 ,
-.Xr dnssec-keygen 8 ,
-.Xr dnssec-signkey 8 .
+.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-makekeyset \- DNSSEC zone signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-makekeyset\fR [ \fB-a\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fIttl\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkey\fR\fI...\fR
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-makekeyset\fR generates a key set from one
+or more keys created by \fBdnssec-keygen\fR. It creates
+a file containing a KEY record for each key, and self-signs the key
+set with each zone key. The output file is of the form
+\fIkeyset-nnnn.\fR, where \fInnnn\fR
+is the zone name.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Verify all generated signatures.
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated SIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated SIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time realtive to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-makekeyset\fR.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-t \fIttl\fB\fR
+Specify the TTL (time to live) of the KEY and SIG records.
+The default is 3600 seconds.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.TP
+\fBkey\fR
+Lists the keys included in the keyset file. These keys
+are expressed in the form \fIKnnnn.+aaa+iiiii\fR
+as generated by \fBdnssec-keygen\fR.
+.SH "EXAMPLE"
+.PP
+The following command generates a keyset containing the DSA key for
+\fBexample.com\fR generated in the
+\fBdnssec-keygen\fR man page.
+.PP
+\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR
+.PP
+In this example, \fBdnssec-makekeyset\fR creates
+the file \fIkeyset-example.com.\fR. This file
+contains the specified key and a self-generated signature.
+.PP
+The DNS administrator for \fBexample.com\fR could
+send \fIkeyset-example.com.\fR to the DNS
+administrator for \fB.com\fR for signing, if the
+\&.com zone is DNSSEC-aware and the administrators of the two zones
+have some mechanism for authenticating each other and exchanging
+the keys and signatures securely.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signkey\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR.
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
diff --git a/bin/dnssec/dnssec-makekeyset.docbook b/bin/dnssec/dnssec-makekeyset.docbook
new file mode 100644
index 0000000000..567bc17b93
--- /dev/null
+++ b/bin/dnssec/dnssec-makekeyset.docbook
@@ -0,0 +1,215 @@
+
+
+
+
+ June 30, 2000
+
+
+
+ dnssec-makekeyset
+ 8
+ BIND9
+
+
+
+ dnssec-makekeyset
+ DNSSEC zone signing tool
+
+
+
+
+ dnssec-makekeyset
+
+
+
+
+
+
+ ttl
+
+ key
+
+
+
+
+ DESCRIPTION
+
+ dnssec-makekeyset generates a key set from one
+ or more keys created by dnssec-keygen. It creates
+ a file containing a KEY record for each key, and self-signs the key
+ set with each zone key. The output file is of the form
+ keyset-nnnn., where nnnn
+ is the zone name.
+
+
+
+
+ OPTIONS
+
+
+
+ -a
+
+
+ Verify all generated signatures.
+
+
+
+
+
+ -s start-time
+
+
+ Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no is specified, the current
+ time is used.
+
+
+
+
+
+ -e end-time
+
+
+ Specify the date and time when the generated SIG records
+ expire. As with , an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no is
+ specified, 30 days from the start time is used as a default.
+
+
+
+
+
+ -h
+
+
+ Prints a short summary of the options and arguments to
+ dnssec-makekeyset.
+
+
+
+
+
+ -p
+
+
+ Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+
+
+
+
+
+ -r randomdev
+
+
+ Specifies the source of randomness. If the operating
+ system does not provide a /dev/random
+ or equivalent device, the default source of randomness
+ is keyboard input. randomdev specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ keyboard indicates that keyboard
+ input should be used.
+
+
+
+
+
+ -t ttl
+
+
+ Specify the TTL (time to live) of the KEY and SIG records.
+ The default is 3600 seconds.
+
+
+
+
+
+ -v level
+
+
+ Sets the debugging level.
+
+
+
+
+
+ key
+
+
+ Lists the keys included in the keyset file. These keys
+ are expressed in the form Knnnn.+aaa+iiiii
+ as generated by dnssec-keygen.
+
+
+
+
+
+
+
+
+ EXAMPLE
+
+ The following command generates a keyset containing the DSA key for
+ example.com generated in the
+ dnssec-keygen man page.
+
+
+ dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160
+
+
+ In this example, dnssec-makekeyset creates
+ the file keyset-example.com.. This file
+ contains the specified key and a self-generated signature.
+
+
+ The DNS administrator for example.com could
+ send keyset-example.com. to the DNS
+ administrator for .com for signing, if the
+ .com zone is DNSSEC-aware and the administrators of the two zones
+ have some mechanism for authenticating each other and exchanging
+ the keys and signatures securely.
+
+
+
+
+ SEE ALSO
+
+
+ dnssec-keygen
+ 8
+ ,
+
+ dnssec-signkey
+ 8
+ ,
+ BIND 9 Administrator Reference Manual,
+ RFC 2535.
+
+
+
+
+ AUTHOR
+
+ Internet Software Consortium
+
+
+
+
+
+
diff --git a/bin/dnssec/dnssec-makekeyset.html b/bin/dnssec/dnssec-makekeyset.html
new file mode 100644
index 0000000000..067b572b64
--- /dev/null
+++ b/bin/dnssec/dnssec-makekeyset.html
@@ -0,0 +1,404 @@
+
+dnssec-makekeyset
dnssec-makekeyset generates a key set from one
+ or more keys created by dnssec-keygen. It creates
+ a file containing a KEY record for each key, and self-signs the key
+ set with each zone key. The output file is of the form
+ keyset-nnnn., where nnnn
+ is the zone name.
+
OPTIONS
-a
Verify all generated signatures.
+
-s start-time
Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no start-time is specified, the current
+ time is used.
+
-e end-time
Specify the date and time when the generated SIG records
+ expire. As with start-time, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no end-time is
+ specified, 30 days from the start time is used as a default.
+
-h
Prints a short summary of the options and arguments to
+ dnssec-makekeyset.
+
-p
Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+
-r randomdev
Specifies the source of randomness. If the operating
+ system does not provide a /dev/random
+ or equivalent device, the default source of randomness
+ is keyboard input. randomdev specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ keyboard indicates that keyboard
+ input should be used.
+
-t ttl
Specify the TTL (time to live) of the KEY and SIG records.
+ The default is 3600 seconds.
+
-v level
Sets the debugging level.
+
key
Lists the keys included in the keyset file. These keys
+ are expressed in the form Knnnn.+aaa+iiiii
+ as generated by dnssec-keygen.
+
EXAMPLE
The following command generates a keyset containing the DSA key for
+ example.com generated in the
+ dnssec-keygen man page.
+
In this example, dnssec-makekeyset creates
+ the file keyset-example.com.. This file
+ contains the specified key and a self-generated signature.
+
The DNS administrator for example.com could
+ send keyset-example.com. to the DNS
+ administrator for .com for signing, if the
+ .com zone is DNSSEC-aware and the administrators of the two zones
+ have some mechanism for authenticating each other and exchanging
+ the keys and signatures securely.
+
\ No newline at end of file
diff --git a/bin/dnssec/dnssec-signkey.8 b/bin/dnssec/dnssec-signkey.8
index 07b1296bf8..0af7807ca9 100644
--- a/bin/dnssec/dnssec-signkey.8
+++ b/bin/dnssec/dnssec-signkey.8
@@ -12,198 +12,94 @@
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-.\" $Id: dnssec-signkey.8,v 1.12 2001/01/09 21:47:24 bwelling Exp $
-
-.Dd Jun 30, 2000
-.Dt DNSSEC-SIGNKEY 8
-.Os BIND9 9
-.ds vT BIND9 Programmer's Manual
-.Sh NAME
-.Nm dnssec-signkey
-.Nd DNSSEC keyset signing tool
-.Sh SYNOPSIS
-.Nm dnssec-signkey
-.Op Fl h
-.Op Fl s Ar start-time
-.Op Fl e Ar end-time
-.Op Fl c Ar class
-.Op Fl p
-.Op Fl r Ar randomdev
-.Op Fl v Ar level
-.Ar keyset
-.Ar keyfile ...
-.Sh DESCRIPTION
-.Nm dnssec-signkey
-is used to sign a key set for a child zone.
-Typically this would be provided by a
-.Ar keyset
-file generated by
-.Xr dnssec-makekeyset 8 .
-This provides a mechanism for a DNSSEC-aware zone to sign the keys of
-any DNSSEC-aware child zones.
-The child zone's key set gets signed with the zone keys for its parent
-zone.
-.Ar keyset
-will be the pathname of the child zone's
-.Ar keyset
-file.
-Each
-.Ar keyfile
-argument will be a key identification string as reported by
-.Xr dnssec-keygen 8
-for the parent zone.
-This allows the child's keys to be signed by more than one
-parent zone key.
-.Pp
-The
-.Fl h
-option makes
-.Nm dnssec-signkey
-print a short summary of its command line options
-and arguments.
-.Pp
-By default, the validity period of the generated SIG records is copied
-from that of the signatures in the input key set. This may be overriden
-with the
-.Fl s
-and
-.Fl e
-options, both of which must be present if either is.
-The start of the validity period is specified with the
-.Fl s
-option.
-.Ar start-time
-can either be an absolute or relative date.
-An absolute start time is indicated by a number in YYYYMMDDHHMMSS
-notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
-A relative start time is supplied when
-.Ar start-time
-is given as +N: N seconds from the current time.
-If no
-.Fl s
-option is supplied, the current date and time is used for the start
-time of the SIG records.
-.Pp
-The expiry date for the SIG records can be set by the
-.Fl e
-option.
-Note that in this context, the expiry date specifies when the SIG
-records are no longer valid, not when they are deleted from caches on name
-servers.
-.Ar end-date
-also represents an absolute or relative date.
-YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
-and time.
-When
-.Ar end-date
-is +N,
-it indicates that the SIG records will expire in N seconds after their
-start date.
-If
-.Ar end-date
-is written as now+N,
-the SIG records will expire in N seconds after the current time.
-.Pp
-The
-.Fl c
-option specifies that the KEY records in the input and output key sets should
-have the specified class instead of IN.
-.Pp
-.Nm dnssec-signkey
-may need random numbers in the process of generating keys.
-If the system does not have a
-.Pa /dev/random
-device that can be used for generating random numbers,
-.Nm dnssec-signkey
-will prompt for keyboard input and use the time intervals between
-keystrokes to provide randomness.
-The
-.Fl r
-option overrides this behaviour, making
-.Nm dnssec-signkey
-use
-.Ar randomdev
-as a source of random data.
-.Pp
-The
-.Fl p
-option instructs
-.Nm dnssec-signkey
-to use pseudo-random data when signing the keys. This is faster, but
-less secure, than using genuinely random data for signing.
-This option may be useful when there are many child zone keysets to
-sign or if the entropy source is limited.
-It could also be used for short-lived keys and signatures that don't
-require as much protection against cryptanalysis, such as when the key
-will be discarded long before it could be compromised.
-.Pp
-The
-.Fl v
-option can be used to make
-.Nm dnssec-signkey
-more verbose.
-As the debugging/tracing level
-.Ar level
-increases,
-.Nm dnssec-signkey
-generates increasingly detailed reports about what it is doing.
-The default level is zero.
-.Pp
-When
-.Nm dnssec-signkey
-completes successfully, it generates a file called
-.Ar signedkey-nnnn.
-containing the signed keys for child zone
-.Ar nnnn .
-The keys from the
-.Ar keyset
-file will have been signed by the parent zone's key or keys which were
-supplied as
-.Ar keyfile
-arguments.
-This file should be sent to the DNS administrator of the child zone.
-They arrange for its contents to be incorporated into the zone file
-when it next gets signed with
-.Xr dnssec-signzone 8 .
-A copy of the generated
-.Ar signedkey
-file should be kept by the parent zone's DNS administrator, since
-it will be needed when signing the parent zone.
-.Sh EXAMPLE
-The DNS administrator for a DNSSEC-aware
-.Dv .com
-zone would use the following command to make
-.Nm dnssec-signkey
-sign the
-.Ar keyset
-file for
-.Dv example.com
-created in the example shown in the man page for
-.Xr dnssec-makekeyset 8 :
-.Pp
-.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
-.Pp
-where
-.Dv Kcom.+003+51944
-was a key file identifier that was produced when
-.Xr dnssec-keygen 8
-generated a key for the
-.Dv .com
-zone.
-.Pp
-.Nm dnssec-signkey
-will produce a file called
-.Dv signedkey-example.com.
-which has the keys for
-.Dv example.com
-signed by the
-.Dv com
-zone's zone key.
-.Sh FILES
-.Pa /dev/random
-.Sh SEE ALSO
-.Xr RFC2535,
-.Xr dnssec-keygen 8 ,
-.Xr dnssec-makekeyset 8 ,
-.Xr dnssec-signzone 8 .
+.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-signkey \- DNSSEC key set signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-signkey\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkeyset\fR \fBkey\fR\fI...\fR
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-signkey\fR signs a keyset. Typically
+the keyset will be for a child zone, and will have been generated
+by \fBdnssec-makekeyset\fR. The child zone's keyset
+is signed with the zone keys for its parent zone. The output file
+is of the form \fIsignedkey-nnnn.\fR, where
+\fInnnn\fR is the zone name.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Verify all generated signatures.
+.TP
+\fB-c \fIclass\fB\fR
+Specifies the DNS class of the key sets.
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated SIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated SIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time realtive to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-signkey\fR.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.TP
+\fBkeyset\fR
+The file containing the child's keyset.
+.TP
+\fBkey\fR
+The keys used to sign the child's keyset.
+.SH "EXAMPLE"
+.PP
+The DNS administrator for a DNSSEC-aware \fB.com\fR
+zone would use the following command to sign the
+\fIkeyset\fR file for \fBexample.com\fR
+created by \fBdnssec-makekeyset\fR with a key generated
+by \fBdnssec-keygen\fR:
+.PP
+\fBdnssec-signkey keyset-example.com. Kcom.+003+51944\fR
+.PP
+In this example, \fBdnssec-signkey\fR creates
+the file \fIsignedkey-example.com.\fR, which
+contains the \fBexample.com\fR keys and the
+signatures by the \fB.com\fR keys.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-makekeyset\fR(8),
+\fBdnssec-signzone\fR(8).
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
diff --git a/bin/dnssec/dnssec-signkey.docbook b/bin/dnssec/dnssec-signkey.docbook
new file mode 100644
index 0000000000..5d216df1bc
--- /dev/null
+++ b/bin/dnssec/dnssec-signkey.docbook
@@ -0,0 +1,219 @@
+
+
+
+
+ June 30, 2000
+
+
+
+ dnssec-signkey
+ 8
+ BIND9
+
+
+
+ dnssec-signkey
+ DNSSEC key set signing tool
+
+
+
+
+ dnssec-signkey
+
+
+
+
+
+
+
+
+ keyset
+ key
+
+
+
+
+ DESCRIPTION
+
+ dnssec-signkey signs a keyset. Typically
+ the keyset will be for a child zone, and will have been generated
+ by dnssec-makekeyset. The child zone's keyset
+ is signed with the zone keys for its parent zone. The output file
+ is of the form signedkey-nnnn., where
+ nnnn is the zone name.
+
+
+
+
+ OPTIONS
+
+
+
+ -a
+
+
+ Verify all generated signatures.
+
+
+
+
+
+ -c class
+
+
+ Specifies the DNS class of the key sets.
+
+
+
+
+
+ -s start-time
+
+
+ Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no is specified, the current
+ time is used.
+
+
+
+
+
+ -e end-time
+
+
+ Specify the date and time when the generated SIG records
+ expire. As with , an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no is
+ specified, 30 days from the start time is used as a default.
+
+
+
+
+
+ -h
+
+
+ Prints a short summary of the options and arguments to
+ dnssec-signkey.
+
+
+
+
+
+ -p
+
+
+ Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+
+
+
+
+
+ -r randomdev
+
+
+ Specifies the source of randomness. If the operating
+ system does not provide a /dev/random
+ or equivalent device, the default source of randomness
+ is keyboard input. randomdev specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ keyboard indicates that keyboard
+ input should be used.
+
+
+
+
+
+ -v level
+
+
+ Sets the debugging level.
+
+
+
+
+
+ keyset
+
+
+ The file containing the child's keyset.
+
+
+
+
+
+ key
+
+
+ The keys used to sign the child's keyset.
+
+
+
+
+
+
+
+
+ EXAMPLE
+
+ The DNS administrator for a DNSSEC-aware .com
+ zone would use the following command to sign the
+ keyset file for example.com
+ created by dnssec-makekeyset with a key generated
+ by dnssec-keygen:
+
+
+ dnssec-signkey keyset-example.com. Kcom.+003+51944
+
+
+ In this example, dnssec-signkey creates
+ the file signedkey-example.com., which
+ contains the example.com keys and the
+ signatures by the .com keys.
+
+
+
+
+ SEE ALSO
+
+
+ dnssec-keygen
+ 8
+ ,
+
+ dnssec-makekeyset
+ 8
+ ,
+
+ dnssec-signzone
+ 8
+ .
+
+
+
+
+ AUTHOR
+
+ Internet Software Consortium
+
+
+
+
+
+
diff --git a/bin/dnssec/dnssec-signkey.html b/bin/dnssec/dnssec-signkey.html
new file mode 100644
index 0000000000..d98fd225c2
--- /dev/null
+++ b/bin/dnssec/dnssec-signkey.html
@@ -0,0 +1,404 @@
+
+dnssec-signkey
dnssec-signkey signs a keyset. Typically
+ the keyset will be for a child zone, and will have been generated
+ by dnssec-makekeyset. The child zone's keyset
+ is signed with the zone keys for its parent zone. The output file
+ is of the form signedkey-nnnn., where
+ nnnn is the zone name.
+
OPTIONS
-a
Verify all generated signatures.
+
-c class
Specifies the DNS class of the key sets.
+
-s start-time
Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no start-time is specified, the current
+ time is used.
+
-e end-time
Specify the date and time when the generated SIG records
+ expire. As with start-time, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no end-time is
+ specified, 30 days from the start time is used as a default.
+
-h
Prints a short summary of the options and arguments to
+ dnssec-signkey.
+
-p
Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+
-r randomdev
Specifies the source of randomness. If the operating
+ system does not provide a /dev/random
+ or equivalent device, the default source of randomness
+ is keyboard input. randomdev specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ keyboard indicates that keyboard
+ input should be used.
+
-v level
Sets the debugging level.
+
keyset
The file containing the child's keyset.
+
key
The keys used to sign the child's keyset.
+
EXAMPLE
The DNS administrator for a DNSSEC-aware .com
+ zone would use the following command to sign the
+ keyset file for example.com
+ created by dnssec-makekeyset with a key generated
+ by dnssec-keygen:
+
In this example, dnssec-signkey creates
+ the file signedkey-example.com., which
+ contains the example.com keys and the
+ signatures by the .com keys.
+
\ No newline at end of file
diff --git a/bin/dnssec/dnssec-signzone.8 b/bin/dnssec/dnssec-signzone.8
index 0fe3b1cb47..ac6a556bd8 100644
--- a/bin/dnssec/dnssec-signzone.8
+++ b/bin/dnssec/dnssec-signzone.8
@@ -12,274 +12,141 @@
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-signzone \- DNSSEC zone signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-h\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-signzone\fR signs a zone. It generates NXT
+and SIG records and produces a signed version of the zone. If there
+is a \fIsignedkey\fR file from the zone's parent,
+the parent's signatures will be incorporated into the generated
+signed zone file. The security status of delegations from the the
+signed zone (that is, whether the child zones are secure or not) is
+determined by the presence or absence of a
+\fIsignedkey\fR file for each child zone.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Verify all generated signatures.
+.TP
+\fB-c \fIclass\fB\fR
+Specifies the DNS class of the zone.
+.TP
+\fB-d \fIdirectory\fB\fR
+Look for \fIsignedkey\fR files in
+\fBdirectory\fR as the directory
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated SIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated SIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time realtive to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-f \fIoutput-file\fB\fR
+The name of the output file containing the signed zone. The
+default is to append \fI.signed\fR to the
+input file.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-signzone\fR.
+.TP
+\fB-i \fIinterval\fB\fR
+When a previously signed zone is passed as input, records
+may be resigned. The \fBinterval\fR option
+specifies the cycle interval as an offset from the current
+time (in seconds). If a SIG record expires after the
+cycle interval, it is retained. Otherwise, it is considered
+to be expiring soon, and it will be replaced.
-.\" $Id: dnssec-signzone.8,v 1.17 2001/01/09 21:47:25 bwelling Exp $
-
-.Dd Jun 30, 2000
-.Dt DNSSEC-SIGNZONE 8
-.Os BIND9 9
-.ds vT BIND9 Programmer's Manual
-.Sh NAME
-.Nm dnssec-signzone
-.Nd DNSSEC zone signing tool
-.Sh SYNOPSIS
-.Nm dnssec-signzone
-.Op Fl a
-.Op Fl c Ar class
-.Op Fl d Ar directory
-.Op Fl s Ar start-time
-.Op Fl e Ar end-time
-.Op Fl i Ar interval
-.Op Fl o Ar origin
-.Op Fl f Ar output-file
-.Op Fl p
-.Op Fl r Ar randomdev
-.Op Fl t
-.Op Fl v Ar level
-.Op Fl n Ar nthreads
-.Ar zonefile
-.Op keyfile ....
-.Sh DESCRIPTION
-.Pp
-.Nm dnssec-signzone
-is used to sign a zone.
-Any
-.Ar signedkey
-files for the zone to be signed should be present in the current
-directory, along with the keys that will be used to sign the zone.
-If no
-.Ar keyfile
-arguments are supplied, the default behaviour is to use all of the zone's
-keys that are present in the current directory.
-Providing specific
-.Ar keyfile
-arguments constrains
-.Nm dnssec-signzone
-to only use those keys for signing the zone.
-Each
-.Ar keyfile
-argument would be an identification string for a key created with
-.Xr dnssec-keygen 8 .
-If the zone to be signed has any secure subzones, the
-.Ar signedkey
-files for those subzones need to be available in the
-current working directory used by
-.Nm dnssec-signzone .
-.Pp
-.Ar zonefile
-is the name of the unsigned zone file.
-Unless the file name is the same as the name of the zone, the
-.Fl o
-option should be given.
-.Ar origin
-will be the fully qualified domain origin for the zone.
-.Pp
-.Nm dnssec-signzone
-will generate NXT and SIG records for the zone and produce a signed
-version of the zone.
-If there is a
-.Ar signedkey
-file from the zone's parent, the parent's signatures will be
-incorporated into the generated signed zone file.
-The security status of delegations from the the signed zone
-- i.e. whether the child zones are DNSSEC-aware or not - is
-set according to the presence or absence of a
-.Ar signedkey
-file for the child in case.
-.Pp
-By default,
-.Nm dnssec-signzone
-generates a file called
-.Ar zonefile.signed
-containing the signed zone file.
-The output file name can be overridden usign the
-.Fl f
-option.
-.\" Don't hyphenate YYYYMMDDHHMMSS
-.nh YYYYMMDDHHMMSS
-.Pp
-.Nm dnssec-signzone
-does not verify the signatures by default.
-The
-.Fl a
-option makes it verify the signatures it generated.
-.Pp
-The date and time when the generated
-SIG records become valid can be specified with the
-.Fl s
-option.
-.Ar start-time
-can either be an absolute or relative date.
-An absolute start time is indicated by a number in YYYYMMDDHHMMSS
-notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
-A relative start time is supplied when
-.Ar start-time
-is given as +N: N seconds from the current time.
-If no
-.Fl s
-option is supplied, the current date and time is used for the start
-time of the SIG records.
-.Pp
-The expiry date for the SIG records can be set by the
-.Fl e
-option.
-Note that in this context, the expiry date specifies when the SIG
-records are no longer valid, not when they are deleted from caches on name
-servers.
-.Ar end-date
-also represents an absolute or relative date.
-YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
-and time.
-When
-.Ar end-date
-is +N,
-it indicates that the SIG records will expire in N seconds after their
-start date.
-If
-.Ar end-date
-is supplied as now+N,
-the SIG records will expire in N seconds after the current time.
-When no expiry date is set for the SIG records,
-.Nm dnssec-signzone
-defaults to an expire time of 30 days from the start time of the SIG
-records.
-.Pp
-When a previously signed zone is passed as input to
-.Nm dnssec-signzone ,
-records may be resigned. Whether or not to resign records is configurable
-by using the
-.Fl i
-option, which specifies the cycle interval as an offset from the current time
-(in seconds). If a SIG record expires after the cycle interval, it is
-retained. Otherwise, it is considered to be expiring soon, and
-.Nm dnssec-signzone
-will remove it and generate a new SIG record to replace it.
-.Pp
-The default cycle interval is one quarter of the difference between the
-specified signature end and start dates. So if the
-.Fl e
-and
-.Fl s
-options are not specified,
-.Nm dnssec-signzone
-generates signatures that are valid for 30 days from the current date
-by default, with a cycle interval of 7.5 days. Therefore, if any SIG records
-are due to expire in less than 7.5 days, they would be replaced
-with new ones.
-.Pp
-.Nm dnssec-signzone
-may need random numbers in the process of signing the zone.
-If the system does not have a
-.Pa /dev/random
-device that can be used for generating random numbers,
-.Nm dnssec-signzone
-will prompt for keyboard input and use the time intervals between
-keystrokes to provide randomness.
-The
-.Fl r
-option overrides this behaviour, making
-.Nm dnssec-signzone
-use
-.Ar randomdev
-as a source of random data.
-.Pp
-The
-.Fl p
-option instructs
-.Nm dnssec-signzone
-to use pseudo-random data when signing the keys. This is faster, but
-less secure, than using genuinely random data for signing.
-This option may be useful when signing large zones or when the
-entropy source is limited.
-.Pp
-The
-.Fl t
-option causes
-.Nm dnssec-signzone
-to print various statistics after signing the zone.
-.Pp
-The
-.Fl c
-option specifies that the KEY records in the input and output key sets should
-have the specified class instead of IN.
-.Pp
-The
-.Fl d
-option specifies that
-.Nm dnssec-signzone
-should look in a directory other than the current directory for signedkey
-files.
-.Pp
-An option of
-.Fl h
-makes
-.Nm dnssec-signzone
-print a short summary of its command line options
-and arguments.
-.Pp
-The
-.Fl v
-option can be used to make
-.Nm dnssec-signzone
-more verbose.
-As the debugging/tracing level
-.Ar level
-increases,
-.Nm dnssec-signzone
-generates increasingly detailed reports about what it is doing.
-The default level is zero.
-.Pp
-The
-.Fl n
-option can be used to change the threading behavior. By default,
-.Nm dnssec-signzone
-attempts to determine the number of CPUs present, and create one thread
-per CPU. The
-.Fl n
-option causes a different number of threads to be created.
-.Sh EXAMPLE
-The example below shows how
-.Nm dnssec-signzone
-could be used to sign the
-.Dv example.com
-zone with the key that was generated in the example given in the
-man page for
-.Xr dnssec-keygen 8 .
-The zone file for this zone is
-.Dv example.com ,
-which is the same as the origin, so there is no need to use the
-.Fl o
-option to set the origin.
-The zone's keys were either appended to the zone file or
-incorporated using a
-.Dv $INCLUDE
-statement.
-If there was a
-.Ar signedkey
-file from the parent zone - i.e.
-.Dv signedkey-example.com.
-- it should be present in the current directory.
-This allows the parent zone's signature to be included in the signed
-version of the
-.Dv example.com
-zone.
-.Pp
-.Dl # dnssec-signzone example.com Kexample.com.+003+26160
-.Pp
-.Nm dnssec-signzone
-will create a file called
-.Dv example.com.signed ,
-the signed version of the
-.Dv example.com
-zone.
-This file can then be referenced in a
-.Dv zone{}
-statement in
-.Pa /etc/named.conf
-so that it can be loaded by the name server.
-.Sh FILES
-.Pa /dev/random
-.Sh SEE ALSO
-.Xr RFC2535,
-.Xr dnssec-keygen 8 ,
-.Xr dnssec-signkey 8 .
+The default cycle interval is one quarter of the difference
+between the signature end and start times. So if neither
+\fBend-time\fR or \fBstart-time\fR
+are specified, \fBdnssec-signzone\fR generates
+signatures that are valid for 30 days, with a cycle
+interval of 7.5 days. Therefore, if any existing SIG records
+are due to expire in less than 7.5 days, they would be
+replaced.
+.TP
+\fB-n \fIncpus\fB\fR
+Specifies the number of threads to use. By default, one
+thread is started for each detected CPU.
+.TP
+\fB-o \fIorigin\fB\fR
+The zone origin. If not specified, the name of the zone file
+is assumed to be the origin.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-t\fR
+Print statistics at completion.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.TP
+\fBzonefile\fR
+The file containing the zone to be signed.
+Sets the debugging level.
+.TP
+\fBkey\fR
+The keys used to sign the zone. If no keys are specified, the
+default all zone keys that have private key files in the
+current directory.
+.SH "EXAMPLE"
+.PP
+The following command signs the \fBexample.com\fR
+zone with the DSA key generated in the \fBdnssec-keygen\fR
+man page. The zone's keys must be in the zone. If there are
+\fIsignedkey\fR files associated with this zone
+or any child zones, they must be in the current directory.
+\fBexample.com\fR, the following command would be
+issued:
+.PP
+\fBdnssec-signzone -o example.com db.example.com Kexample.com.+003+26160\fR
+.PP
+The command would print a string of the form:
+.PP
+In this example, \fBdnssec-signzone\fR creates
+the file \fIdb.example.com.signed\fR. This file
+should be referenced in a zone statement in a
+\fInamed.conf\fR file.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signkey\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR.
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
diff --git a/bin/dnssec/dnssec-signzone.docbook b/bin/dnssec/dnssec-signzone.docbook
new file mode 100644
index 0000000000..a0539c2ab7
--- /dev/null
+++ b/bin/dnssec/dnssec-signzone.docbook
@@ -0,0 +1,307 @@
+
+
+
+
+ June 30, 2000
+
+
+
+ dnssec-signzone
+ 8
+ BIND9
+
+
+
+ dnssec-signzone
+ DNSSEC zone signing tool
+
+
+
+
+ dnssec-signzone
+
+
+
+
+
+
+
+
+
+
+
+
+
+
+ zonefile
+ key
+
+
+
+
+ DESCRIPTION
+
+ dnssec-signzone signs a zone. It generates NXT
+ and SIG records and produces a signed version of the zone. If there
+ is a signedkey file from the zone's parent,
+ the parent's signatures will be incorporated into the generated
+ signed zone file. The security status of delegations from the the
+ signed zone (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ signedkey file for each child zone.
+
+
+
+
+ OPTIONS
+
+
+
+ -a
+
+
+ Verify all generated signatures.
+
+
+
+
+
+ -c class
+
+
+ Specifies the DNS class of the zone.
+
+
+
+
+
+ -d directory
+
+
+ Look for signedkey files in
+ as the directory
+
+
+
+
+
+ -s start-time
+
+
+ Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no is specified, the current
+ time is used.
+
+
+
+
+
+ -e end-time
+
+
+ Specify the date and time when the generated SIG records
+ expire. As with , an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no is
+ specified, 30 days from the start time is used as a default.
+
+
+
+
+
+ -f output-file
+
+
+ The name of the output file containing the signed zone. The
+ default is to append .signed to the
+ input file.
+
+
+
+
+
+ -h
+
+
+ Prints a short summary of the options and arguments to
+ dnssec-signzone.
+
+
+
+
+
+ -i interval
+
+
+ When a previously signed zone is passed as input, records
+ may be resigned. The option
+ specifies the cycle interval as an offset from the current
+ time (in seconds). If a SIG record expires after the
+ cycle interval, it is retained. Otherwise, it is considered
+ to be expiring soon, and it will be replaced.
+
+
+ The default cycle interval is one quarter of the difference
+ between the signature end and start times. So if neither
+ or
+ are specified, dnssec-signzone generates
+ signatures that are valid for 30 days, with a cycle
+ interval of 7.5 days. Therefore, if any existing SIG records
+ are due to expire in less than 7.5 days, they would be
+ replaced.
+
+
+
+
+
+ -n ncpus
+
+
+ Specifies the number of threads to use. By default, one
+ thread is started for each detected CPU.
+
+
+
+
+
+ -o origin
+
+
+ The zone origin. If not specified, the name of the zone file
+ is assumed to be the origin.
+
+
+
+
+
+ -p
+
+
+ Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+
+
+
+
+
+ -r randomdev
+
+
+ Specifies the source of randomness. If the operating
+ system does not provide a /dev/random
+ or equivalent device, the default source of randomness
+ is keyboard input. randomdev specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ keyboard indicates that keyboard
+ input should be used.
+
+
+
+
+
+ -t
+
+
+ Print statistics at completion.
+
+
+
+
+
+ -v level
+
+
+ Sets the debugging level.
+
+
+
+
+
+ zonefile
+
+
+ The file containing the zone to be signed.
+ Sets the debugging level.
+
+
+
+
+
+ key
+
+
+ The keys used to sign the zone. If no keys are specified, the
+ default all zone keys that have private key files in the
+ current directory.
+
+
+
+
+
+
+
+
+ EXAMPLE
+
+ The following command signs the example.com
+ zone with the DSA key generated in the dnssec-keygen
+ man page. The zone's keys must be in the zone. If there are
+ signedkey files associated with this zone
+ or any child zones, they must be in the current directory.
+ example.com, the following command would be
+ issued:
+
+
+ dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160
+
+
+ The command would print a string of the form:
+
+
+ In this example, dnssec-signzone creates
+ the file db.example.com.signed. This file
+ should be referenced in a zone statement in a
+ named.conf file.
+
+
+
+
+ SEE ALSO
+
+
+ dnssec-keygen
+ 8
+ ,
+
+ dnssec-signkey
+ 8
+ ,
+ BIND 9 Administrator Reference Manual,
+ RFC 2535.
+
+
+
+
+ AUTHOR
+
+ Internet Software Consortium
+
+
+
+
+
+
diff --git a/bin/dnssec/dnssec-signzone.html b/bin/dnssec/dnssec-signzone.html
new file mode 100644
index 0000000000..ed3ba8e7a6
--- /dev/null
+++ b/bin/dnssec/dnssec-signzone.html
@@ -0,0 +1,553 @@
+
+dnssec-signzone
dnssec-signzone signs a zone. It generates NXT
+ and SIG records and produces a signed version of the zone. If there
+ is a signedkey file from the zone's parent,
+ the parent's signatures will be incorporated into the generated
+ signed zone file. The security status of delegations from the the
+ signed zone (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ signedkey file for each child zone.
+
OPTIONS
-a
Verify all generated signatures.
+
-c class
Specifies the DNS class of the zone.
+
-d directory
Look for signedkey files in
+ directory as the directory
+
-s start-time
Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no start-time is specified, the current
+ time is used.
+
-e end-time
Specify the date and time when the generated SIG records
+ expire. As with start-time, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no end-time is
+ specified, 30 days from the start time is used as a default.
+
-f output-file
The name of the output file containing the signed zone. The
+ default is to append .signed to the
+ input file.
+
-h
Prints a short summary of the options and arguments to
+ dnssec-signzone.
+
-i interval
When a previously signed zone is passed as input, records
+ may be resigned. The interval option
+ specifies the cycle interval as an offset from the current
+ time (in seconds). If a SIG record expires after the
+ cycle interval, it is retained. Otherwise, it is considered
+ to be expiring soon, and it will be replaced.
+
The default cycle interval is one quarter of the difference
+ between the signature end and start times. So if neither
+ end-time or start-time
+ are specified, dnssec-signzone generates
+ signatures that are valid for 30 days, with a cycle
+ interval of 7.5 days. Therefore, if any existing SIG records
+ are due to expire in less than 7.5 days, they would be
+ replaced.
+
-n ncpus
Specifies the number of threads to use. By default, one
+ thread is started for each detected CPU.
+
-o origin
The zone origin. If not specified, the name of the zone file
+ is assumed to be the origin.
+
-p
Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+
-r randomdev
Specifies the source of randomness. If the operating
+ system does not provide a /dev/random
+ or equivalent device, the default source of randomness
+ is keyboard input. randomdev specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ keyboard indicates that keyboard
+ input should be used.
+
-t
Print statistics at completion.
+
-v level
Sets the debugging level.
+
zonefile
The file containing the zone to be signed.
+ Sets the debugging level.
+
key
The keys used to sign the zone. If no keys are specified, the
+ default all zone keys that have private key files in the
+ current directory.
+
EXAMPLE
The following command signs the example.com
+ zone with the DSA key generated in the dnssec-keygen
+ man page. The zone's keys must be in the zone. If there are
+ signedkey files associated with this zone
+ or any child zones, they must be in the current directory.
+ example.com, the following command would be
+ issued:
+
In this example, dnssec-signzone creates
+ the file db.example.com.signed. This file
+ should be referenced in a zone statement in a
+ named.conf file.
+