ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
42cf4e4eadee9fda7dafc6cd4acbc629181baceb
bind9/doc/man/dnssec/dnssec-signkey.8
Brian Wellington 6e4deb9f1b updates
2000-11-01 00:33:50 +00:00

210 lines
5.7 KiB
Groff
Raw Blame History

.\" Copyright (C) 2000 Internet Software Consortium.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
.\" DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
.\" INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signkey.8,v 1.10 2000/11/01 00:33:48 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
.Os BIND9 9
.ds vT BIND9 Programmer's Manual
.Sh NAME
.Nm dnssec-signkey
.Nd DNSSEC keyset signing tool
.Sh SYNOPSIS
.Nm dnssec-signkey
.Op Fl h
.Op Fl s Ar start-time
.Op Fl e Ar end-time
.Op Fl c Ar class
.Op Fl p
.Op Fl r Ar randomdev
.Op Fl v Ar level
.Ar keyset
.Ar keyfile ...
.Sh DESCRIPTION
.Nm dnssec-signkey
is used to sign a key set for a child zone.
Typically this would be provided by a
.Ar keyset
file generated by
.Xr dnssec-makekeyset 8 .
This provides a mechanism for a DNSSEC-aware zone to sign the keys of
any DNSSEC-aware child zones.
The child zone's key set gets signed with the zone keys for its parent
zone.
.Ar keyset
will be the pathname of the child zone's
.Ar keyset
file.
Each
.Ar keyfile
argument will be a key identification string as reported by
.Xr dnssec-keygen 8
for the parent zone.
This allows the child's keys to be signed by more than one
parent zone key.
.Pp
The
.Fl h
option makes
.Nm dnssec-signkey
print a short summary of its command line options
and arguments.
.Pp
By default, the validity period of the generated SIG records is copied
from that of the signatures in the input key set. This may be overriden
with the
.Fl s
and
.Fl e
options, both of which must be present if either is.
The start of the validity period is specified with the
.Fl s
option.
.Ar start-time
can either be an absolute or relative date.
An absolute start time is indicated by a number in YYYYMMDDHHMMSS
notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
A relative start time is supplied when
.Ar start-time
is given as +N: N seconds from the current time.
If no
.Fl s
option is supplied, the current date and time is used for the start
time of the SIG records.
.Pp
The expiry date for the SIG records can be set by the
.Fl e
option.
Note that in this context, the expiry date specifies when the SIG
records are no longer valid, not when they are deleted from caches on name
servers.
.Ar end-date
also represents an absolute or relative date.
YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
and time.
When
.Ar end-date
is +N,
it indicates that the SIG records will expire in N seconds after their
start date.
If
.Ar end-date
is written as now+N,
the SIG records will expire in N seconds after the current time.
.Pp
The
.Fl c
option specifies that the KEY records in the input and output key sets should
have the specified class instead of IN.
.Pp
.Nm dnssec-signkey
may need random numbers in the process of generating keys.
If the system does not have a
.Pa /dev/random
device that can be used for generating random numbers,
.Nm dnssec-signkey
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
.Nm dnssec-signkey
use
.Ar randomdev
as a source of random data.
.Pp
The
.Fl p
option instructs
.Nm dnssec-signkey
to use pseudo-random data when signing the keys. This is faster, but
less secure, than using genuinely random data for signing.
This option may be useful when there are many child zone keysets to
sign or if the entropy source is limited.
It could also be used for short-lived keys and signatures that don't
require as much protection against cryptanalysis, such as when the key
will be discarded long before it could be compromised.
.Pp
The
.Fl v
option can be used to make
.Nm dnssec-signkey
more verbose.
As the debugging/tracing level
.Ar level
increases,
.Nm dnssec-signkey
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Pp
When
.Nm dnssec-signkey
completes successfully, it generates a file called
.Ar signedkey-nnnn.
containing the signed keys for child zone
.Ar nnnn .
The keys from the
.Ar keyset
file will have been signed by the parent zone's key or keys which were
supplied as
.Ar keyfile
arguments.
This file should be sent to the DNS administrator of the child zone.
They arrange for its contents to be incorporated into the zone file
when it next gets signed with
.Xr dnssec-signzone 8 .
A copy of the generated
.Ar signedkey
file should be kept by the parent zone's DNS administrator, since
it will be needed when signing the parent zone.
.Sh EXAMPLE
The DNS administrator for a DNSSEC-aware
.Dv .com
zone would use the following command to make
.Nm dnssec-signkey
sign the
.Ar keyset
file for
.Dv example.com
created in the example shown in the man page for
.Xr dnssec-makekeyset 8 :
.Pp
.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
.Pp
where
.Dv Kcom.+003+51944
was a key file identifier that was produced when
.Xr dnssec-keygen 8
generated a key for the
.Dv .com
zone.
.Pp
.Nm dnssec-signkey
will produce a file called
.Dv signedkey-example.com.
which has the keys for
.Dv example.com
signed by the
.Dv com
zone's zone key.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signzone 8 .
View Git Blame Copy Permalink