ComputerSurge/bind9
3
0
Fork 0
Code Pull Requests 1 Activity
Files
ef7aba70726cff9afaaa8c7054098f84087ccf84
bind9/bin/dnssec/dnssec-ksr.rst
Ondřej Surý ef7aba7072 Remove OpenSSL Engine support 
The OpenSSL 1.x Engines support has been deprecated in the OpenSSL 3.x
and is going to be removed.  Remove the OpenSSL Engine support in favor
of OpenSSL Providers.
2024-08-06 15:17:48 +02:00

155 lines
4.4 KiB
ReStructuredText
Raw Blame History

.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.
.. highlight: console
.. iscman:: dnssec-ksr
.. program:: dnssec-ksr
.. _man_dnssec-ksr:
dnssec-ksr - Create signed key response (SKR) files for offline KSK setups
--------------------------------------------------------------------------
Synopsis
~~~~~~~~
:program:`dnssec-ksr` [**-e** date/offset] [**-F**] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-V**] [**-v** level] {command} {zone}
Description
~~~~~~~~~~~
The :program:`dnssec-ksr` can be used to issue several commands that are needed
to generate presigned RRsets for a zone where the private key file of the Key
Signing Key (KSK) is typically offline. This requires Zone Signing Keys
(ZSKs) to be pregenerated, and the DNSKEY, CDNSKEY, and CDS RRsets to be
already signed in advance.
The latter is done by creating Key Signing Requests (KSRs) that can be imported
to the environment where the KSK is available. Once there, this program can
create Signed Key Responses (SKRs) that can be loaded by an authoritative DNS
server.
Options
~~~~~~~
.. option:: -e date/offset
This option sets the end date for which keys or SKRs need to be generated
(depending on the command).
.. option:: -F
This options turns on FIPS (US Federal Information Processing Standards)
mode if the underlying crytographic library supports running in FIPS
mode.
.. option:: -h
This option prints a short summary of the options and arguments to
:program:`dnssec-ksr`.
.. option:: -i date/offset
This option sets the start date for which keys or SKRs need to be generated
(depending on the command).
.. option:: -K directory
This option sets the directory in which the key files are to be read or
written (depending on the command).
.. option:: -k policy
This option sets the specific ``dnssec-policy`` for which keys need to
be generated, or signed.
.. option:: -l file
This option provides a configuration file that contains a ``dnssec-policy``
statement (matching the policy set with :option:`-k`).
.. option:: -V
This option prints version information.
.. option:: -v level
This option sets the debugging level. Level 1 is intended to be usefully
verbose for general users; higher levels are intended for developers.
``command``
The KSR command to be executed. See below for the available commands.
``zone``
The name of the zone for which the KSR command is being executed.
Commands
~~~~~~~~
.. option:: keygen
Pregenerate a number of zone signing keys (ZSKs), given a DNSSEC policy and
an interval. The number of generated keys depends on the interval and the
ZSK lifetime.
.. option:: request
Create a Key Signing Request (KSR), given a DNSSEC policy and an interval.
This will generate a file with a number of key bundles, where each bundle
contains the currently published ZSKs (according to the timing metadata).
.. option:: sign
Sign a Key Signing Request (KSR), given a DNSSEC policy and an interval,
creating a Signed Key Response (SKR). This will add the corresponding DNSKEY,
CDS, and CDNSKEY records for the KSK that is being used for signing.
Exit Status
~~~~~~~~~~~
The :program:`dnssec-ksr` command exits 0 on success, or non-zero if an error
occurred.
Examples
~~~~~~~~
When you need to generate keys for the zone "example.com" for the next year,
given a ``dnssec-policy`` named "mypolicy":
::
dnssec-ksr -i now -e +1y -k mypolicy -l named.conf keygen example.com
Creating a KSR for the same zone and period can be done with:
::
dnssec-ksr -i now -e +1y -k mypolicy -l named.conf request example.com > ksr.txt
Typically you would now transfer the KSR to the system that has access to the KSK.
Signing the KSR created above can be done with:
::
dnssec-ksr -i now -e +1y -k kskpolicy -l named.conf -f ksr.txt sign example.com
Make sure that the DNSSEC parameters in ``kskpolicy`` match those in ``mypolicy``.
See Also
~~~~~~~~
:iscman:`dnssec-keygen(8) <dnssec-keygen>`,
:iscman:`dnssec-signzone(8) <dnssec-signzone>`,
BIND 9 Administrator Reference Manual.
View Git Blame Copy Permalink