NAME
dnssec-signkey — DNSSEC keyset signing tool
SYNOPSIS
dnssec-signkey [-h] [-p] [-r randomdev] [-v level] keyset keyfile ...
DESCRIPTION
dnssec-signkey is used to sign a key set for a child zone. Typically this key set is provided by a .keyset file generated by the dnssec-makekeyset utility.

This provides a mechanism for a DNSSEC-aware zone to sign the keys of any DNSSEC-aware child zones. The child zone's key set is signed with the zone keys of its parent zone.

keyset is the pathname of the child zone's .keyset file.

Each keyfile argument is a key identification string, as reported by dnssec-keygen, for a key of the parent zone. Supplying more than one keyfile allows the child's keys to be signed by more than one parent zone key.
Options
- -h
This option makes dnssec-signkey print a summary of its command line options and arguments.
- -p
This option instructs dnssec-signkey to use pseudo-random data when signing the keys. This is faster, but less secure than using genuinely random data for signing. This option may be useful when there are many child zone key sets to sign or if the entropy source is limited. It could also be used for short-lived keys and signatures that do not require as much protection against cryptanalysis, such as when the key will be discarded long before it could be compromised.
- -r randomdev
This option overrides the way dnssec-signkey obtains the random numbers it needs. When the system does not have a /dev/random device, dnssec-signkey prompts for keyboard input and uses the time intervals between keystrokes to provide randomness. With this option, it uses randomdev as its source of random data instead.
- -v level
This option makes dnssec-signkey more verbose. As the debugging/tracing level increases, dnssec-signkey generates increasingly detailed reports about what it is doing. The default level is zero.
When dnssec-signkey completes successfully, it generates a file called nnnn.signedkey containing the signed keys for child zone nnnn. The keys from the keyset file will have been signed by the parent zone's key or keys that were supplied as keyfile arguments.

This file should be sent to the DNS administrator of the child zone, who arranges for its contents to be incorporated into the zone file when it next gets signed with dnssec-signzone. A copy of the generated signedkey file should be kept by the parent zone's DNS administrator, since it will be needed when signing the parent zone.
EXAMPLE
The DNS administrator for a DNSSEC-aware .com zone would use the following command to make dnssec-signkey sign the .keyset file for example.com created in the example shown in the man page for dnssec-makekeyset:

    dnssec-signkey example.com.keyset Kcom.+003+51944

where Kcom.+003+51944 is the key file identifier that was produced when dnssec-keygen generated a key for the .com zone. dnssec-signkey will produce a file called example.com.signedkey, which has the keys for example.com signed by the com zone's zone key.
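As an added example (not part of this man page or of the BIND tools), a POSIX sh wrapper that refuses to invoke dnssec-signkey unless every keyfile identifier of the form Kzone.+alg+tag names the parent of the child zone given by the .keyset filename, so that a key from the wrong zone is never used to sign the child's key set. The helper function names, the keyset path layout and the parent check are this example's own.

```shell
#!/bin/sh
# Added example (not from the BIND man page): run dnssec-signkey only if every
# key identifier (Kzone.+alg+tag, as printed by dnssec-keygen) belongs to the
# parent of the child zone named by the .keyset file. Helper names are this example's own.

# Remove a trailing dot from a zone name: "com." -> "com"
strip_dot() { printf '%s\n' "${1%.}"; }

# Parent of a zone: "example.com" -> "com"; a TLD's parent is the root, printed as "".
parent_zone() {
    z=$(strip_dot "$1")
    case "$z" in
        *.*) printf '%s\n' "${z#*.}" ;;
        *)   printf '\n' ;;
    esac
}

# Zone named by a key identifier: "Kcom.+003+51944" -> "com"
key_zone() {
    id="${1#K}"      # drop the leading K
    id="${id%+*}"    # drop "+51944" (key tag)
    id="${id%+*}"    # drop "+003" (algorithm number)
    strip_dot "$id"
}

# Child zone named by a keyset path: "/keys/example.com.keyset" -> "example.com"
keyset_zone() {
    base="${1##*/}"
    strip_dot "${base%.keyset}"
}

# Succeed only if every key identifier after the keyset names the child's parent.
check_parent_keys() {
    child=$(keyset_zone "$1"); shift
    parent=$(parent_zone "$child")
    for k in "$@"; do
        if [ "$(key_zone "$k")" != "$parent" ]; then
            echo "refusing to sign $child.keyset: $k is not a key of zone '$parent'" >&2
            return 1
        fi
    done
    return 0
}

# Run the tool only after the check passes; takes the same arguments as dnssec-signkey.
sign_child_keyset() { check_parent_keys "$@" && dnssec-signkey "$@"; }

# Usage: sh signkey-check.sh example.com.keyset Kcom.+003+51944
if [ "$#" -gt 0 ]; then sign_child_keyset "$@"; fi
```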