System Administration Commands                 dnssec-signkey(1M)



NAME
     dnssec-signkey - DNSSEC key set signing tool

SYNOPSIS
     dnssec-signkey [-ahp] [-c class] [-e end-time]
          [-r randomdev] [-s start-time] [-v level] keyset key...


DESCRIPTION
     The dnssec-signkey utility signs  a  keyset.  Typically  the
     keyset will be for a child zone and will have been generated
     by dnssec-makekeyset(1M). The child zone's keyset is  signed
     with  the  zone keys for its parent zone. The output file is
     of the form signedkey-nnnn., where nnnn is the zone name.

OPTIONS
     The following options are supported:

     -a               Verify all generated signatures.


     -c class         Specify the DNS class of the key sets.


     -e end-time      Specify the date and  time  when  the  gen-
                      erated  SIG  records expire. As with start-
                      time, an  absolute  time  is  indicated  in
                      YYYYMMDDHHMMSS notation. A time relative to
                      the start time is indicated with +N,  which
                      is  N  seconds  from the start time. A time
                      relative to the current time  is  indicated
                      with now+N. If no end-time is specified, 30
                      days from the  start  time  is  used  as  a
                      default.


     -h               Prints a short summary of the  options  and
                      arguments to dnssec-signkey().


     -p               Use pseudo-random  data  when  signing  the
                      zone. This is faster, but less secure, than
                      using real random data. This option may  be
                      useful when signing large zones or when the
                      entropy source is limited.


     -r randomdev     Specify the source of  randomness.  If  the
                      operating   system   does   not  provide  a
                      /dev/random  or  equivalent   device,   the
                      default  source  of  randomness is keyboard
                      input. randomdev specifies the  name  of  a
                      character  device or file containing random
                      data to be used instead of the default. The
                      special  value keyboard indicates that key-
                      board input should be used.


     -s start-time    Specify the date and  time  when  the  gen-
                      erated  SIG  records become valid. This can
                      be either an absolute or relative time.  An
                      absolute  start  time  is  indicated  by  a
                      number   in   YYYYMMDDHHMMSS   notation;
                      20000530144500  denotes 14:45:00 UTC on May
                      30th, 2000. A relative start time is  indi-
                      cated  by  +N,  which is N seconds from the
                      current time. If no  start-time  is  speci-
                      fied, the current time is used.


     -v level         Set the debugging level.


OPERANDS
     The following operands are supported:

     key       The keys used to sign the child's keyset.


     keyset    The file containing the child's keyset.


EXAMPLES
     Example 1 Sign the keyset file for example.com.


     The DNS administrator for a DNSSEC-aware .com zone would use
     the   following   command   to  sign  the  keyset  file  for
     example.com created by dnssec-makekeyset  with  a  key  gen-
     erated by dnssec-keygen:


       dnssec-signkey keyset-example.com. Kcom.+003+51944




     In this example, dnssec-signkey creates the file  signedkey-
     example.com,  which  contains  the  example.com keys and the
     signatures by the .com keys.
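
     The following script is an added illustration, not part of the
     original man page or of BIND9. It resolves -s and -e values into
     the SIG validity window using the rules under OPTIONS; the names
     resolve_window and DEFAULT_LIFETIME are hypothetical, and the
     rejection of an end time at or before the start time is the
     script's own check.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(days=30)  # page: default end-time is start + 30 days


def _absolute(spec):
    """Parse an absolute YYYYMMDDHHMMSS value as UTC."""
    if len(spec) != 14 or not spec.isdigit():
        raise ValueError(f"bad time specification: {spec!r}")
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def _offset(digits):
    """Parse the N of +N / now+N as a number of seconds."""
    if not digits.isdigit():
        raise ValueError(f"bad offset: {digits!r}")
    return timedelta(seconds=int(digits))


def resolve_window(start_spec=None, end_spec=None, now=None):
    """Return (start, end) of SIG validity for the given -s / -e values."""
    now = now or datetime.now(timezone.utc)
    # -s: omitted means now, +N counts from the current time
    if start_spec is None:
        start = now
    elif start_spec.startswith("+"):
        start = now + _offset(start_spec[1:])
    else:
        start = _absolute(start_spec)
    # -e: omitted means start + 30 days; +N counts from the START time,
    # now+N counts from the CURRENT time
    if end_spec is None:
        end = start + DEFAULT_LIFETIME
    elif end_spec.startswith("now+"):
        end = now + _offset(end_spec[4:])
    elif end_spec.startswith("+"):
        end = start + _offset(end_spec[1:])
    else:
        end = _absolute(end_spec)
    # This script's own sanity check (assumption, not documented tool behaviour)
    if end <= start:
        raise ValueError("SIG records would expire before they become valid")
    return start, end


if __name__ == "__main__":
    now = datetime(2007, 3, 20, 12, 0, 0, tzinfo=timezone.utc)  # constructed
    for s, e in [(None, None), ("+3600", "+86400"), ("+3600", "now+86400")]:
        print(s, e, *resolve_window(s, e, now))
```

     With a delayed start, -e +N and -e now+N give different expiry
     times, so a window meant to last N seconds must use the +N form.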


ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

           ATTRIBUTE TYPE               ATTRIBUTE VALUE
     Availability                  SUNWbind9
     Interface Stability           External
    


SEE ALSO
     dnssec-keygen(1M),      dnssec-makekeyset(1M),       dnssec-
     signzone(1M), attributes(5)

NOTES
     Source for BIND9 is available in the SUNWbind9S package.

SunOS 5.11          Last change: 20 Mar 2007