DNSSEC-SIGNKEY linux command manual

DNSSEC-SIGNKEY(8)					    DNSSEC-SIGNKEY(8)



NAME
       dnssec-signkey - DNSSEC key set signing tool

SYNOPSIS
       dnssec-signkey  [ -a ]  [ -c class ]  [ -s start-time ]  [ -e end-time ]
       [ -h ]  [ -p ]  [ -r randomdev ]  [ -v level ]  keyset key...

DESCRIPTION
       dnssec-signkey signs a keyset. Typically the  keyset  will  be  for  a
       child  zone,  and  will	have been generated by dnssec-makekeyset. The
       child zone's keyset is signed with the zone keys for its parent	zone.
       The output file is of the form signedkey-nnnn., where nnnn is the zone
       name.

OPTIONS
       -a     Verify all generated signatures.

       -c class
	      Specifies the DNS class of the key sets.

       -s start-time
	      Specify the date and time when the generated SIG records become
	      valid.  This  can	 be  either  an absolute or relative time. An
	      absolute start time is indicated by a number in  YYYYMMDDHHMMSS
	      notation;	 20000530144500	 denotes  14:45:00  UTC	 on May 30th,
	      2000. A relative start time is indicated by +N, which is N seconds
	      from the current time.  If no start-time is specified, the
	      current time is used.

       -e end-time
	      Specify the date	and  time  when	 the  generated	 SIG  records
	      expire.  As  with	 start-time, an absolute time is indicated in
	      YYYYMMDDHHMMSS notation. A time relative to the start  time  is
	      indicated	 with  +N,  which is N seconds from the start time. A
	      time relative to the current time is indicated with  now+N.  If
	      no  end-time  is specified, 30 days from the start time is used
	      as a default.

       -h     Prints a short summary of the options and arguments to
	      dnssec-signkey.

       -p     Use  pseudo-random  data when signing the zone. This is faster,
	      but less secure, than using real random data. This  option  may
	      be  useful  when signing large zones or when the entropy source
	      is limited.

       -r randomdev
	      Specifies the source of randomness.  If  the  operating  system
	      does  not	 provide  a  /dev/random  or  equivalent  device, the
	      default source of randomness is keyboard input. randomdev
	      specifies the name of a character device or file containing
	      random data to be used instead of the default. The special
	      value keyboard indicates that keyboard input should be used.

       -v level
	      Sets the debugging level.

       keyset The file containing the child's keyset.

       key    The keys used to sign the child's keyset.

EXAMPLE
       The DNS administrator for a DNSSEC-aware .com zone would use the
       following command to sign the keyset file for example.com created by
       dnssec-makekeyset with a key generated by dnssec-keygen:

       dnssec-signkey keyset-example.com. Kcom.+003+51944

       In this example, dnssec-signkey creates the file
       signedkey-example.com., which contains the example.com keys and the
       signatures by the .com keys.
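
       The time forms accepted by -s and -e, resolved into a concrete
       validity window. This Python code is an added example, not part of
       BIND or the original manual; the function names are hypothetical, and
       the end-before-start check is a sanity check assumed here, not
       documented dnssec-signkey behaviour.

```python
import re
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(days=30)   # -e default stated in the manual
ABSOLUTE = re.compile(r"\d{14}")        # YYYYMMDDHHMMSS, read as UTC

def _absolute(spec):
    # strptime also rejects impossible dates such as month 13
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def resolve_start(spec, now):
    """-s: absolute time, +N seconds from now, or the current time if omitted."""
    if spec is None:
        return now
    if ABSOLUTE.fullmatch(spec):
        return _absolute(spec)
    m = re.fullmatch(r"\+(\d+)", spec)
    if m:
        return now + timedelta(seconds=int(m.group(1)))
    raise ValueError(f"bad start-time: {spec!r}")

def resolve_end(spec, start, now):
    """-e: absolute, +N from the START time, now+N from the current time."""
    if spec is None:
        return start + DEFAULT_LIFETIME
    if ABSOLUTE.fullmatch(spec):
        return _absolute(spec)
    m = re.fullmatch(r"(now)?\+(\d+)", spec)
    if m:
        base = now if m.group(1) else start
        return base + timedelta(seconds=int(m.group(2)))
    raise ValueError(f"bad end-time: {spec!r}")

def validity_window(start_spec, end_spec, now):
    """Return (inception, expiration); the ordering check is an added sanity check."""
    start = resolve_start(start_spec, now)
    end = resolve_end(end_spec, start, now)
    if end <= start:
        raise ValueError("SIG records would expire before they become valid")
    return start, end

if __name__ == "__main__":
    now = datetime(2000, 5, 30, 14, 45, 0, tzinfo=timezone.utc)  # constructed clock
    for s, e in [(None, None), ("+3600", "+7200"), ("+3600", "now+7200")]:
        print(s, e, validity_window(s, e, now))
```

       With a start time in the future, "+N" and "now+N" for -e give
       different expiry times; "-s +3600 -e now+1800" would place expiry
       before inception.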

SEE ALSO
       dnssec-keygen(8), dnssec-makekeyset(8), dnssec-signzone(8).

AUTHOR
       Internet Software Consortium



BIND9				June 30, 2000		    DNSSEC-SIGNKEY(8)