Diffstat (limited to 'contrib/bind9/bin/dnssec/dnssec-signkey.html')
-rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-signkey.html | 407 |
1 files changed, 407 insertions, 0 deletions
diff --git a/contrib/bind9/bin/dnssec/dnssec-signkey.html b/contrib/bind9/bin/dnssec/dnssec-signkey.html new file mode 100644 index 000000000000..8cbf1fc736a3 --- /dev/null +++ b/contrib/bind9/bin/dnssec/dnssec-signkey.html 
@@ -0,0 +1,407 @@ +<!-- + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001, 2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-signkey.html,v 1.4.2.1.4.1 2004/03/06 10:21:15 marka Exp $ --> + +<HTML +><HEAD +><TITLE +>dnssec-signkey</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.73 +"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="AEN1" +><SPAN +CLASS="APPLICATION" +>dnssec-signkey</SPAN +></A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN9" +></A +><H2 +>Name</H2 +><SPAN +CLASS="APPLICATION" +>dnssec-signkey</SPAN +> -- DNSSEC key set signing tool</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN13" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>dnssec-signkey</B +> [<TT +CLASS="OPTION" +>-a</TT +>] [<TT +CLASS="OPTION" +>-c <TT +CLASS="REPLACEABLE" +><I +>class</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-s <TT +CLASS="REPLACEABLE" +><I +>start-time</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-e <TT +CLASS="REPLACEABLE" +><I +>end-time</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-h</TT +>] [<TT +CLASS="OPTION" +>-p</TT +>] [<TT +CLASS="OPTION" +>-r <TT 
+CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></TT +>] {keyset} {key...}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN39" +></A +><H2 +>DESCRIPTION</H2 +><P +> <B +CLASS="COMMAND" +>dnssec-signkey</B +> signs a keyset. Typically + the keyset will be for a child zone, and will have been generated + by <B +CLASS="COMMAND" +>dnssec-makekeyset</B +>. The child zone's keyset + is signed with the zone keys for its parent zone. The output file + is of the form <TT +CLASS="FILENAME" +>signedkey-nnnn.</TT +>, where + <TT +CLASS="FILENAME" +>nnnn</TT +> is the zone name. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN46" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-a</DT +><DD +><P +> Verify all generated signatures. + </P +></DD +><DT +>-c <TT +CLASS="REPLACEABLE" +><I +>class</I +></TT +></DT +><DD +><P +> Specifies the DNS class of the key sets. + </P +></DD +><DT +>-s <TT +CLASS="REPLACEABLE" +><I +>start-time</I +></TT +></DT +><DD +><P +> Specify the date and time when the generated SIG records + become valid. This can be either an absolute or relative + time. An absolute start time is indicated by a number + in YYYYMMDDHHMMSS notation; 20000530144500 denotes + 14:45:00 UTC on May 30th, 2000. A relative start time is + indicated by +N, which is N seconds from the current time. + If no <TT +CLASS="OPTION" +>start-time</TT +> is specified, the current + time is used. + </P +></DD +><DT +>-e <TT +CLASS="REPLACEABLE" +><I +>end-time</I +></TT +></DT +><DD +><P +> Specify the date and time when the generated SIG records + expire. As with <TT +CLASS="OPTION" +>start-time</TT +>, an absolute + time is indicated in YYYYMMDDHHMMSS notation. A time relative + to the start time is indicated with +N, which is N seconds from + the start time. A time relative to the current time is + indicated with now+N. 
If no <TT +CLASS="OPTION" +>end-time</TT +> is + specified, 30 days from the start time is used as a default. + </P +></DD +><DT +>-h</DT +><DD +><P +> Prints a short summary of the options and arguments to + <B +CLASS="COMMAND" +>dnssec-signkey</B +>. + </P +></DD +><DT +>-p</DT +><DD +><P +> Use pseudo-random data when signing the zone. This is faster, + but less secure, than using real random data. This option + may be useful when signing large zones or when the entropy + source is limited. + </P +></DD +><DT +>-r <TT +CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></DT +><DD +><P +> Specifies the source of randomness. If the operating + system does not provide a <TT +CLASS="FILENAME" +>/dev/random</TT +> + or equivalent device, the default source of randomness + is keyboard input. <TT +CLASS="FILENAME" +>randomdev</TT +> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <TT +CLASS="FILENAME" +>keyboard</TT +> indicates that keyboard + input should be used. + </P +></DD +><DT +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></DT +><DD +><P +> Sets the debugging level. + </P +></DD +><DT +>keyset</DT +><DD +><P +> The file containing the child's keyset. + </P +></DD +><DT +>key</DT +><DD +><P +> The keys used to sign the child's keyset. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN101" +></A +><H2 +>EXAMPLE</H2 +><P +> The DNS administrator for a DNSSEC-aware <TT +CLASS="USERINPUT" +><B +>.com</B +></TT +> + zone would use the following command to sign the + <TT +CLASS="FILENAME" +>keyset</TT +> file for <TT +CLASS="USERINPUT" +><B +>example.com</B +></TT +> + created by <B +CLASS="COMMAND" +>dnssec-makekeyset</B +> with a key generated + by <B +CLASS="COMMAND" +>dnssec-keygen</B +>: + </P +><P +> <TT +CLASS="USERINPUT" +><B +>dnssec-signkey keyset-example.com. 
Kcom.+003+51944</B +></TT +> + </P +><P +> In this example, <B +CLASS="COMMAND" +>dnssec-signkey</B +> creates + the file <TT +CLASS="FILENAME" +>signedkey-example.com.</TT +>, which + contains the <TT +CLASS="USERINPUT" +><B +>example.com</B +></TT +> keys and the + signatures by the <TT +CLASS="USERINPUT" +><B +>.com</B +></TT +> keys. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN116" +></A +><H2 +>SEE ALSO</H2 +><P +> <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-keygen</SPAN +>(8)</SPAN +>, + <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-makekeyset</SPAN +>(8)</SPAN +>, + <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-signzone</SPAN +>(8)</SPAN +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN128" +></A +><H2 +>AUTHOR</H2 +><P +> Internet Software Consortium + </P +></DIV +></BODY +></HTML +> |
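Review bot: The -p entry in OPTIONS describes the wrong operation: it says "Use pseudo-random data when signing the zone" and "may be useful when signing large zones", but this page documents a tool that signs a child keyset with the parent's zone keys, not a zone. Suggest rewording it to refer to signing the keyset, and keeping the "faster, but less secure" warning prominent, since the signatures produced here are the parent's endorsement of the child's keys. Two smaller documentation points in the same hunk: -e documents the now+N form but -s only documents +N, so the text should say whether now+N is accepted for start-time; and the -r entry says the fallback source of randomness is keyboard input when no /dev/random exists, which deserves a sentence on what that means for unattended or scripted signing runs.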