DNSSEC-SIGNKEY linux command manual

DNSSEC-SIGNKEY(8)                                      DNSSEC-SIGNKEY(8)

       dnssec-signkey - DNSSEC key set signing tool

       dnssec-signkey  [ -a ]  [ -c class ]  [ -s start-time ]  [ -e end-time
       ]  [ -h ]  [ -p ]  [ -r randomdev ]  [ -v level ]  keyset key...

       dnssec-signkey signs a keyset. Typically the  keyset  will  be  for  a
       child  zone,  and  will  have been generated by dnssec-makekeyset. The
       child zone's keyset is signed with the zone keys for its parent  zone.
       The output file is of the form signedkey-nnnn., where nnnn is the zone

       -a     Verify all generated signatures.

       -c class
              Specifies the DNS class of the key sets.

       -s start-time
              Specify the date and time when the generated SIG records become
              valid.  This  can  be  either  an absolute or relative time. An
              absolute start time is indicated by a number in  YYYYMMDDHHMMSS
              notation;  20000530144500  denotes  14:45:00  UTC  on May 30th,
              2000. A relative start time is indicated by +N, which is N sec-
              onds from the current time.  If no start-time is specified, the
              current time is used.

       -e end-time
              Specify the date  and  time  when  the  generated  SIG  records
              expire.  As  with  start-time, an absolute time is indicated in
              YYYYMMDDHHMMSS notation. A time relative to the start  time  is
              indicated  with  +N,  which is N seconds from the start time. A
              time relative to the current time is indicated with  now+N.  If
              no  end-time  is specified, 30 days from the start time is used
              as a default.

       -h     Prints a short summary of the options and arguments to  dnssec-

       -p     Use  pseudo-random  data when signing the zone. This is faster,
              but less secure, than using real random data. This  option  may
              be  useful  when signing large zones or when the entropy source
              is limited.

       -r randomdev
              Specifies the source of randomness.  If  the  operating  system
              does  not  provide  a  /dev/random  or  equivalent  device, the
              default source of randomness is keyboard input. randomdev spec-
              ifies  the name of a character device or file containing random
              data to be used instead of the default. The special value  key-
              board indicates that keyboard input should be used.

       -v level
              Sets the debugging level.

       keyset The file containing the child's keyset.

       key    The keys used to sign the child's keyset.

       The  DNS administrator for a DNSSEC-aware .com zone would use the fol-
       lowing command to sign the keyset  file  for  example.com  created  by
       dnssec-makekeyset with a key generated by dnssec-keygen:

       dnssec-signkey keyset-example.com. Kcom.+003+51944

       In  this  example,  dnssec-signkey  creates  the  file signedkey-exam-
       ple.com., which contains the example.com keys and  the  signatures  by
       the .com keys.

       dnssec-keygen(8), dnssec-makekeyset(8), dnssec-signzone(8).

       Internet Software Consortium

BIND9                           June 30, 2000               DNSSEC-SIGNKEY(8)