dnssec-signkey Command
Purpose
Domain name system security extensions (DNSSEC) key set signing tool.
Syntax
dnssec-signkey [-a] [-c class] [-s start-time] [-e end-time] [-h] [-p] [-r randomdev] [-v level] keyset key
Description
The dnssec-signkey command signs a key set. Typically the key set is for a child zone, and is generated by the dnssec-makekeyset command. The child zone's key set is signed with the zone keys for its parent zone. The output file is of the form signedkey-nnnn., where nnnn is the zone name.
Flags
Item | Description |
---|---|
-a | Verify all generated signatures. |
-c class | Specifies the DNS class of the key sets. |
-s start-time | Specifies the date and time when the generated SIG records become valid. It can be either an absolute or a relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time is used. |
-e end-time | Specifies the date and time when the generated SIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no end-time is specified, 30 days from the start time is used as the default. |
-h | Prints a short summary of the options and arguments to the dnssec-signkey command. |
-p | Use pseudo-random data when you sign the zone. It is faster, but less secure, than using real random data. This option might be useful when you sign large zones or when the entropy source is limited. |
-r randomdev | Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomdev specifies the name of a character device or file that contains random data to be used instead of the default. The special value keyboard indicates that keyboard input must be used. |
-v level | Sets the debugging level. |
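The -s and -e rules above determine the SIG inception and expiration that the signer records. The following added example (not part of the AIX manual or of the dnssec-signkey program) models those rules so an operator can predict the validity window before signing; the refusal of a window whose expiration is not later than its inception is an added sanity check, not documented behaviour of the command.

```python
# Added example: models the -s start-time / -e end-time semantics of
# dnssec-signkey (absolute YYYYMMDDHHMMSS, +N relative, now+N, defaults).
# `now` is passed in explicitly so the window is reproducible and testable.
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(days=30)   # used when no -e end-time is given

def parse_absolute(value):
    """YYYYMMDDHHMMSS in UTC, e.g. 20000530144500 -> 2000-05-30 14:45:00Z."""
    if len(value) != 14 or not value.isdigit():
        raise ValueError(f"not an absolute YYYYMMDDHHMMSS time: {value!r}")
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def resolve_start(start_time, now):
    """-s: absolute time, +N seconds from the current time, or now if omitted."""
    if start_time is None:
        return now
    if start_time.startswith("+"):
        return now + timedelta(seconds=int(start_time[1:]))
    return parse_absolute(start_time)

def resolve_end(end_time, start, now):
    """-e: absolute time, +N seconds from the start time, now+N seconds from
    the current time, or start + 30 days if omitted."""
    if end_time is None:
        return start + DEFAULT_LIFETIME
    if end_time.startswith("now+"):
        return now + timedelta(seconds=int(end_time[4:]))
    if end_time.startswith("+"):
        return start + timedelta(seconds=int(end_time[1:]))
    return parse_absolute(end_time)

def validity_window(start_time=None, end_time=None, now=None):
    """Return (inception, expiration) for the given -s/-e arguments.
    The end-after-start check is an assumption added here for safety."""
    now = now or datetime.now(timezone.utc)
    start = resolve_start(start_time, now)
    end = resolve_end(end_time, start, now)
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    return start, end

if __name__ == "__main__":
    # Constructed input: sign on 2000-05-30 14:45:00 UTC with default lifetime.
    inception, expiration = validity_window("20000530144500")
    print(inception.isoformat(), "->", expiration.isoformat())
```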
Parameters
Item | Description |
---|---|
keyset | The file that contains the child's key set. |
key | The keys that are used to sign the child's key set. |
Examples
The DNS administrator for a DNSSEC-aware .com zone uses the following command to sign the key set file for example.com created by the dnssec-makekeyset command with a key generated by the dnssec-keygen command:
dnssec-signkey keyset-example.com. Kcom.+003+51944
In this example, dnssec-signkey creates the file signedkey-example.com., which contains the example.com keys and the signatures by the .com keys.