DNSSEC-SIGNKEY(8)                               DNSSEC-SIGNKEY(8)



NAME
       dnssec-signkey - DNSSEC key set signing tool

SYNOPSIS
       dnssec-signkey  [ -a ]  [ -c class ]  [ -s start-time ]  [
       -e end-time ]  [ -h ]  [ -p ]  [  -r  randomdev  ]   [  -v
       level ]  keyset key...

DESCRIPTION
       dnssec-signkey  signs  a keyset. Typically the keyset will
       be for a child zone,  and  will  have  been  generated  by
       dnssec-makekeyset.  The child zone's keyset is signed with
       the zone keys for its parent zone. The output file  is  of
       the form signedkey-nnnn., where nnnn is the zone name.

OPTIONS
       -a     Verify all generated signatures.

       -c class
              Specifies the DNS class of the key sets.

       -s start-time
              Specify  the  date  and time when the generated SIG
              records become valid. This can be either  an  abso-
              lute  or  relative  time. An absolute start time is
              indicated by a number in  YYYYMMDDHHMMSS  notation;
              20000530144500  denotes  14:45:00  UTC on May 30th,
              2000. A relative start time  is  indicated  by  +N,
              which  is  N  seconds from the current time.  If no
              start-time is specified, the current time is  used.

       -e end-time
              Specify  the  date  and time when the generated SIG
              records expire. As  with  start-time,  an  absolute
              time  is  indicated  in  YYYYMMDDHHMMSS notation. A
              time relative to the start time is  indicated  with
              +N,  which is N seconds from the start time. A time
              relative to the  current  time  is  indicated  with
              now+N.  If  no  end-time is specified, 30 days from
              the start time is used as a default.

       -h     Prints a short summary of the options and arguments
              to dnssec-signkey.

       -p     Use  pseudo-random data when signing the zone. This
              is faster, but less secure, than using real  random
              data.  This option may be useful when signing large
              zones or when the entropy source is limited.

       -r randomdev
              Specifies the source of randomness. If the  operat-
              ing system does not provide a /dev/random or equiv-
              alent device, the default source of  randomness  is
              keyboard  input.  randomdev specifies the name of a
              character device or file containing random data  to
              be  used  instead of the default. The special value
              keyboard indicates that keyboard  input  should  be
              used.

       -v level
              Sets the debugging level.

       keyset The file containing the child's keyset.

       key    The keys used to sign the child's keyset.

EXAMPLE
       The  DNS  administrator for a DNSSEC-aware .com zone would
       use the following command to  sign  the  keyset  file  for
       example.com created by dnssec-makekeyset with a key gener-
       ated by dnssec-keygen:

       dnssec-signkey keyset-example.com. Kcom.+003+51944

       In this example, dnssec-signkey creates the  file  signed-
       key-example.com.,  which contains the example.com keys and
       the signatures by the .com keys.

SEE ALSO
       dnssec-keygen(8),    dnssec-makekeyset(8),    dnssec-sign-
       zone(8).

AUTHOR
       Internet Software Consortium



BIND9                     June 30, 2000         DNSSEC-SIGNKEY(8)