Diffstat (limited to 'doc/man/dnssec/dnssec-signkey.8')
-rw-r--r-- | doc/man/dnssec/dnssec-signkey.8 | 75 |
1 files changed, 62 insertions, 13 deletions
diff --git a/doc/man/dnssec/dnssec-signkey.8 b/doc/man/dnssec/dnssec-signkey.8 index 927abd36..415299a3 100644 --- a/doc/man/dnssec/dnssec-signkey.8 +++ b/doc/man/dnssec/dnssec-signkey.8 @@ -1,7 +1,6 @@ -.\" .\" Copyright (C) 2000 Internet Software Consortium. .\" -.\" Permission to use, copy, modify, and distribute this document for any +.\" Permission to use, copy, modify, and distribute this software for any .\" purpose with or without fee is hereby granted, provided that the above .\" copyright notice and this permission notice appear in all copies. .\" @@ -13,9 +12,9 @@ .\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, .\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION .\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.\" $Id: dnssec-signkey.8,v 1.5.2.1 2000/08/02 22:10:12 gson Exp $ -.\" + +.\" $Id: dnssec-signkey.8,v 1.11 2000/11/18 02:57:37 bwelling Exp $ + .Dd Jun 30, 2000 .Dt DNSSEC-SIGNKEY 8 .Os BIND9 9 @@ -26,6 +25,9 @@ .Sh SYNOPSIS .Nm dnssec-signkey .Op Fl h +.Op Fl s Ar start-time +.Op Fl e Ar end-time +.Op Fl c Ar class .Op Fl p .Op Fl r Ar randomdev .Op Fl v Ar level @@ -34,8 +36,8 @@ .Sh DESCRIPTION .Nm dnssec-signkey is used to sign a key set for a child zone. -Typically this would be provided by a -.Ar .keyset +Typically this would be provided by a +.Ar keyset file generated by .Xr dnssec-makekeyset 8 . This provides a mechanism for a DNSSEC-aware zone to sign the keys of @@ -44,14 +46,14 @@ The child zone's key set gets signed with the zone keys for its parent zone. .Ar keyset will be the pathname of the child zone's -.Ar .keyset +.Ar keyset file. Each .Ar keyfile argument will be a key identification string as reported by .Xr dnssec-keygen 8 for the parent zone. -This allows the child's keys to be signed by more than one +This allows the child's keys to be signed by more than one parent zone key. .Pp The 
@@ -61,6 +63,53 @@ option makes print a short summary of its command line options and arguments. .Pp +By default, the validity period of the generated SIG records is copied +from that of the signatures in the input key set. This may be overriden +with the +.Fl s +and +.Fl e +options, both of which must be present if either is. +The start of the validity period is specified with the +.Fl s +option. +.Ar start-time +can either be an absolute or relative date. +An absolute start time is indicated by a number in YYYYMMDDHHMMSS +notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. +A relative start time is supplied when +.Ar start-time +is given as +N: N seconds from the current time. +If no +.Fl s +option is supplied, the current date and time is used for the start +time of the SIG records. +.Pp +The expiry date for the SIG records can be set by the +.Fl e +option. +Note that in this context, the expiry date specifies when the SIG +records are no longer valid, not when they are deleted from caches on name +servers. +.Ar end-date +also represents an absolute or relative date. +YYYYMMDDHHMMSS notation is used as before to indicate an absolute date +and time. +When +.Ar end-date +is +N, +it indicates that the SIG records will expire in N seconds after their +start date. +If +.Ar end-date +is written as now+N, +the SIG records will expire in N seconds after the current time. +.Pp +The +.Fl c +option specifies that the KEY records in the input and output key sets should +have the specified class instead of IN. +.Pp .Nm dnssec-signkey may need random numbers in the process of generating keys. If the system does not have a @@ -104,7 +153,7 @@ The default level is zero. When .Nm dnssec-signkey completes successfully, it generates a file called -.Ar nnnn.signedkey +.Ar signedkey-nnnn. containing the signed keys for child zone .Ar nnnn . The keys from the 
@@ -127,13 +176,13 @@ The DNS administrator for a DNSSEC-aware zone would use the following command to make .Nm dnssec-signkey sign the -.Ar .keyset +.Ar keyset file for .Dv example.com created in the example shown in the man page for .Xr dnssec-makekeyset 8 : .Pp -.Dl # dnssec-signkey example.com.keyset Kcom.+003+51944 +.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944 .Pp where .Dv Kcom.+003+51944 @@ -145,7 +194,7 @@ zone. .Pp .Nm dnssec-signkey will produce a file called -.Dv example.com.signedkey +.Dv signedkey-example.com. which has the keys for .Dv example.com signed by the |
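Review bot: The added text in the @@ -61,6 +63,53 @@ hunk gives three incompatible defaults for the SIG validity period. It first says the period "is copied from that of the signatures in the input key set" and that -s and -e "must be present if either is", but the same paragraph ends with "If no -s option is supplied, the current date and time is used for the start time of the SIG records." Pick the statement that matches the tool's behaviour and drop the other, because an operator cannot tell from this page how long the parent's signature over the child's keys will remain valid. The argument is also called end-time in the SYNOPSIS hunk but .Ar end-date here, and "overriden" should be "overridden".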
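Review bot: The empty lines added around the $Id$ line in the @@ -13,9 +12,9 @@ hunk should stay as .\" comment lines. An empty line in roff source is not a comment; it can be rendered as vertical space ahead of .Dd and is flagged by man page linters, so keep the .\" separators that the removed lines used.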
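Review bot: The trailing dot in ".Ar signedkey-nnnn." (@@ -104,7 +153,7 @@ hunk) reads as sentence punctuation rather than as part of the file name, although the updated example (signedkey-example.com. and keyset-example.com.) shows it belongs to the name. Add a sentence saying that nnnn is the child zone name and that the output file name ends with a dot, so that readers do not strip it when scripting around the file.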