From: Jelte Jansen Date: Mon, 19 May 2008 22:25:35 +0000 (+0000) Subject: engine use and key generation documented X-Git-Tag: release-1.3.0~42 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d4105b50378aebf4e699bd370a8d34174f5e7531;p=thirdparty%2Fldns.git engine use and key generation documented --- diff --git a/examples/ldns-signzone.1 b/examples/ldns-signzone.1 index 417a76d7..8e434666 100644 --- a/examples/ldns-signzone.1 +++ b/examples/ldns-signzone.1 @@ -17,12 +17,17 @@ KEY \fBldns-signzone\fR is used to generate a DNSSEC signed zone. When run it will create a new zonefile that contains RRSIG and NSEC resource records, as -specified in RFC 4033, RFC 4034 and RFC 4035. It will add the DNSKEY(s) -that is/are used to sign the zone. +specified in RFC 4033, RFC 4034 and RFC 4035. -Keys must be specified by their base name (i.e. without .key and .private) -and both the public and private key must be present in the specified -location. Multiple keys can be specified. +Keys must be specified by their base name (i.e. without .private). If +the DNSKEY that belongs to the key in the .private file is not present +in the zone, it will be read from the file .key. If that +file does not exist, the DNSKEY value will be generated from the +private key. + +Multiple keys can be specified, Key Signing Keys are used as such when +they are either already present in the zone, or specified in a .key +file, and have the KSK bit set. .SH OPTIONS .TP @@ -41,11 +46,12 @@ YYYYMMDD[hhmmss], or a timestamp. .TP \fB-l\fR -Leave old DNSSEC RRSIGS and NSEC records intact (by default, they are removed from the zone) +Leave old DNSSEC RRSIGS and NSEC records intact (by default, they are +removed from the zone) .TP \fB-o\fR \fIorigin\fR -Use this as the origin of the zone, if it cannot be read from the zonefile +Use this as the origin of the zone .TP \fB-v\fR 
@@ -53,16 +59,73 @@ Print the version and exit .TP \fB-E\fR \fIname\fR -Use the EVP cryptographic engine with the given name for signing. This can have some extra options; see ENGINE OPTIONS for more information. - +Use the EVP cryptographic engine with the given name for signing. This +can have some extra options; see ENGINE OPTIONS for more information. .TP \fB-k\fR \fIid,int\fR -Use the key with the given id as the signing key for algorithm int as a Zone signing key. +Use the key with the given id as the signing key for algorithm int as +a Zone signing key. This option is used when you use an OpenSSL +engine, see ENGINE OPTIONS for more information. .TP \fB-K\fR \fIid,int\fR -Use the key with the given id as the signing key for algorithm int as a Key signing key. + +Use the key with the given id as the signing key for algorithm int as +a Key signing key. This options is used when you ue an OpenSSL engine, +see ENGINE OPTIONS for more information. + +.TP +\fB-n\fR +Use NSEC3 instead of NSEC. + +.TP +If you use NSEC3, you can specify the following extra options: + +.TP +\fB-a\fR \fIalgorithm\fR +Algorithm used to create the hashed NSEC3 owner names + +.TP +\fB-t\fR \fInumber\fR +Number of hash iterations + +.TP +\fB-s\fR \fIstring\fR +Salt + +.SH ENGINE OPTIONS +You can modify the possible engines, if supported, by setting an +OpenSSL configuration file. This is done through the environment +variable OPENSSL_CONF. If you use -E with a non-existent engine name, +ldns-signzone will print a list of engines supported by your +configuration. + +The key options (-k and -K) work as follows; you specify a key id, and a DNSSEC algorithm number (for instance, 5 for RSASHA1). The key id can be any of the following: + + + : + id_ + slot_-id_ + label_
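Review bot: In the first hunk (DESCRIPTION), the new paragraph leaves the KSK/ZSK rule ambiguous for the third case it introduces: a key whose DNSKEY is neither in the zone nor in a .key file gets its DNSKEY "generated from the private key", but the flags field cannot be recovered from a private key, so such a key can only ever be treated as a Zone Signing Key. Say that explicitly, e.g. "A key whose DNSKEY has to be generated from the .private file is always used as a Zone Signing Key; keep the .key file if the key must act as a KSK." Also restore some form of the removed sentence "It will add the DNSKEY(s) that is/are used to sign the zone", since the reader now cannot tell whether a generated or file-read DNSKEY is written into the signed zone, and split the comma splice "Multiple keys can be specified, Key Signing Keys are used as such when ..." into two sentences.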
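Review bot: In the second hunk, the -o description drops the condition "if it cannot be read from the zonefile" without replacing it, so it is no longer clear whether -o overrides an origin present in the zone file or only supplies one when the file has none. Either keep the original qualifier or state the precedence, e.g. "Use this as the origin of the zone, overriding any origin read from the zonefile."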
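Review bot: In the third hunk, two troff problems will break the rendered man page: the blank line inserted between ".TP" and "\fB-K\fR \fIid,int\fR" makes the option tag render as an empty paragraph label, and the ".TP" placed before "If you use NSEC3, you can specify the following extra options:" turns that sentence into a tag rather than a paragraph; remove the blank line and use ".PP" for the sentence. Fix the typos "This options is used when you ue an OpenSSL engine" to "This option is used when you use an OpenSSL engine". The ENGINE OPTIONS key-id list ends with entries that have no text in front of the separators (a bare ":", then "id_", "slot_-id_", "label_"), so the reader cannot see which identifier forms are accepted; each form needs its full spelling and a one-line description, and the -s salt option should state the encoding it expects (for instance whether the value is given as hex).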