# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-# $Id: Makefile.in,v 1.17 2001/02/04 15:52:38 bwelling Exp $
+# $Id: Makefile.in,v 1.18 2001/03/30 22:50:20 bwelling Exp $
srcdir = @srcdir@
VPATH = @srcdir@
dnssec-signkey.8 \
dnssec-signzone.8
+HTMLPAGES = dnssec-keygen.html \
+ dnssec-makekeyset.html \
+ dnssec-signkey.html \
+ dnssec-signzone.html
+
+MANOBJS = ${MANPAGES} ${HTMLPAGES}
+
@BIND9_MAKE_RULES@
dnssec-keygen: dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
dnssec-signzone: dnssec-signzone.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL} ${PURIFY} ${CC} ${CFLAGS} -o $@ dnssec-signzone.@O@ ${OBJS} ${LIBS}
-clean distclean::
- rm -f ${TARGETS}
+doc man:: ${MANOBJS}
+
+docclean manclean maintainer-clean::
+ rm -f ${MANOBJS}
installdirs:
$(SHELL) ${top_srcdir}/mkinstalldirs ${DESTDIR}${sbindir}
install:: ${TARGETS} installdirs
for t in ${TARGETS}; do ${LIBTOOL} ${INSTALL_PROGRAM} $$t ${DESTDIR}${sbindir}; done
for m in ${MANPAGES}; do ${INSTALL_DATA} $$m ${DESTDIR}${mandir}/man8; done
+
+clean distclean::
+ rm -f ${TARGETS}
+
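Review bot: The new `docclean manclean maintainer-clean::` rule removes `${MANOBJS}`, which includes the `.8` pages that the unchanged `install::` loop copies, yet `install::` still depends only on `${TARGETS} installdirs`, so after `make manclean` an install runs the copy loop against missing pages instead of rebuilding them first. If the intent is that `man` regenerates them through the rules pulled in by `@BIND9_MAKE_RULES@` (not visible in this hunk), `install:: ${TARGETS} ${MANPAGES} installdirs` would make that explicit; if the pages are meant to stay checked in, a comment on `manclean` such as `# removes generated pages that install:: copies; rerun 'make man' before installing` would avoid the surprise. The new `doc man:: ${MANOBJS}` target also produces `${HTMLPAGES}` that nothing in this file installs, which looks deliberate but deserves a one-line comment. Hunk headers are not shown here, so the surrounding rules may extend outside this view.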
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.TH "DNSSEC-KEYGEN" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-keygen \- DNSSEC key generation tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-keygen\fR \fB-a \fIalgorithm\fB\fR \fB-b \fIkeysize\fB\fR \fB-n \fInametype\fB\fR [ \fB-c \fIclass\fB\fR ] [ \fB-e\fR ] [ \fB-g \fIgenerator\fB\fR ] [ \fB-h\fR ] [ \fB-p \fIprotocol\fB\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-s \fIstrength\fB\fR ] [ \fB-t \fItype\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBname\fR
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-keygen\fR generates keys for DNSSEC
+(Secure DNS), as defined in RFC 2535. It can also generate
+keys for use with TSIG (Transaction Signatures), as
+defined in RFC 2845.
+.SH "OPTIONS"
+.TP
+\fB-a \fIalgorithm\fB\fR
+Selects the cryptographic algorithm. The value of
+\fBalgorithm\fR must be one of RSAMD5 or RSA,
+DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+are case insensitive.
-.\" $Id: dnssec-keygen.8,v 1.12 2001/01/09 21:47:21 bwelling Exp $
-
-.Dd Jun 30, 2000
-.Dt DNSSEC-KEYGEN 8
-.Os BIND9 9
-.ds vT BIND9 Programmer's Manual
-.Sh NAME
-.Nm dnssec-keygen
-.Nd key generation tool for DNSSEC
-.Sh SYNOPSIS
-.Nm dnssec-keygen
-.Fl a Ar algorithm
-.Fl b Ar keysize
-.Op Fl c Ar class
-.Op Fl e
-.Op Fl g Ar generator
-.Op Fl h
-.Fl n Ar nametype
-.Op Fl p Ar protocol-value
-.Op Fl r Ar randomdev
-.Op Fl s Ar strength-value
-.Op Fl t Ar type
-.Op Fl v Ar level
-.Ar name
-.Sh DESCRIPTION
-.Nm dnssec-keygen
-generates keys for DNSSEC, Secure DNS, as defined in RFC2535.
-It also generates keys for use in Transaction Signatures, TSIG, which
-is defined in RFC2845.
-.Pp
-A short summary of the options and arguments to
-.Nm dnssec-keygen
-is printed by the
-.Fl h
-(help) option.
-.Pp
-The
-.Fl a ,
-.Fl b ,
-and
-.Fl n
-options and their arguments must be supplied when generating keys.
-The domain name that the key has to be generated for is given by
-.Ar name .
-.Pp
-The choice of encryption algorithm is selected by the
-.Fl a
-option to
-.Nm dnssec-keygen .
-.Ar algorithm
-must be one of
-.Dv RSAMD5 ,
-.Dv DH ,
-.Dv DSA
-or
-.Dv HMAC-MD5
-to indicate that an RSA, Diffie-Hellman, Digital Signature
-Algorithm or HMAC-MD5 key is required.
-An argument of
-.Dv RSA
-can also be given, which is equivalent to
-.Dv RSAMD5 .
-The argument identifying the encryption algorithm is case-insensitive.
-DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
-Implementations of TSIG must support HMAC-MD5.
-.Pp
-The number of bits in the key is determined by the
-.Ar keysize
-argument following the
-.Fl b
-option.
-The choice of key size depends on the algorithm that is used.
-RSA keys must be between 512 and 2048 bits.
-Diffie-Hellman keys must be between 128 and 4096 bits.
-For DSA, the key size must be between 512 and 1024 bits and a multiple
-of 64.
-The length of an HMAC-MD5 key can be between 1 and 512 bits.
-.Pp
-The
-.Fl n
-option specifies how the generated key will be used.
-.Ar nametype
-can be either
-.Dv ZONE ,
-.Dv HOST ,
-.Dv ENTITY ,
-or
-.Dv USER
-to indicate that the key will be used for signing a zone, host,
-entity or user respectively.
-In this context
-.Dv HOST
-and
-.Dv ENTITY
-are identical.
-.Ar nametype
-is case-insensitive.
-.Pp
-The
-.Fl c
-option specifies that the when creating a KEY record, the specified class
-should be used instead of IN.
-.Pp
-The
-.Fl e
-option can only be used when generating RSA keys.
-It tells
-.Nm dnssec-keygen
-to use a large exponent.
-When creating Diffie-Hellman keys, the
-.Fl g
-option selects the Diffie-Hellman generator
-.Ar generator
-that is to be used.
-The only supported values value of
-.Ar generator
-are 2 and 5.
-If no Diffie-Hellman generator is supplied, a known prime
-from RFC2539 will be used if possible; otherwise 2 will be used as the
-generator.
-.Pp
-The
-.Fl p
-option sets the protocol value for the generated key to
-.Ar protocol-value .
-The default is 2 (email) for keys of type
-.Dv USER
-and 3 (DNSSEC) for all other key types.
-Other possible values for this argument are listed in RFC2535 and its
-successors.
-.Pp
-.Nm dnssec-keygen
-uses random numbers to seed the process
-of generating keys.
-If the system does not have a
-.Pa /dev/random
-device that can be used for generating random numbers,
-.Nm dnssec-keygen
-will prompt for keyboard input and use the time intervals between
-keystrokes to provide randomness.
-The
-.Fl r
-option overrides this behaviour, making
-.Nm dnssec-keygen
-use
-.Ar randomdev
-as a source of random data.
-.Pp
-The key's strength value can be set with the
-.Fl s
-option.
-The generated key will sign DNS resource records
-with a strength value of
-.Ar strength-value .
-It should be a number between 0 and 15.
-The default strength is zero.
-The key strength field currently has no defined purpose in DNSSEC.
-.Pp
-The
-.Fl t
-option indicates if the key is to be used for authentication or
-confidentiality.
-.Ar type
-can be one of
-.Dv AUTHCONF ,
-.Dv NOAUTHCONF ,
-.Dv NOAUTH
-or
-.Dv NOCONF .
-The default is
-.Dv AUTHCONF .
-If type is
-.Dv AUTHCONF
-the key can be used for authentication and confidentialty.
-Setting
-.Ar type
-to
-.Dv NOAUTHCONF
-indicates that the key cannot be used for authentication or confidentialty.
-A value of
-.Dv NOAUTH
-means the key can be used for confidentiality but not for
-authentication.
-Similarly,
-.Dv NOCONF
-defines that the key cannot be used for confidentiality though it can
-be used for authentication.
-.Pp
-The
-.Fl v
-option can be used to make
-.Nm dnssec-keygen
-more verbose.
-As the debugging/tracing level
-.Ar level
-increases,
-.Nm dnssec-keygen
-generates increasingly detailed reports about what it is doing.
-The default level is zero.
-.Sh GENERATED KEYS
-When
-.Nm dnssec-keygen
-completes it prints a string of the form
-.Ar Knnnn.+aaa+iiiii
-on the standard output.
-This is an identification string for the key it has generated.
-These strings can be supplied as arguments to
-.Xr dnssec-makekeyset 8 .
-.Pp
-The
-.Ar nnnn.
-part is the dot-terminated domain name given by
-.Ar name .
-The DNSSEC algorithm identifier is indicated by
-.Ar aaa -
-001 for RSA, 002 for Diffie-Hellman, 003 for DSA or 157 for HMAC-MD5.
-.Ar iiiii
-is a five-digit number identifying the key.
-.Pp
-.Nm dnssec-keygen
-creates two files.
-The file names are adapted from the key identification string above.
-They have names of the form:
-.Ar Knnnn.+aaa+iiiii.key
-and
-.Ar Knnnn.+aaa+iiiii.private .
-These contain the public and private parts of the key respectively.
-The files generated by
-.Nm dnssec-keygen
-obey this naming convention to
-make it easy for the signing tool
-.Xr dnssec-signzone 8
-to identify which file(s) have to be read to find the necessary
-key(s) for generating or validating signatures.
-.Pp
-The
-.Ar .key
-file contains a KEY resource record that can be inserted into a zone file
-with a
-.Dv $INCLUDE
-statement.
-The private part of the key is in the
-.Ar .private
-file.
-It contains details of the encryption algorithm that was used and any
-relevant parameters: prime number, exponent, modulus, subprime, etc.
-For obvious security reasons, this file does not have general read
-permission.
-The private part of the key is used by
-.Xr dnssec-signzone 8
-to generate signatures and the public part is used to verify the
-signatures.
-Both
-.Ar .key
-and
-.Ar .private
-key files are generated for symmetric encryption algorithm such as
+Note that for DNSSEC, DSA is a mandatory to implement algorithm,
+and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+.TP
+\fB-b \fIkeysize\fB\fR
+Specifies the number of bits in the key. The choice of key
+size depends on the algorithm used. RSA keys must be between
+512 and 2048 bits. Diffie Hellman keys must be between
+128 and 4096 bits. DSA keys must be between 512 and 1024
+bits and an exact multiple of 64. HMAC-MD5 keys must be
+between 1 and 512 bits.
+.TP
+\fB-n \fInametype\fB\fR
+Specifies the owner type of the key. The value of
+\fBnametype\fR must either be ZONE (for a DNSSEC
+zone key), HOST or ENTITY (for a key associated with a host),
+or USER (for a key associated with a user). These values are
+case insensitive.
+.TP
+\fB-c \fIclass\fB\fR
+Indicates that the DNS record containing the key should have
+the specified class. If not specified, class IN is used.
+.TP
+\fB-e\fR
+If generating an RSA key, use a large exponent.
+.TP
+\fB-g \fIgenerator\fB\fR
+If generating a Diffie Hellman key, use this generator.
+Allowed values are 2 and 5. If no generator
+is specified, a known prime from RFC 2539 will be used
+if possible; otherwise the default is 2.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-keygen\fR.
+.TP
+\fB-p \fIprotocol\fB\fR
+Sets the protocol value for the generated key. The protocol
+is a number between 0 and 255. The default is 2 (email) for
+keys of type USER and 3 (DNSSEC) for all other key types.
+Other possible values for this argument are listed in
+RFC 2535 and its successors.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-s \fIstrength\fB\fR
+Specifies the strength value of the key. The strength is
+a number between 0 and 15, and currently has no defined
+purpose in DNSSEC.
+.TP
+\fB-t \fItype\fB\fR
+Indicates the use of the key. \fBtype\fR must be
+one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+is AUTHCONF. AUTH refers to the ability to authenticate
+data, and CONF the ability to encrypt data.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.SH "GENERATED KEYS"
+.PP
+When \fBdnssec-keygen\fR completes successfully,
+it prints a string of the form \fIKnnnn.+aaa+iiiii\fR
+to the standard output. This is an identification string for
+the key it has generated. These strings can be used as arguments
+to \fBdnssec-makekeyset\fR.
+.PP
+\fInnnn\fR is the key name.
+.PP
+\fIaaa\fR is the numeric representation of the algorithm.
+.PP
+\fIiiiii\fR is the key identifier (or footprint).
+.PP
+\fBdnssec-keygen\fR creates two file, with names based
+on the printed string. \fIKnnnn.+aaa+iiiii.key\fR
+contains the public key, and
+\fIKnnnn.+aaa+iiiii.private\fR contains the private
+key.
+.PP
+The \fI.key\fR file contains a DNS KEY record that
+can be inserted into a zone file (directly or with a $INCLUDE
+statement).
+.PP
+The \fI.private\fR file contains algorithm specific
+fields. For obvious security reasons, this file does not have
+general read permission.
+.PP
+Both \fI.key\fR and \fI.private\fR
+files are generated for symmetric encryption algorithm such as
HMAC-MD5, even though the public and private key are equivalent.
-.Sh EXAMPLE
+.SH "EXAMPLE"
+.PP
To generate a 768-bit DSA key for the domain
-.Dv example.com ,
-the following command would be issued:
-.Pp
-.Dl # dnssec-keygen -a DSA -b 768 -n ZONE example.com
-.Dl Kexample.com.+003+26160
-.Pp
-.Nm dnssec-keygen
-has printed the key identification string
-.Dv Kexample.com.+003+26160 ,
-indicating a DSA key with identifier 26160.
-It will also have created the files
-.Pa Kexample.com.+003+26160.key
-and
-.Pa Kexample.com.+003+26160.private
-containing respectively the public and private keys for the generated
-DSA key.
-.Sh FILES
-.Pa /dev/random
-.Sh SEE ALSO
-.Xr RFC2535,
-.Xr RFC2845,
-.Xr RFC2539,
-.Xr dnssec-makekeyset 8 ,
-.Xr dnssec-signkey 8 ,
-.Xr dnssec-signzone 8 .
-.Sh BUGS
-The naming convention for the public and private key files is a little
-clumsy.
-It won't work for domain names that are longer than 236 characters
-because of the
-.Ar .+aaa+iiiii.private
-suffix results in filenames that are too long for most
-.Ux
-systems.
+\fBexample.com\fR, the following command would be
+issued:
+.PP
+\fBdnssec-keygen -a DSA -b 768 -n ZONE example.com\fR
+.PP
+The command would print a string of the form:
+.PP
+\fBKexample.com.+003+26160\fR
+.PP
+In this example, \fBdnssec-keygen\fR creates
+the files \fIKexample.com.+003+26160.key\fR and
+\fIKexample.com.+003+26160.private\fR
+.SH "SEE ALSO"
+.PP
+\fBdnssec-makekeyset\fR(8),
+\fBdnssec-signkey\fR(8),
+\fBdnssec-signzone\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR,
+\fIRFC 2845\fR,
+\fIRFC 2539\fR.
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
--- /dev/null
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-keygen</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-keygen</application></refname>
+ <refpurpose>DNSSEC key generation tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-keygen</command>
+ <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
+ <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
+ <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-e</option></arg>
+ <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
+ <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
+ <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg choice="req">name</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>dnssec-keygen</command> generates keys for DNSSEC
+ (Secure DNS), as defined in RFC 2535. It can also generate
+ keys for use with TSIG (Transaction Signatures), as
+ defined in RFC 2845.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a <replaceable class="parameter">algorithm</replaceable></term>
+ <listitem>
+ <para>
+ Selects the cryptographic algorithm. The value of
+ <option>algorithm</option> must be one of RSAMD5 or RSA,
+ DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+ are case insensitive.
+ </para>
+ <para>
+ Note that for DNSSEC, DSA is a mandatory to implement algorithm,
+ and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-b <replaceable class="parameter">keysize</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the number of bits in the key. The choice of key
+ size depends on the algorithm used. RSA keys must be between
+ 512 and 2048 bits. Diffie Hellman keys must be between
+ 128 and 4096 bits. DSA keys must be between 512 and 1024
+ bits and an exact multiple of 64. HMAC-MD5 keys must be
+ between 1 and 512 bits.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-n <replaceable class="parameter">nametype</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the owner type of the key. The value of
+ <option>nametype</option> must either be ZONE (for a DNSSEC
+ zone key), HOST or ENTITY (for a key associated with a host),
+ or USER (for a key associated with a user). These values are
+ case insensitive.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-e</term>
+ <listitem>
+ <para>
+ If generating an RSA key, use a large exponent.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-g <replaceable class="parameter">generator</replaceable></term>
+ <listitem>
+ <para>
+ If generating a Diffie Hellman key, use this generator.
+ Allowed values are 2 and 5. If no generator
+ is specified, a known prime from RFC 2539 will be used
+ if possible; otherwise the default is 2.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>dnssec-keygen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p <replaceable class="parameter">protocol</replaceable></term>
+ <listitem>
+ <para>
+ Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 2 (email) for
+ keys of type USER and 3 (DNSSEC) for all other key types.
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomdev</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the source of randomness. If the operating
+ system does not provide a <filename>/dev/random</filename>
+ or equivalent device, the default source of randomness
+ is keyboard input. <filename>randomdev</filename> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard
+ input should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">strength</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the strength value of the key. The strength is
+ a number between 0 and 15, and currently has no defined
+ purpose in DNSSEC.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">type</replaceable></term>
+ <listitem>
+ <para>
+ Indicates the use of the key. <option>type</option> must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>GENERATED KEYS</title>
+ <para>
+ When <command>dnssec-keygen</command> completes successfully,
+ it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
+ to the standard output. This is an identification string for
+ the key it has generated. These strings can be used as arguments
+ to <command>dnssec-makekeyset</command>.
+ </para>
+ <para>
+ <filename>nnnn</filename> is the key name.
+ </para>
+ <para>
+ <filename>aaa</filename> is the numeric representation of the algorithm.
+ </para>
+ <para>
+ <filename>iiiii</filename> is the key identifier (or footprint).
+ </para>
+ <para>
+ <command>dnssec-keygen</command> creates two file, with names based
+ on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
+ contains the public key, and
+ <filename>Knnnn.+aaa+iiiii.private</filename> contains the private
+ key.
+ </para>
+ <para>
+ The <filename>.key</filename> file contains a DNS KEY record that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+ </para>
+ <para>
+ The <filename>.private</filename> file contains algorithm specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+ </para>
+ <para>
+ Both <filename>.key</filename> and <filename>.private</filename>
+ files are generated for symmetric encryption algorithm such as
+ HMAC-MD5, even though the public and private key are equivalent.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+ <para>
+ To generate a 768-bit DSA key for the domain
+ <userinput>example.com</userinput>, the following command would be
+ issued:
+ </para>
+ <para>
+ <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
+ </para>
+ <para>
+ The command would print a string of the form:
+ </para>
+ <para>
+ <userinput>Kexample.com.+003+26160</userinput>
+ </para>
+ <para>
+ In this example, <command>dnssec-keygen</command> creates
+ the files <filename>Kexample.com.+003+26160.key</filename> and
+ <filename>Kexample.com.+003+26160.private</filename>
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>dnssec-makekeyset</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signkey</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2535</citetitle>,
+ <citetitle>RFC 2845</citetitle>,
+ <citetitle>RFC 2539</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Software Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2000, 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+<HTML
+><HEAD
+><TITLE
+>dnssec-keygen</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.61
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>dnssec-keygen</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-keygen</SPAN
+> -- DNSSEC key generation tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> {-a <TT
+CLASS="REPLACEABLE"
+><I
+>algorithm</I
+></TT
+>} {-b <TT
+CLASS="REPLACEABLE"
+><I
+>keysize</I
+></TT
+>} {-n <TT
+CLASS="REPLACEABLE"
+><I
+>nametype</I
+></TT
+>} [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-e</TT
+>] [<TT
+CLASS="OPTION"
+>-g <TT
+CLASS="REPLACEABLE"
+><I
+>generator</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>protocol</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>strength</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>type</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></TT
+>] {name}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN48"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> generates keys for DNSSEC
+ (Secure DNS), as defined in RFC 2535. It can also generate
+ keys for use with TSIG (Transaction Signatures), as
+ defined in RFC 2845.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN52"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a <TT
+CLASS="REPLACEABLE"
+><I
+>algorithm</I
+></TT
+></DT
+><DD
+><P
+> Selects the cryptographic algorithm. The value of
+ <TT
+CLASS="OPTION"
+>algorithm</TT
+> must be one of RSAMD5 or RSA,
+ DSA, DH (Diffie Hellman), or HMAC-MD5. These values
+ are case insensitive.
+ </P
+><P
+> Note that for DNSSEC, DSA is a mandatory to implement algorithm,
+ and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
+ </P
+></DD
+><DT
+>-b <TT
+CLASS="REPLACEABLE"
+><I
+>keysize</I
+></TT
+></DT
+><DD
+><P
+> Specifies the number of bits in the key. The choice of key
+ size depends on the algorithm used. RSA keys must be between
+ 512 and 2048 bits. Diffie Hellman keys must be between
+ 128 and 4096 bits. DSA keys must be between 512 and 1024
+ bits and an exact multiple of 64. HMAC-MD5 keys must be
+ between 1 and 512 bits.
+ </P
+></DD
+><DT
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>nametype</I
+></TT
+></DT
+><DD
+><P
+> Specifies the owner type of the key. The value of
+ <TT
+CLASS="OPTION"
+>nametype</TT
+> must either be ZONE (for a DNSSEC
+ zone key), HOST or ENTITY (for a key associated with a host),
+ or USER (for a key associated with a user). These values are
+ case insensitive.
+ </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></DT
+><DD
+><P
+> Indicates that the DNS record containing the key should have
+ the specified class. If not specified, class IN is used.
+ </P
+></DD
+><DT
+>-e</DT
+><DD
+><P
+> If generating an RSA key, use a large exponent.
+ </P
+></DD
+><DT
+>-g <TT
+CLASS="REPLACEABLE"
+><I
+>generator</I
+></TT
+></DT
+><DD
+><P
+> If generating a Diffie Hellman key, use this generator.
+ Allowed values are 2 and 5. If no generator
+ is specified, a known prime from RFC 2539 will be used
+ if possible; otherwise the default is 2.
+ </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+> Prints a short summary of the options and arguments to
+ <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>.
+ </P
+></DD
+><DT
+>-p <TT
+CLASS="REPLACEABLE"
+><I
+>protocol</I
+></TT
+></DT
+><DD
+><P
+> Sets the protocol value for the generated key. The protocol
+ is a number between 0 and 255. The default is 2 (email) for
+ keys of type USER and 3 (DNSSEC) for all other key types.
+ Other possible values for this argument are listed in
+ RFC 2535 and its successors.
+ </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></DT
+><DD
+><P
+> Specifies the source of randomness. If the operating
+ system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
+ or equivalent device, the default source of randomness
+ is keyboard input. <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
+ input should be used.
+ </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>strength</I
+></TT
+></DT
+><DD
+><P
+> Specifies the strength value of the key. The strength is
+ a number between 0 and 15, and currently has no defined
+ purpose in DNSSEC.
+ </P
+></DD
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>type</I
+></TT
+></DT
+><DD
+><P
+> Indicates the use of the key. <TT
+CLASS="OPTION"
+>type</TT
+> must be
+ one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+ is AUTHCONF. AUTH refers to the ability to authenticate
+ data, and CONF the ability to encrypt data.
+ </P
+></DD
+><DT
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></DT
+><DD
+><P
+> Sets the debugging level.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN121"
+></A
+><H2
+>GENERATED KEYS</H2
+><P
+> When <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> completes successfully,
+ it prints a string of the form <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii</TT
+>
+ to the standard output. This is an identification string for
+ the key it has generated. These strings can be used as arguments
+ to <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+>.
+ </P
+><P
+> <TT
+CLASS="FILENAME"
+>nnnn</TT
+> is the key name.
+ </P
+><P
+> <TT
+CLASS="FILENAME"
+>aaa</TT
+> is the numeric representation of the algorithm.
+ </P
+><P
+> <TT
+CLASS="FILENAME"
+>iiiii</TT
+> is the key identifier (or footprint).
+ </P
+><P
+> <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> creates two file, with names based
+ on the printed string. <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii.key</TT
+>
+ contains the public key, and
+ <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii.private</TT
+> contains the private
+ key.
+ </P
+><P
+> The <TT
+CLASS="FILENAME"
+>.key</TT
+> file contains a DNS KEY record that
+ can be inserted into a zone file (directly or with a $INCLUDE
+ statement).
+ </P
+><P
+> The <TT
+CLASS="FILENAME"
+>.private</TT
+> file contains algorithm specific
+ fields. For obvious security reasons, this file does not have
+ general read permission.
+ </P
+><P
+> Both <TT
+CLASS="FILENAME"
+>.key</TT
+> and <TT
+CLASS="FILENAME"
+>.private</TT
+>
+ files are generated for symmetric encryption algorithm such as
+ HMAC-MD5, even though the public and private key are equivalent.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN144"
+></A
+><H2
+>EXAMPLE</H2
+><P
+> To generate a 768-bit DSA key for the domain
+ <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+>, the following command would be
+ issued:
+ </P
+><P
+> <TT
+CLASS="USERINPUT"
+><B
+>dnssec-keygen -a DSA -b 768 -n ZONE example.com</B
+></TT
+>
+ </P
+><P
+> The command would print a string of the form:
+ </P
+><P
+> <TT
+CLASS="USERINPUT"
+><B
+>Kexample.com.+003+26160</B
+></TT
+>
+ </P
+><P
+> In this example, <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> creates
+ the files <TT
+CLASS="FILENAME"
+>Kexample.com.+003+26160.key</TT
+> and
+ <TT
+CLASS="FILENAME"
+>Kexample.com.+003+26160.private</TT
+>
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN157"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-makekeyset</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signkey</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signzone</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 2535</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 2845</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 2539</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN173"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Software Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-.\" $Id: dnssec-makekeyset.8,v 1.10 2001/01/09 21:47:23 bwelling Exp $
-
-.Dd Jun 30, 2000
-.Dt DNSSEC-MAKEKEYSET 8
-.Os BIND9 9
-.ds vT BIND9 Programmer's Manual
-.Sh NAME
-.Nm dnssec-makekeyset
-.Nd produce a set of DNSSEC keys
-.Sh SYNOPSIS
-.Nm dnssec-makekeyset
-.Op Fl h
-.Op Fl s Ar start-time
-.Op Fl e Ar end-time
-.Op Fl t Ar TTL
-.Op Fl r Ar randomdev
-.Op Fl p
-.Op Fl v Ar level
-.Ar keyfile ....
-.Sh DESCRIPTION
-.Nm dnssec-makekeyset
-generates a key set from one or more keys created by
-.Xr dnssec-keygen 8 .
-It creates a file containing KEY and SIG records for some zone which
-can then be signed by the zone's parent if the parent zone is
-DNSSEC-aware.
-.Ar keyfile
-should be a key identification string as reported by
-.Xr dnssec-keygen 8 :
-i.e.
-.Ar Knnnn.+aaa+iiiii
-where
-.Ar nnnn
-is the name of the key,
-.Ar aaa
-is the encryption algorithm and
-.Ar iiiii
-is the key identifier.
-Multiple
-.Ar keyfile
-arguments can be supplied when there are several keys to be combined
-by
-.Nm dnssec-makekeyset
-into a key set.
-.Pp
-For any SIG records that are in the key set, the start time when the
-SIG records become valid is specified with the
-.Fl s
-option.
-.Ar start-time
-can either be an absolute or relative date.
-An absolute start time is indicated by a number in YYYYMMDDHHMMSS
-notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
-A relative start time is supplied when
-.Ar start-time
-is given as +N: N seconds from the current time.
-If no
-.Fl s
-option is supplied, the current date and time is used for the start
-time of the SIG records.
-.Pp
-The expiry date for the SIG records can be set by the
-.Fl e
-option.
-Note that in this context, the expiry date specifies when the SIG
-records are no longer valid, not when they are deleted from caches on name
-servers.
-.Ar end-date
-also represents an absolute or relative date.
-YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
-and time.
-When
-.Ar end-date
-is +N,
-it indicates that the SIG records will expire in N seconds after their
-start date.
-If
-.Ar end-date
-is written as now+N,
-the SIG records will expire in N seconds after the current time.
-When no expiry date is set for the SIG records,
-.Nm dnssec-makekeyset
-defaults to an expire time of 30 days from the start time of the SIG
-records.
-.Pp
-An alternate source of random data can be specified with the
-.Fl r
-option.
-.Ar randomdev
-is the name of the file to use to obtain random data.
-By default
-.Pa /dev/random
-is used if this device is available.
-If it is not provided by the operating system and no
-.Fl r
-option is used,
-.Nm dnssec-makekeyset
-will prompt the user for input from the keyboard and use the time
-between keystrokes to derive some random data.
-.Pp
-The
-.Fl p
-option instructs
-.Nm dnssec-makekeyset
-to use pseudo-random data when self-signing the keyset. This is faster, but
-less secure, than using genuinely random data for signing.
-This option may be useful when the entropy source is limited.
-.Pp
-The
-.Fl t
-option is followed by a time-to-live argument
-.Ar TTL
-which indicates the TTL value that will be assigned to the assembled KEY
-and SIG records in the output file.
-.Ar TTL
-is expressed in seconds.
-If no
-.Fl t
-option is provided,
-.Nm dnssec-makekeyset
-prints a warning and uses a default TTL of 3600 seconds.
-.Pp
-The
-.Fl v
-option can be used to make
-.Nm dnssec-makekeyset
-more verbose.
-As the debugging/tracing level
-.Ar level
-increases,
-.Nm dnssec-makekeyset
-generates increasingly detailed reports about what it is doing.
-The default level is zero.
-.Pp
-The
-.Fl h
-option makes
-.Nm dnssec-makekeyset
-to print a short summary of its options and arguments.
-.Pp
-If
-.Nm dnssec-makekeyset
-is successful, it creates a file name of the form
-.Ar keyset-nnnn. .
-This file contains the KEY and SIG records for domain
-.Dv nnnn ,
-the domain name part from the key file identifier produced when
-.Nm dnssec-keygen
-created the domain's public and private keys.
-The
-.Ar keyset
-file can then be transferred to the DNS administrator of the parent
-zone for them to sign the contents with
-.Xr dnssec-signkey 8 .
-.Sh EXAMPLE
-The following command generates a key set for the DSA key for
-.Dv example.com
-that was shown in the
-.Xr dnssec-keygen 8
-man page.
-The backslash is for typographic reasons and would not be provided on
-the command line when running
-.Nm dnssec-makekeyset .
-.nf
-.Dl # dnssec-makekeyset -t 86400 -s 20000701120000 \e\p
-.Dl -e +2592000 Kexample.com.+003+26160
-.fi
-.Pp
-.Nm dnssec-makekeyset
-will create a file called
-.Pa keyset-example.com.
-containing a SIG and KEY record for
-.Dv example.com.
-These records will have a TTL of 86400 seconds (1 day).
-The SIG record becomes valid at noon UTC on July 1st 2000 and expires
-30 days (2592000 seconds) later.
-.Pp
-The DNS administrator for
-.Dv example.com
-could then send
-.Pa keyset-example.com.
-to the DNS administrator for
-.Dv .com
-so that they could sign the resource records in the file.
-This assumes that the
-.Dv .com
-zone is DNSSEC-aware and the administrators of the two zones have some
-mechanism for authenticating each other and exchanging the keys and
-signatures securely.
-.Sh FILES
-.Pa /dev/random .
-.Sh SEE ALSO
-.Xr RFC2535 ,
-.Xr dnssec-keygen 8 ,
-.Xr dnssec-signkey 8 .
+.TH "DNSSEC-MAKEKEYSET" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-makekeyset \- DNSSEC zone signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-makekeyset\fR [ \fB-a\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fIttl\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkey\fR\fI...\fR
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-makekeyset\fR generates a key set from one
+or more keys created by \fBdnssec-keygen\fR. It creates
+a file containing a KEY record for each key, and self-signs the key
+set with each zone key. The output file is of the form
+\fIkeyset-nnnn.\fR, where \fInnnn\fR
+is the zone name.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Verify all generated signatures.
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated SIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated SIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time realtive to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-makekeyset\fR.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-t \fIttl\fB\fR
+Specify the TTL (time to live) of the KEY and SIG records.
+The default is 3600 seconds.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.TP
+\fBkey\fR
+Lists the keys included in the keyset file. These keys
+are expressed in the form \fIKnnnn.+aaa+iiiii\fR
+as generated by \fBdnssec-keygen\fR.
+.SH "EXAMPLE"
+.PP
+The following command generates a keyset containing the DSA key for
+\fBexample.com\fR generated in the
+\fBdnssec-keygen\fR man page.
+.PP
+\fBdnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160\fR
+.PP
+In this example, \fBdnssec-makekeyset\fR creates
+the file \fIkeyset-example.com.\fR. This file
+contains the specified key and a self-generated signature.
+.PP
+The DNS administrator for \fBexample.com\fR could
+send \fIkeyset-example.com.\fR to the DNS
+administrator for \fB.com\fR for signing, if the
+\&.com zone is DNSSEC-aware and the administrators of the two zones
+have some mechanism for authenticating each other and exchanging
+the keys and signatures securely.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signkey\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR.
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
--- /dev/null
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-makekeyset</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-makekeyset</application></refname>
+ <refpurpose>DNSSEC zone signing tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-makekeyset</command>
+ <arg><option>-a</option></arg>
+ <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
+ <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-p</option></arg>
+ <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-t</option><replaceable class="parameter">ttl</replaceable></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg choice="req" rep="repeat">key</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>dnssec-makekeyset</command> generates a key set from one
+ or more keys created by <command>dnssec-keygen</command>. It creates
+ a file containing a KEY record for each key, and self-signs the key
+ set with each zone key. The output file is of the form
+ <filename>keyset-nnnn.</filename>, where <filename>nnnn</filename>
+ is the zone name.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a</term>
+ <listitem>
+ <para>
+ Verify all generated signatures.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">start-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <option>start-time</option> is specified, the current
+ time is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-e <replaceable class="parameter">end-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated SIG records
+ expire. As with <option>start-time</option>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no <option>end-time</option> is
+ specified, 30 days from the start time is used as a default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>dnssec-makekeyset</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p</term>
+ <listitem>
+ <para>
+ Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomdev</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the source of randomness. If the operating
+ system does not provide a <filename>/dev/random</filename>
+ or equivalent device, the default source of randomness
+ is keyboard input. <filename>randomdev</filename> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard
+ input should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t <replaceable class="parameter">ttl</replaceable></term>
+ <listitem>
+ <para>
+ Specify the TTL (time to live) of the KEY and SIG records.
+ The default is 3600 seconds.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>key</term>
+ <listitem>
+ <para>
+ Lists the keys included in the keyset file. These keys
+ are expressed in the form <filename>Knnnn.+aaa+iiiii</filename>
+ as generated by <command>dnssec-keygen</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+ <para>
+ The following command generates a keyset containing the DSA key for
+ <userinput>example.com</userinput> generated in the
+ <command>dnssec-keygen</command> man page.
+ </para>
+ <para>
+ <userinput>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</userinput>
+ </para>
+ <para>
+ In this example, <command>dnssec-makekeyset</command> creates
+ the file <filename>keyset-example.com.</filename>. This file
+ contains the specified key and a self-generated signature.
+ </para>
+ <para>
+ The DNS administrator for <userinput>example.com</userinput> could
+ send <filename>keyset-example.com.</filename> to the DNS
+ administrator for <userinput>.com</userinput> for signing, if the
+ .com zone is DNSSEC-aware and the administrators of the two zones
+ have some mechanism for authenticating each other and exchanging
+ the keys and signatures securely.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signkey</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2535</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Software Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2000, 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+<HTML
+><HEAD
+><TITLE
+>dnssec-makekeyset</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.61
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>dnssec-makekeyset</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-makekeyset</SPAN
+> -- DNSSEC zone signing tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> [<TT
+CLASS="OPTION"
+>-a</TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-p</TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t</TT
+><TT
+CLASS="REPLACEABLE"
+><I
+>ttl</I
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></TT
+>] {key...}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN38"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> generates a key set from one
+ or more keys created by <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>. It creates
+ a file containing a KEY record for each key, and self-signs the key
+ set with each zone key. The output file is of the form
+ <TT
+CLASS="FILENAME"
+>keyset-nnnn.</TT
+>, where <TT
+CLASS="FILENAME"
+>nnnn</TT
+>
+ is the zone name.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN45"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+> Verify all generated signatures.
+ </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></DT
+><DD
+><P
+> Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <TT
+CLASS="OPTION"
+>start-time</TT
+> is specified, the current
+ time is used.
+ </P
+></DD
+><DT
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></DT
+><DD
+><P
+> Specify the date and time when the generated SIG records
+ expire. As with <TT
+CLASS="OPTION"
+>start-time</TT
+>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no <TT
+CLASS="OPTION"
+>end-time</TT
+> is
+ specified, 30 days from the start time is used as a default.
+ </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+> Prints a short summary of the options and arguments to
+ <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+>.
+ </P
+></DD
+><DT
+>-p</DT
+><DD
+><P
+> Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></DT
+><DD
+><P
+> Specifies the source of randomness. If the operating
+ system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
+ or equivalent device, the default source of randomness
+ is keyboard input. <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
+ input should be used.
+ </P
+></DD
+><DT
+>-t <TT
+CLASS="REPLACEABLE"
+><I
+>ttl</I
+></TT
+></DT
+><DD
+><P
+> Specify the TTL (time to live) of the KEY and SIG records.
+ The default is 3600 seconds.
+ </P
+></DD
+><DT
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></DT
+><DD
+><P
+> Sets the debugging level.
+ </P
+></DD
+><DT
+>key</DT
+><DD
+><P
+> Lists the keys included in the keyset file. These keys
+ are expressed in the form <TT
+CLASS="FILENAME"
+>Knnnn.+aaa+iiiii</TT
+>
+ as generated by <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN98"
+></A
+><H2
+>EXAMPLE</H2
+><P
+> The following command generates a keyset containing the DSA key for
+ <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+> generated in the
+ <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+> man page.
+ </P
+><P
+> <TT
+CLASS="USERINPUT"
+><B
+>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B
+></TT
+>
+ </P
+><P
+> In this example, <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> creates
+ the file <TT
+CLASS="FILENAME"
+>keyset-example.com.</TT
+>. This file
+ contains the specified key and a self-generated signature.
+ </P
+><P
+> The DNS administrator for <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+> could
+ send <TT
+CLASS="FILENAME"
+>keyset-example.com.</TT
+> to the DNS
+ administrator for <TT
+CLASS="USERINPUT"
+><B
+>.com</B
+></TT
+> for signing, if the
+ .com zone is DNSSEC-aware and the administrators of the two zones
+ have some mechanism for authenticating each other and exchanging
+ the keys and signatures securely.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN112"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signkey</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 2535</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN123"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Software Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-
-.\" $Id: dnssec-signkey.8,v 1.12 2001/01/09 21:47:24 bwelling Exp $
-
-.Dd Jun 30, 2000
-.Dt DNSSEC-SIGNKEY 8
-.Os BIND9 9
-.ds vT BIND9 Programmer's Manual
-.Sh NAME
-.Nm dnssec-signkey
-.Nd DNSSEC keyset signing tool
-.Sh SYNOPSIS
-.Nm dnssec-signkey
-.Op Fl h
-.Op Fl s Ar start-time
-.Op Fl e Ar end-time
-.Op Fl c Ar class
-.Op Fl p
-.Op Fl r Ar randomdev
-.Op Fl v Ar level
-.Ar keyset
-.Ar keyfile ...
-.Sh DESCRIPTION
-.Nm dnssec-signkey
-is used to sign a key set for a child zone.
-Typically this would be provided by a
-.Ar keyset
-file generated by
-.Xr dnssec-makekeyset 8 .
-This provides a mechanism for a DNSSEC-aware zone to sign the keys of
-any DNSSEC-aware child zones.
-The child zone's key set gets signed with the zone keys for its parent
-zone.
-.Ar keyset
-will be the pathname of the child zone's
-.Ar keyset
-file.
-Each
-.Ar keyfile
-argument will be a key identification string as reported by
-.Xr dnssec-keygen 8
-for the parent zone.
-This allows the child's keys to be signed by more than one
-parent zone key.
-.Pp
-The
-.Fl h
-option makes
-.Nm dnssec-signkey
-print a short summary of its command line options
-and arguments.
-.Pp
-By default, the validity period of the generated SIG records is copied
-from that of the signatures in the input key set. This may be overriden
-with the
-.Fl s
-and
-.Fl e
-options, both of which must be present if either is.
-The start of the validity period is specified with the
-.Fl s
-option.
-.Ar start-time
-can either be an absolute or relative date.
-An absolute start time is indicated by a number in YYYYMMDDHHMMSS
-notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
-A relative start time is supplied when
-.Ar start-time
-is given as +N: N seconds from the current time.
-If no
-.Fl s
-option is supplied, the current date and time is used for the start
-time of the SIG records.
-.Pp
-The expiry date for the SIG records can be set by the
-.Fl e
-option.
-Note that in this context, the expiry date specifies when the SIG
-records are no longer valid, not when they are deleted from caches on name
-servers.
-.Ar end-date
-also represents an absolute or relative date.
-YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
-and time.
-When
-.Ar end-date
-is +N,
-it indicates that the SIG records will expire in N seconds after their
-start date.
-If
-.Ar end-date
-is written as now+N,
-the SIG records will expire in N seconds after the current time.
-.Pp
-The
-.Fl c
-option specifies that the KEY records in the input and output key sets should
-have the specified class instead of IN.
-.Pp
-.Nm dnssec-signkey
-may need random numbers in the process of generating keys.
-If the system does not have a
-.Pa /dev/random
-device that can be used for generating random numbers,
-.Nm dnssec-signkey
-will prompt for keyboard input and use the time intervals between
-keystrokes to provide randomness.
-The
-.Fl r
-option overrides this behaviour, making
-.Nm dnssec-signkey
-use
-.Ar randomdev
-as a source of random data.
-.Pp
-The
-.Fl p
-option instructs
-.Nm dnssec-signkey
-to use pseudo-random data when signing the keys. This is faster, but
-less secure, than using genuinely random data for signing.
-This option may be useful when there are many child zone keysets to
-sign or if the entropy source is limited.
-It could also be used for short-lived keys and signatures that don't
-require as much protection against cryptanalysis, such as when the key
-will be discarded long before it could be compromised.
-.Pp
-The
-.Fl v
-option can be used to make
-.Nm dnssec-signkey
-more verbose.
-As the debugging/tracing level
-.Ar level
-increases,
-.Nm dnssec-signkey
-generates increasingly detailed reports about what it is doing.
-The default level is zero.
-.Pp
-When
-.Nm dnssec-signkey
-completes successfully, it generates a file called
-.Ar signedkey-nnnn.
-containing the signed keys for child zone
-.Ar nnnn .
-The keys from the
-.Ar keyset
-file will have been signed by the parent zone's key or keys which were
-supplied as
-.Ar keyfile
-arguments.
-This file should be sent to the DNS administrator of the child zone.
-They arrange for its contents to be incorporated into the zone file
-when it next gets signed with
-.Xr dnssec-signzone 8 .
-A copy of the generated
-.Ar signedkey
-file should be kept by the parent zone's DNS administrator, since
-it will be needed when signing the parent zone.
-.Sh EXAMPLE
-The DNS administrator for a DNSSEC-aware
-.Dv .com
-zone would use the following command to make
-.Nm dnssec-signkey
-sign the
-.Ar keyset
-file for
-.Dv example.com
-created in the example shown in the man page for
-.Xr dnssec-makekeyset 8 :
-.Pp
-.Dl # dnssec-signkey keyset-example.com. Kcom.+003+51944
-.Pp
-where
-.Dv Kcom.+003+51944
-was a key file identifier that was produced when
-.Xr dnssec-keygen 8
-generated a key for the
-.Dv .com
-zone.
-.Pp
-.Nm dnssec-signkey
-will produce a file called
-.Dv signedkey-example.com.
-which has the keys for
-.Dv example.com
-signed by the
-.Dv com
-zone's zone key.
-.Sh FILES
-.Pa /dev/random
-.Sh SEE ALSO
-.Xr RFC2535,
-.Xr dnssec-keygen 8 ,
-.Xr dnssec-makekeyset 8 ,
-.Xr dnssec-signzone 8 .
+.TH "DNSSEC-SIGNKEY" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-signkey \- DNSSEC key set signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-signkey\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-h\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-v \fIlevel\fB\fR ] \fBkeyset\fR \fBkey\fR\fI...\fR
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-signkey\fR signs a keyset. Typically
+the keyset will be for a child zone, and will have been generated
+by \fBdnssec-makekeyset\fR. The child zone's keyset
+is signed with the zone keys for its parent zone. The output file
+is of the form \fIsignedkey-nnnn.\fR, where
+\fInnnn\fR is the zone name.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Verify all generated signatures.
+.TP
+\fB-c \fIclass\fB\fR
+Specifies the DNS class of the key sets.
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated SIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated SIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time realtive to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-signkey\fR.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.TP
+\fBkeyset\fR
+The file containing the child's keyset.
+.TP
+\fBkey\fR
+The keys used to sign the child's keyset.
+.SH "EXAMPLE"
+.PP
+The DNS administrator for a DNSSEC-aware \fB.com\fR
+zone would use the following command to sign the
+\fIkeyset\fR file for \fBexample.com\fR
+created by \fBdnssec-makekeyset\fR with a key generated
+by \fBdnssec-keygen\fR:
+.PP
+\fBdnssec-signkey keyset-example.com. Kcom.+003+51944\fR
+.PP
+In this example, \fBdnssec-signkey\fR creates
+the file \fIsignedkey-example.com.\fR, which
+contains the \fBexample.com\fR keys and the
+signatures by the \fB.com\fR keys.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-makekeyset\fR(8),
+\fBdnssec-signzone\fR(8).
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
--- /dev/null
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-signkey</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-signkey</application></refname>
+ <refpurpose>DNSSEC key set signing tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-signkey</command>
+ <arg><option>-a</option></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
+ <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-p</option></arg>
+ <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg choice="req">keyset</arg>
+ <arg choice="req" rep="repeat">key</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>dnssec-signkey</command> signs a keyset. Typically
+ the keyset will be for a child zone, and will have been generated
+ by <command>dnssec-makekeyset</command>. The child zone's keyset
+ is signed with the zone keys for its parent zone. The output file
+ is of the form <filename>signedkey-nnnn.</filename>, where
+ <filename>nnnn</filename> is the zone name.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a</term>
+ <listitem>
+ <para>
+ Verify all generated signatures.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the DNS class of the key sets.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">start-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <option>start-time</option> is specified, the current
+ time is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-e <replaceable class="parameter">end-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated SIG records
+ expire. As with <option>start-time</option>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no <option>end-time</option> is
+ specified, 30 days from the start time is used as a default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>dnssec-signkey</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p</term>
+ <listitem>
+ <para>
+ Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomdev</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the source of randomness. If the operating
+ system does not provide a <filename>/dev/random</filename>
+ or equivalent device, the default source of randomness
+ is keyboard input. <filename>randomdev</filename> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard
+ input should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>keyset</term>
+ <listitem>
+ <para>
+ The file containing the child's keyset.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>key</term>
+ <listitem>
+ <para>
+ The keys used to sign the child's keyset.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+ <para>
+ The DNS administrator for a DNSSEC-aware <userinput>.com</userinput>
+ zone would use the following command to sign the
+ <filename>keyset</filename> file for <userinput>example.com</userinput>
+ created by <command>dnssec-makekeyset</command> with a key generated
+ by <command>dnssec-keygen</command>:
+ </para>
+ <para>
+ <userinput>dnssec-signkey keyset-example.com. Kcom.+003+51944</userinput>
+ </para>
+ <para>
+ In this example, <command>dnssec-signkey</command> creates
+ the file <filename>signedkey-example.com.</filename>, which
+ contains the <userinput>example.com</userinput> keys and the
+ signatures by the <userinput>.com</userinput> keys.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-makekeyset</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signzone</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Software Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2000, 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+<HTML
+><HEAD
+><TITLE
+>dnssec-signkey</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.61
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signkey</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signkey</SPAN
+> -- DNSSEC key set signing tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-signkey</B
+> [<TT
+CLASS="OPTION"
+>-a</TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-p</TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></TT
+>] {keyset} {key...}</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN39"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>dnssec-signkey</B
+> signs a keyset. Typically
+ the keyset will be for a child zone, and will have been generated
+ by <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+>. The child zone's keyset
+ is signed with the zone keys for its parent zone. The output file
+ is of the form <TT
+CLASS="FILENAME"
+>signedkey-nnnn.</TT
+>, where
+ <TT
+CLASS="FILENAME"
+>nnnn</TT
+> is the zone name.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN46"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+> Verify all generated signatures.
+ </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></DT
+><DD
+><P
+> Specifies the DNS class of the key sets.
+ </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></DT
+><DD
+><P
+> Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <TT
+CLASS="OPTION"
+>start-time</TT
+> is specified, the current
+ time is used.
+ </P
+></DD
+><DT
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></DT
+><DD
+><P
+> Specify the date and time when the generated SIG records
+ expire. As with <TT
+CLASS="OPTION"
+>start-time</TT
+>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no <TT
+CLASS="OPTION"
+>end-time</TT
+> is
+ specified, 30 days from the start time is used as a default.
+ </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+> Prints a short summary of the options and arguments to
+ <B
+CLASS="COMMAND"
+>dnssec-signkey</B
+>.
+ </P
+></DD
+><DT
+>-p</DT
+><DD
+><P
+> Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></DT
+><DD
+><P
+> Specifies the source of randomness. If the operating
+ system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
+ or equivalent device, the default source of randomness
+ is keyboard input. <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
+ input should be used.
+ </P
+></DD
+><DT
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></DT
+><DD
+><P
+> Sets the debugging level.
+ </P
+></DD
+><DT
+>keyset</DT
+><DD
+><P
+> The file containing the child's keyset.
+ </P
+></DD
+><DT
+>key</DT
+><DD
+><P
+> The keys used to sign the child's keyset.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN101"
+></A
+><H2
+>EXAMPLE</H2
+><P
+> The DNS administrator for a DNSSEC-aware <TT
+CLASS="USERINPUT"
+><B
+>.com</B
+></TT
+>
+ zone would use the following command to sign the
+ <TT
+CLASS="FILENAME"
+>keyset</TT
+> file for <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+>
+ created by <B
+CLASS="COMMAND"
+>dnssec-makekeyset</B
+> with a key generated
+ by <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>:
+ </P
+><P
+> <TT
+CLASS="USERINPUT"
+><B
+>dnssec-signkey keyset-example.com. Kcom.+003+51944</B
+></TT
+>
+ </P
+><P
+> In this example, <B
+CLASS="COMMAND"
+>dnssec-signkey</B
+> creates
+ the file <TT
+CLASS="FILENAME"
+>signedkey-example.com.</TT
+>, which
+ contains the <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+> keys and the
+ signatures by the <TT
+CLASS="USERINPUT"
+><B
+>.com</B
+></TT
+> keys.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN116"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-makekeyset</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signzone</SPAN
+>(8)</SPAN
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN128"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Software Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file
.\" FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+.TH "DNSSEC-SIGNZONE" "8" "June 30, 2000" "BIND9" ""
+.SH NAME
+dnssec-signzone \- DNSSEC zone signing tool
+.SH SYNOPSIS
+.sp
+\fBdnssec-signzone\fR [ \fB-a\fR ] [ \fB-c \fIclass\fB\fR ] [ \fB-d \fIdirectory\fB\fR ] [ \fB-s \fIstart-time\fB\fR ] [ \fB-e \fIend-time\fB\fR ] [ \fB-f \fIoutput-file\fB\fR ] [ \fB-h\fR ] [ \fB-i \fIinterval\fB\fR ] [ \fB-n \fInthreads\fB\fR ] [ \fB-o \fIorigin\fB\fR ] [ \fB-p\fR ] [ \fB-r \fIrandomdev\fB\fR ] [ \fB-t\fR ] [ \fB-v \fIlevel\fB\fR ] \fBzonefile\fR [ \fBkey\fR\fI...\fR ]
+.SH "DESCRIPTION"
+.PP
+\fBdnssec-signzone\fR signs a zone. It generates NXT
+and SIG records and produces a signed version of the zone. If there
+is a \fIsignedkey\fR file from the zone's parent,
+the parent's signatures will be incorporated into the generated
+signed zone file. The security status of delegations from the the
+signed zone (that is, whether the child zones are secure or not) is
+determined by the presence or absence of a
+\fIsignedkey\fR file for each child zone.
+.SH "OPTIONS"
+.TP
+\fB-a\fR
+Verify all generated signatures.
+.TP
+\fB-c \fIclass\fB\fR
+Specifies the DNS class of the zone.
+.TP
+\fB-d \fIdirectory\fB\fR
+Look for \fIsignedkey\fR files in
+\fBdirectory\fR as the directory
+.TP
+\fB-s \fIstart-time\fB\fR
+Specify the date and time when the generated SIG records
+become valid. This can be either an absolute or relative
+time. An absolute start time is indicated by a number
+in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+14:45:00 UTC on May 30th, 2000. A relative start time is
+indicated by +N, which is N seconds from the current time.
+If no \fBstart-time\fR is specified, the current
+time is used.
+.TP
+\fB-e \fIend-time\fB\fR
+Specify the date and time when the generated SIG records
+expire. As with \fBstart-time\fR, an absolute
+time is indicated in YYYYMMDDHHMMSS notation. A time relative
+to the start time is indicated with +N, which is N seconds from
+the start time. A time realtive to the current time is
+indicated with now+N. If no \fBend-time\fR is
+specified, 30 days from the start time is used as a default.
+.TP
+\fB-f \fIoutput-file\fB\fR
+The name of the output file containing the signed zone. The
+default is to append \fI.signed\fR to the
+input file.
+.TP
+\fB-h\fR
+Prints a short summary of the options and arguments to
+\fBdnssec-signzone\fR.
+.TP
+\fB-i \fIinterval\fB\fR
+When a previously signed zone is passed as input, records
+may be resigned. The \fBinterval\fR option
+specifies the cycle interval as an offset from the current
+time (in seconds). If a SIG record expires after the
+cycle interval, it is retained. Otherwise, it is considered
+to be expiring soon, and it will be replaced.
-.\" $Id: dnssec-signzone.8,v 1.17 2001/01/09 21:47:25 bwelling Exp $
-
-.Dd Jun 30, 2000
-.Dt DNSSEC-SIGNZONE 8
-.Os BIND9 9
-.ds vT BIND9 Programmer's Manual
-.Sh NAME
-.Nm dnssec-signzone
-.Nd DNSSEC zone signing tool
-.Sh SYNOPSIS
-.Nm dnssec-signzone
-.Op Fl a
-.Op Fl c Ar class
-.Op Fl d Ar directory
-.Op Fl s Ar start-time
-.Op Fl e Ar end-time
-.Op Fl i Ar interval
-.Op Fl o Ar origin
-.Op Fl f Ar output-file
-.Op Fl p
-.Op Fl r Ar randomdev
-.Op Fl t
-.Op Fl v Ar level
-.Op Fl n Ar nthreads
-.Ar zonefile
-.Op keyfile ....
-.Sh DESCRIPTION
-.Pp
-.Nm dnssec-signzone
-is used to sign a zone.
-Any
-.Ar signedkey
-files for the zone to be signed should be present in the current
-directory, along with the keys that will be used to sign the zone.
-If no
-.Ar keyfile
-arguments are supplied, the default behaviour is to use all of the zone's
-keys that are present in the current directory.
-Providing specific
-.Ar keyfile
-arguments constrains
-.Nm dnssec-signzone
-to only use those keys for signing the zone.
-Each
-.Ar keyfile
-argument would be an identification string for a key created with
-.Xr dnssec-keygen 8 .
-If the zone to be signed has any secure subzones, the
-.Ar signedkey
-files for those subzones need to be available in the
-current working directory used by
-.Nm dnssec-signzone .
-.Pp
-.Ar zonefile
-is the name of the unsigned zone file.
-Unless the file name is the same as the name of the zone, the
-.Fl o
-option should be given.
-.Ar origin
-will be the fully qualified domain origin for the zone.
-.Pp
-.Nm dnssec-signzone
-will generate NXT and SIG records for the zone and produce a signed
-version of the zone.
-If there is a
-.Ar signedkey
-file from the zone's parent, the parent's signatures will be
-incorporated into the generated signed zone file.
-The security status of delegations from the the signed zone
-- i.e. whether the child zones are DNSSEC-aware or not - is
-set according to the presence or absence of a
-.Ar signedkey
-file for the child in case.
-.Pp
-By default,
-.Nm dnssec-signzone
-generates a file called
-.Ar zonefile.signed
-containing the signed zone file.
-The output file name can be overridden usign the
-.Fl f
-option.
-.\" Don't hyphenate YYYYMMDDHHMMSS
-.nh YYYYMMDDHHMMSS
-.Pp
-.Nm dnssec-signzone
-does not verify the signatures by default.
-The
-.Fl a
-option makes it verify the signatures it generated.
-.Pp
-The date and time when the generated
-SIG records become valid can be specified with the
-.Fl s
-option.
-.Ar start-time
-can either be an absolute or relative date.
-An absolute start time is indicated by a number in YYYYMMDDHHMMSS
-notation: 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.
-A relative start time is supplied when
-.Ar start-time
-is given as +N: N seconds from the current time.
-If no
-.Fl s
-option is supplied, the current date and time is used for the start
-time of the SIG records.
-.Pp
-The expiry date for the SIG records can be set by the
-.Fl e
-option.
-Note that in this context, the expiry date specifies when the SIG
-records are no longer valid, not when they are deleted from caches on name
-servers.
-.Ar end-date
-also represents an absolute or relative date.
-YYYYMMDDHHMMSS notation is used as before to indicate an absolute date
-and time.
-When
-.Ar end-date
-is +N,
-it indicates that the SIG records will expire in N seconds after their
-start date.
-If
-.Ar end-date
-is supplied as now+N,
-the SIG records will expire in N seconds after the current time.
-When no expiry date is set for the SIG records,
-.Nm dnssec-signzone
-defaults to an expire time of 30 days from the start time of the SIG
-records.
-.Pp
-When a previously signed zone is passed as input to
-.Nm dnssec-signzone ,
-records may be resigned. Whether or not to resign records is configurable
-by using the
-.Fl i
-option, which specifies the cycle interval as an offset from the current time
-(in seconds). If a SIG record expires after the cycle interval, it is
-retained. Otherwise, it is considered to be expiring soon, and
-.Nm dnssec-signzone
-will remove it and generate a new SIG record to replace it.
-.Pp
-The default cycle interval is one quarter of the difference between the
-specified signature end and start dates. So if the
-.Fl e
-and
-.Fl s
-options are not specified,
-.Nm dnssec-signzone
-generates signatures that are valid for 30 days from the current date
-by default, with a cycle interval of 7.5 days. Therefore, if any SIG records
-are due to expire in less than 7.5 days, they would be replaced
-with new ones.
-.Pp
-.Nm dnssec-signzone
-may need random numbers in the process of signing the zone.
-If the system does not have a
-.Pa /dev/random
-device that can be used for generating random numbers,
-.Nm dnssec-signzone
-will prompt for keyboard input and use the time intervals between
-keystrokes to provide randomness.
-The
-.Fl r
-option overrides this behaviour, making
-.Nm dnssec-signzone
-use
-.Ar randomdev
-as a source of random data.
-.Pp
-The
-.Fl p
-option instructs
-.Nm dnssec-signzone
-to use pseudo-random data when signing the keys. This is faster, but
-less secure, than using genuinely random data for signing.
-This option may be useful when signing large zones or when the
-entropy source is limited.
-.Pp
-The
-.Fl t
-option causes
-.Nm dnssec-signzone
-to print various statistics after signing the zone.
-.Pp
-The
-.Fl c
-option specifies that the KEY records in the input and output key sets should
-have the specified class instead of IN.
-.Pp
-The
-.Fl d
-option specifies that
-.Nm dnssec-signzone
-should look in a directory other than the current directory for signedkey
-files.
-.Pp
-An option of
-.Fl h
-makes
-.Nm dnssec-signzone
-print a short summary of its command line options
-and arguments.
-.Pp
-The
-.Fl v
-option can be used to make
-.Nm dnssec-signzone
-more verbose.
-As the debugging/tracing level
-.Ar level
-increases,
-.Nm dnssec-signzone
-generates increasingly detailed reports about what it is doing.
-The default level is zero.
-.Pp
-The
-.Fl n
-option can be used to change the threading behavior. By default,
-.Nm dnssec-signzone
-attempts to determine the number of CPUs present, and create one thread
-per CPU. The
-.Fl n
-option causes a different number of threads to be created.
-.Sh EXAMPLE
-The example below shows how
-.Nm dnssec-signzone
-could be used to sign the
-.Dv example.com
-zone with the key that was generated in the example given in the
-man page for
-.Xr dnssec-keygen 8 .
-The zone file for this zone is
-.Dv example.com ,
-which is the same as the origin, so there is no need to use the
-.Fl o
-option to set the origin.
-The zone's keys were either appended to the zone file or
-incorporated using a
-.Dv $INCLUDE
-statement.
-If there was a
-.Ar signedkey
-file from the parent zone - i.e.
-.Dv signedkey-example.com.
-- it should be present in the current directory.
-This allows the parent zone's signature to be included in the signed
-version of the
-.Dv example.com
-zone.
-.Pp
-.Dl # dnssec-signzone example.com Kexample.com.+003+26160
-.Pp
-.Nm dnssec-signzone
-will create a file called
-.Dv example.com.signed ,
-the signed version of the
-.Dv example.com
-zone.
-This file can then be referenced in a
-.Dv zone{}
-statement in
-.Pa /etc/named.conf
-so that it can be loaded by the name server.
-.Sh FILES
-.Pa /dev/random
-.Sh SEE ALSO
-.Xr RFC2535,
-.Xr dnssec-keygen 8 ,
-.Xr dnssec-signkey 8 .
+The default cycle interval is one quarter of the difference
+between the signature end and start times. So if neither
+\fBend-time\fR or \fBstart-time\fR
+are specified, \fBdnssec-signzone\fR generates
+signatures that are valid for 30 days, with a cycle
+interval of 7.5 days. Therefore, if any existing SIG records
+are due to expire in less than 7.5 days, they would be
+replaced.
+.TP
+\fB-n \fIncpus\fB\fR
+Specifies the number of threads to use. By default, one
+thread is started for each detected CPU.
+.TP
+\fB-o \fIorigin\fB\fR
+The zone origin. If not specified, the name of the zone file
+is assumed to be the origin.
+.TP
+\fB-p\fR
+Use pseudo-random data when signing the zone. This is faster,
+but less secure, than using real random data. This option
+may be useful when signing large zones or when the entropy
+source is limited.
+.TP
+\fB-r \fIrandomdev\fB\fR
+Specifies the source of randomness. If the operating
+system does not provide a \fI/dev/random\fR
+or equivalent device, the default source of randomness
+is keyboard input. \fIrandomdev\fR specifies
+the name of a character device or file containing random
+data to be used instead of the default. The special value
+\fIkeyboard\fR indicates that keyboard
+input should be used.
+.TP
+\fB-t\fR
+Print statistics at completion.
+.TP
+\fB-v \fIlevel\fB\fR
+Sets the debugging level.
+.TP
+\fBzonefile\fR
+The file containing the zone to be signed.
+Sets the debugging level.
+.TP
+\fBkey\fR
+The keys used to sign the zone. If no keys are specified, the
+default all zone keys that have private key files in the
+current directory.
+.SH "EXAMPLE"
+.PP
+The following command signs the \fBexample.com\fR
+zone with the DSA key generated in the \fBdnssec-keygen\fR
+man page. The zone's keys must be in the zone. If there are
+\fIsignedkey\fR files associated with this zone
+or any child zones, they must be in the current directory.
+\fBexample.com\fR, the following command would be
+issued:
+.PP
+\fBdnssec-signzone -o example.com db.example.com Kexample.com.+003+26160\fR
+.PP
+The command would print a string of the form:
+.PP
+In this example, \fBdnssec-signzone\fR creates
+the file \fIdb.example.com.signed\fR. This file
+should be referenced in a zone statement in a
+\fInamed.conf\fR file.
+.SH "SEE ALSO"
+.PP
+\fBdnssec-keygen\fR(8),
+\fBdnssec-signkey\fR(8),
+\fIBIND 9 Administrator Reference Manual\fR,
+\fIRFC 2535\fR.
+.SH "AUTHOR"
+.PP
+Internet Software Consortium
--- /dev/null
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
+
+<refentry>
+ <refentryinfo>
+ <date>June 30, 2000</date>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle><application>dnssec-signzone</application></refentrytitle>
+ <manvolnum>8</manvolnum>
+ <refmiscinfo>BIND9</refmiscinfo>
+ </refmeta>
+
+ <refnamediv>
+ <refname><application>dnssec-signzone</application></refname>
+ <refpurpose>DNSSEC zone signing tool</refpurpose>
+ </refnamediv>
+
+ <refsynopsisdiv>
+ <cmdsynopsis>
+ <command>dnssec-signzone</command>
+ <arg><option>-a</option></arg>
+ <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
+ <arg><option>-d <replaceable class="parameter">directory</replaceable></option></arg>
+ <arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
+ <arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
+ <arg><option>-f <replaceable class="parameter">output-file</replaceable></option></arg>
+ <arg><option>-h</option></arg>
+ <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
+ <arg><option>-n <replaceable class="parameter">nthreads</replaceable></option></arg>
+ <arg><option>-o <replaceable class="parameter">origin</replaceable></option></arg>
+ <arg><option>-p</option></arg>
+ <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
+ <arg><option>-t</option></arg>
+ <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
+ <arg choice="req">zonefile</arg>
+ <arg rep="repeat">key</arg>
+ </cmdsynopsis>
+ </refsynopsisdiv>
+
+ <refsect1>
+ <title>DESCRIPTION</title>
+ <para>
+ <command>dnssec-signzone</command> signs a zone. It generates NXT
+ and SIG records and produces a signed version of the zone. If there
+ is a <filename>signedkey</filename> file from the zone's parent,
+ the parent's signatures will be incorporated into the generated
+ signed zone file. The security status of delegations from the the
+ signed zone (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ <filename>signedkey</filename> file for each child zone.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>OPTIONS</title>
+
+ <variablelist>
+ <varlistentry>
+ <term>-a</term>
+ <listitem>
+ <para>
+ Verify all generated signatures.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-c <replaceable class="parameter">class</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the DNS class of the zone.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-d <replaceable class="parameter">directory</replaceable></term>
+ <listitem>
+ <para>
+ Look for <filename>signedkey</filename> files in
+ <option>directory</option> as the directory
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-s <replaceable class="parameter">start-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <option>start-time</option> is specified, the current
+ time is used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-e <replaceable class="parameter">end-time</replaceable></term>
+ <listitem>
+ <para>
+ Specify the date and time when the generated SIG records
+ expire. As with <option>start-time</option>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no <option>end-time</option> is
+ specified, 30 days from the start time is used as a default.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-f <replaceable class="parameter">output-file</replaceable></term>
+ <listitem>
+ <para>
+ The name of the output file containing the signed zone. The
+ default is to append <filename>.signed</filename> to the
+ input file.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-h</term>
+ <listitem>
+ <para>
+ Prints a short summary of the options and arguments to
+ <command>dnssec-signzone</command>.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-i <replaceable class="parameter">interval</replaceable></term>
+ <listitem>
+ <para>
+ When a previously signed zone is passed as input, records
+ may be resigned. The <option>interval</option> option
+ specifies the cycle interval as an offset from the current
+ time (in seconds). If a SIG record expires after the
+ cycle interval, it is retained. Otherwise, it is considered
+ to be expiring soon, and it will be replaced.
+ </para>
+ <para>
+ The default cycle interval is one quarter of the difference
+ between the signature end and start times. So if neither
+ <option>end-time</option> or <option>start-time</option>
+ are specified, <command>dnssec-signzone</command> generates
+ signatures that are valid for 30 days, with a cycle
+ interval of 7.5 days. Therefore, if any existing SIG records
+ are due to expire in less than 7.5 days, they would be
+ replaced.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-n <replaceable class="parameter">ncpus</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the number of threads to use. By default, one
+ thread is started for each detected CPU.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-o <replaceable class="parameter">origin</replaceable></term>
+ <listitem>
+ <para>
+ The zone origin. If not specified, the name of the zone file
+ is assumed to be the origin.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-p</term>
+ <listitem>
+ <para>
+ Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-r <replaceable class="parameter">randomdev</replaceable></term>
+ <listitem>
+ <para>
+ Specifies the source of randomness. If the operating
+ system does not provide a <filename>/dev/random</filename>
+ or equivalent device, the default source of randomness
+ is keyboard input. <filename>randomdev</filename> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <filename>keyboard</filename> indicates that keyboard
+ input should be used.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-t</term>
+ <listitem>
+ <para>
+ Print statistics at completion.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>-v <replaceable class="parameter">level</replaceable></term>
+ <listitem>
+ <para>
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>zonefile</term>
+ <listitem>
+ <para>
+ The file containing the zone to be signed.
+ Sets the debugging level.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term>key</term>
+ <listitem>
+ <para>
+ The keys used to sign the zone. If no keys are specified, the
+ default all zone keys that have private key files in the
+ current directory.
+ </para>
+ </listitem>
+ </varlistentry>
+
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
+ <title>EXAMPLE</title>
+ <para>
+ The following command signs the <userinput>example.com</userinput>
+ zone with the DSA key generated in the <command>dnssec-keygen</command>
+ man page. The zone's keys must be in the zone. If there are
+ <filename>signedkey</filename> files associated with this zone
+ or any child zones, they must be in the current directory.
+ <userinput>example.com</userinput>, the following command would be
+ issued:
+ </para>
+ <para>
+ <userinput>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</userinput>
+ </para>
+ <para>
+ The command would print a string of the form:
+ </para>
+ <para>
+ In this example, <command>dnssec-signzone</command> creates
+ the file <filename>db.example.com.signed</filename>. This file
+ should be referenced in a zone statement in a
+ <filename>named.conf</filename> file.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>SEE ALSO</title>
+ <para>
+ <citerefentry>
+ <refentrytitle>dnssec-keygen</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citerefentry>
+ <refentrytitle>dnssec-signkey</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </citerefentry>,
+ <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
+ <citetitle>RFC 2535</citetitle>.
+ </para>
+ </refsect1>
+
+ <refsect1>
+ <title>AUTHOR</title>
+ <para>
+ <corpauthor>Internet Software Consortium</corpauthor>
+ </para>
+ </refsect1>
+
+</refentry>
+
+<!--
+ - Local variables:
+ - mode: sgml
+ - End:
+-->
--- /dev/null
+<!--
+ - Copyright (C) 2000, 2001 Internet Software Consortium.
+ -
+ - Permission to use, copy, modify, and distribute this software for any
+ - purpose with or without fee is hereby granted, provided that the above
+ - copyright notice and this permission notice appear in all copies.
+ -
+ - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
+ - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
+ - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
+ - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
+ - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
+ - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
+ - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
+ - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+-->
+<HTML
+><HEAD
+><TITLE
+>dnssec-signzone</TITLE
+><META
+NAME="GENERATOR"
+CONTENT="Modular DocBook HTML Stylesheet Version 1.61
+"></HEAD
+><BODY
+CLASS="REFENTRY"
+BGCOLOR="#FFFFFF"
+TEXT="#000000"
+LINK="#0000FF"
+VLINK="#840084"
+ALINK="#0000FF"
+><H1
+><A
+NAME="AEN1"
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signzone</SPAN
+></A
+></H1
+><DIV
+CLASS="REFNAMEDIV"
+><A
+NAME="AEN9"
+></A
+><H2
+>Name</H2
+><SPAN
+CLASS="APPLICATION"
+>dnssec-signzone</SPAN
+> -- DNSSEC zone signing tool</DIV
+><DIV
+CLASS="REFSYNOPSISDIV"
+><A
+NAME="AEN13"
+></A
+><H2
+>Synopsis</H2
+><P
+><B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> [<TT
+CLASS="OPTION"
+>-a</TT
+>] [<TT
+CLASS="OPTION"
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-d <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-f <TT
+CLASS="REPLACEABLE"
+><I
+>output-file</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-h</TT
+>] [<TT
+CLASS="OPTION"
+>-i <TT
+CLASS="REPLACEABLE"
+><I
+>interval</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>nthreads</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-o <TT
+CLASS="REPLACEABLE"
+><I
+>origin</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-p</TT
+>] [<TT
+CLASS="OPTION"
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></TT
+>] [<TT
+CLASS="OPTION"
+>-t</TT
+>] [<TT
+CLASS="OPTION"
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></TT
+>] {zonefile} [key...]</P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN56"
+></A
+><H2
+>DESCRIPTION</H2
+><P
+> <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> signs a zone. It generates NXT
+ and SIG records and produces a signed version of the zone. If there
+ is a <TT
+CLASS="FILENAME"
+>signedkey</TT
+> file from the zone's parent,
+ the parent's signatures will be incorporated into the generated
+ signed zone file. The security status of delegations from the the
+ signed zone (that is, whether the child zones are secure or not) is
+ determined by the presence or absence of a
+ <TT
+CLASS="FILENAME"
+>signedkey</TT
+> file for each child zone.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN62"
+></A
+><H2
+>OPTIONS</H2
+><P
+></P
+><DIV
+CLASS="VARIABLELIST"
+><DL
+><DT
+>-a</DT
+><DD
+><P
+> Verify all generated signatures.
+ </P
+></DD
+><DT
+>-c <TT
+CLASS="REPLACEABLE"
+><I
+>class</I
+></TT
+></DT
+><DD
+><P
+> Specifies the DNS class of the zone.
+ </P
+></DD
+><DT
+>-d <TT
+CLASS="REPLACEABLE"
+><I
+>directory</I
+></TT
+></DT
+><DD
+><P
+> Look for <TT
+CLASS="FILENAME"
+>signedkey</TT
+> files in
+ <TT
+CLASS="OPTION"
+>directory</TT
+> as the directory
+ </P
+></DD
+><DT
+>-s <TT
+CLASS="REPLACEABLE"
+><I
+>start-time</I
+></TT
+></DT
+><DD
+><P
+> Specify the date and time when the generated SIG records
+ become valid. This can be either an absolute or relative
+ time. An absolute start time is indicated by a number
+ in YYYYMMDDHHMMSS notation; 20000530144500 denotes
+ 14:45:00 UTC on May 30th, 2000. A relative start time is
+ indicated by +N, which is N seconds from the current time.
+ If no <TT
+CLASS="OPTION"
+>start-time</TT
+> is specified, the current
+ time is used.
+ </P
+></DD
+><DT
+>-e <TT
+CLASS="REPLACEABLE"
+><I
+>end-time</I
+></TT
+></DT
+><DD
+><P
+> Specify the date and time when the generated SIG records
+ expire. As with <TT
+CLASS="OPTION"
+>start-time</TT
+>, an absolute
+ time is indicated in YYYYMMDDHHMMSS notation. A time relative
+ to the start time is indicated with +N, which is N seconds from
+ the start time. A time realtive to the current time is
+ indicated with now+N. If no <TT
+CLASS="OPTION"
+>end-time</TT
+> is
+ specified, 30 days from the start time is used as a default.
+ </P
+></DD
+><DT
+>-f <TT
+CLASS="REPLACEABLE"
+><I
+>output-file</I
+></TT
+></DT
+><DD
+><P
+> The name of the output file containing the signed zone. The
+ default is to append <TT
+CLASS="FILENAME"
+>.signed</TT
+> to the
+ input file.
+ </P
+></DD
+><DT
+>-h</DT
+><DD
+><P
+> Prints a short summary of the options and arguments to
+ <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+>.
+ </P
+></DD
+><DT
+>-i <TT
+CLASS="REPLACEABLE"
+><I
+>interval</I
+></TT
+></DT
+><DD
+><P
+> When a previously signed zone is passed as input, records
+ may be resigned. The <TT
+CLASS="OPTION"
+>interval</TT
+> option
+ specifies the cycle interval as an offset from the current
+ time (in seconds). If a SIG record expires after the
+ cycle interval, it is retained. Otherwise, it is considered
+ to be expiring soon, and it will be replaced.
+ </P
+><P
+> The default cycle interval is one quarter of the difference
+ between the signature end and start times. So if neither
+ <TT
+CLASS="OPTION"
+>end-time</TT
+> or <TT
+CLASS="OPTION"
+>start-time</TT
+>
+ are specified, <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> generates
+ signatures that are valid for 30 days, with a cycle
+ interval of 7.5 days. Therefore, if any existing SIG records
+ are due to expire in less than 7.5 days, they would be
+ replaced.
+ </P
+></DD
+><DT
+>-n <TT
+CLASS="REPLACEABLE"
+><I
+>ncpus</I
+></TT
+></DT
+><DD
+><P
+> Specifies the number of threads to use. By default, one
+ thread is started for each detected CPU.
+ </P
+></DD
+><DT
+>-o <TT
+CLASS="REPLACEABLE"
+><I
+>origin</I
+></TT
+></DT
+><DD
+><P
+> The zone origin. If not specified, the name of the zone file
+ is assumed to be the origin.
+ </P
+></DD
+><DT
+>-p</DT
+><DD
+><P
+> Use pseudo-random data when signing the zone. This is faster,
+ but less secure, than using real random data. This option
+ may be useful when signing large zones or when the entropy
+ source is limited.
+ </P
+></DD
+><DT
+>-r <TT
+CLASS="REPLACEABLE"
+><I
+>randomdev</I
+></TT
+></DT
+><DD
+><P
+> Specifies the source of randomness. If the operating
+ system does not provide a <TT
+CLASS="FILENAME"
+>/dev/random</TT
+>
+ or equivalent device, the default source of randomness
+ is keyboard input. <TT
+CLASS="FILENAME"
+>randomdev</TT
+> specifies
+ the name of a character device or file containing random
+ data to be used instead of the default. The special value
+ <TT
+CLASS="FILENAME"
+>keyboard</TT
+> indicates that keyboard
+ input should be used.
+ </P
+></DD
+><DT
+>-t</DT
+><DD
+><P
+> Print statistics at completion.
+ </P
+></DD
+><DT
+>-v <TT
+CLASS="REPLACEABLE"
+><I
+>level</I
+></TT
+></DT
+><DD
+><P
+> Sets the debugging level.
+ </P
+></DD
+><DT
+>zonefile</DT
+><DD
+><P
+> The file containing the zone to be signed.
+ Sets the debugging level.
+ </P
+></DD
+><DT
+>key</DT
+><DD
+><P
+> The keys used to sign the zone. If no keys are specified, the
+ default all zone keys that have private key files in the
+ current directory.
+ </P
+></DD
+></DL
+></DIV
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN154"
+></A
+><H2
+>EXAMPLE</H2
+><P
+> The following command signs the <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+>
+ zone with the DSA key generated in the <B
+CLASS="COMMAND"
+>dnssec-keygen</B
+>
+ man page. The zone's keys must be in the zone. If there are
+ <TT
+CLASS="FILENAME"
+>signedkey</TT
+> files associated with this zone
+ or any child zones, they must be in the current directory.
+ <TT
+CLASS="USERINPUT"
+><B
+>example.com</B
+></TT
+>, the following command would be
+ issued:
+ </P
+><P
+> <TT
+CLASS="USERINPUT"
+><B
+>dnssec-signzone -o example.com db.example.com Kexample.com.+003+26160</B
+></TT
+>
+ </P
+><P
+> The command would print a string of the form:
+ </P
+><P
+> In this example, <B
+CLASS="COMMAND"
+>dnssec-signzone</B
+> creates
+ the file <TT
+CLASS="FILENAME"
+>db.example.com.signed</TT
+>. This file
+ should be referenced in a zone statement in a
+ <TT
+CLASS="FILENAME"
+>named.conf</TT
+> file.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN168"
+></A
+><H2
+>SEE ALSO</H2
+><P
+> <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-keygen</SPAN
+>(8)</SPAN
+>,
+ <SPAN
+CLASS="CITEREFENTRY"
+><SPAN
+CLASS="REFENTRYTITLE"
+>dnssec-signkey</SPAN
+>(8)</SPAN
+>,
+ <I
+CLASS="CITETITLE"
+>BIND 9 Administrator Reference Manual</I
+>,
+ <I
+CLASS="CITETITLE"
+>RFC 2535</I
+>.
+ </P
+></DIV
+><DIV
+CLASS="REFSECT1"
+><A
+NAME="AEN179"
+></A
+><H2
+>AUTHOR</H2
+><P
+> Internet Software Consortium
+ </P
+></DIV
+></BODY
+></HTML
+>
\ No newline at end of file