.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. highlight:: console

.. iscman:: dnssec-ksr
.. program:: dnssec-ksr
.. _man_dnssec-ksr:

dnssec-ksr - Create signed key response (SKR) files for offline KSK setups
--------------------------------------------------------------------------

Synopsis
~~~~~~~~

:program:`dnssec-ksr` [**-E** engine] [**-e** date/offset] [**-F**] [**-f** file] [**-h**] [**-i** date/offset] [**-K** directory] [**-k** policy] [**-l** file] [**-o**] [**-V**] [**-v** level] {command} {zone}

Description
~~~~~~~~~~~

:program:`dnssec-ksr` issues the commands needed to generate presigned RRsets
for a zone whose Key Signing Key (KSK) private key file is typically kept
offline. This requires the Zone Signing Keys (ZSKs) to be pregenerated, and the
DNSKEY, CDNSKEY, and CDS RRsets to be signed in advance.

The latter is done by creating Key Signing Requests (KSRs) that can be imported
into the environment where the KSK is available. Once there, this program can
create Signed Key Responses (SKRs) that can be loaded by an authoritative DNS
server.

Options
~~~~~~~

.. option:: -E engine

   This option specifies the cryptographic hardware to use, when applicable.

   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
   engine identifier that drives the cryptographic accelerator or
   hardware service module (usually ``pkcs11``).

.. option:: -e date/offset

   This option sets the end date for which keys or SKRs need to be generated
   (depending on the command).

.. option:: -F

   This option turns on FIPS (US Federal Information Processing Standards)
   mode if the underlying cryptographic library supports running in FIPS
   mode.

.. option:: -f file

   This option sets the KSR file to be signed when issuing a ``sign`` command.

.. option:: -h

   This option prints a short summary of the options and arguments to
   :program:`dnssec-ksr`.

.. option:: -i date/offset

   This option sets the start date for which keys or SKRs need to be generated
   (depending on the command).

.. option:: -K directory

   This option sets the directory in which the key files are to be read or
   written (depending on the command).

.. option:: -k policy

   This option sets the specific ``dnssec-policy`` for which keys are to be
   generated or signed.

.. option:: -l file

   This option provides a configuration file that contains a ``dnssec-policy``
   statement (matching the policy set with :option:`-k`).

.. option:: -o

   Normally, pregenerating keys creates ZSKs. When this option is set, KSKs
   are created instead.

.. option:: -V

   This option prints version information.

.. option:: -v level

   This option sets the debugging level. Level 1 is intended to be usefully
   verbose for general users; higher levels are intended for developers.

``command``

   The KSR command to be executed. See below for the available commands.

``zone``

   The name of the zone for which the KSR command is being executed.

Commands
~~~~~~~~

.. option:: keygen

   Pregenerate a number of keys, given a DNSSEC policy and an interval. The
   number of generated keys depends on the interval and the key lifetime.

.. option:: request

   Create a Key Signing Request (KSR), given a DNSSEC policy and an interval.
   This generates a file with a number of key bundles, where each bundle
   contains the ZSKs that are published at that time (according to the
   timing metadata).

.. option:: sign

   Sign a Key Signing Request (KSR), given a DNSSEC policy and an interval,
   creating a Signed Key Response (SKR). This adds the corresponding DNSKEY,
   CDS, and CDNSKEY records for the KSK that is being used for signing.

Exit Status
~~~~~~~~~~~

The :program:`dnssec-ksr` command exits 0 on success, or non-zero if an error
occurred.

Examples
~~~~~~~~

When you need to generate ZSKs for the zone "example.com" for the next year,
given a ``dnssec-policy`` named "mypolicy":

::

   dnssec-ksr -i now -e +1y -k mypolicy -l named.conf keygen example.com

Creating a KSR for the same zone and period can be done with:

::

   dnssec-ksr -i now -e +1y -k mypolicy -l named.conf request example.com > ksr.txt

Typically you would now transfer the KSR to the system that has access to
the KSK.

Signing the KSR created above can be done with:

::

   dnssec-ksr -i now -e +1y -k kskpolicy -l named.conf -f ksr.txt sign example.com

Make sure that the DNSSEC parameters in ``kskpolicy`` match those
in ``mypolicy``.

See Also
~~~~~~~~

:iscman:`dnssec-keygen(8) <dnssec-keygen>`,
:iscman:`dnssec-signzone(8) <dnssec-signzone>`,
BIND 9 Administrator Reference Manual.
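The following script is an added example and is not part of the dnssec-ksr manual or of BIND 9 itself. It strings together the keygen, request, transfer and sign steps from the Examples section and adds the checks an operator wants around the air gap: the KSR must be non-empty and carry DNSKEY records before it leaves the online host, and its checksum must match when it arrives on the host that holds the KSK, so a file altered in transit is never signed. The zone, policy and file names (example.com, mypolicy, kskpolicy, named.conf, ksr.txt) come from the page; the skr.txt output file, the DNSSEC_KSR override variable, the assumption that ``sign`` prints the SKR to stdout the way ``request`` does, and the assumption that KSR/SKR files are in DNS presentation format (comment lines start with ``;``, one RR per line) are this script's own.

```shell
#!/bin/sh
# Added example; not part of the dnssec-ksr manual or of BIND 9 itself.
# Wraps the keygen -> request -> transfer -> sign workflow and adds integrity
# checks around the transfer of the KSR to the offline KSK host.
#
# Assumptions (not from the page): the SKR is written to stdout like the KSR
# and is redirected to skr.txt; KSR/SKR files are in DNS presentation format
# (comment lines start with ';', one RR per line); DNSSEC_KSR is this
# script's own variable for overriding the binary path.
set -u

DNSSEC_KSR="${DNSSEC_KSR:-dnssec-ksr}"
CONF="named.conf"

# Checksum of a file as "<crc>:<bytes>" using POSIX cksum. Record this on the
# online host and carry it to the KSK host separately from the KSR itself.
ksr_fingerprint() {   # $1 = file
    cksum < "$1" | awk '{ print $1 ":" $2 }'
}

# Compare a recorded fingerprint with the file received on the offline host.
verify_transfer() {   # $1 = expected fingerprint, $2 = received file
    [ "$(ksr_fingerprint "$2")" = "$1" ]
}

# A KSR/SKR is plausible if it is non-empty and carries at least one record
# of the given type (DNSKEY for a KSR; RRSIG, CDS or CDNSKEY for an SKR).
check_records() {     # $1 = file, $2 = RR type
    [ -s "$1" ] || return 1
    grep -v '^;' "$1" | grep -q "[[:space:]]IN[[:space:]]$2[[:space:]]"
}

# Online host: pregenerate ZSKs and build the KSR for the coming year.
# Prints the KSR fingerprint on success.
online_generate_ksr() {   # $1 = zone, $2 = ZSK policy, $3 = KSR output file
    "$DNSSEC_KSR" -i now -e +1y -k "$2" -l "$CONF" keygen "$1" || return 1
    "$DNSSEC_KSR" -i now -e +1y -k "$2" -l "$CONF" request "$1" > "$3" || return 1
    if ! check_records "$3" DNSKEY; then
        echo "KSR $3 has no DNSKEY records; not releasing it" >&2
        return 1
    fi
    ksr_fingerprint "$3"
}

# Offline host: refuse to sign a KSR whose checksum does not match the
# recorded fingerprint, then sign with the KSK policy and confirm that the
# resulting SKR actually carries signatures.
offline_sign_ksr() {  # $1 = zone, $2 = KSK policy, $3 = KSR, $4 = fingerprint, $5 = SKR output
    if ! verify_transfer "$4" "$3"; then
        echo "KSR $3 does not match the recorded fingerprint; refusing to sign" >&2
        return 1
    fi
    "$DNSSEC_KSR" -i now -e +1y -k "$2" -l "$CONF" -f "$3" sign "$1" > "$5" || return 1
    check_records "$5" RRSIG
}

# Stand-alone run (both halves on one machine, for illustration only):
#   sh ksr-workflow.sh run
if [ "${1:-}" = "run" ] && command -v "$DNSSEC_KSR" >/dev/null 2>&1; then
    fp=$(online_generate_ksr example.com mypolicy ksr.txt) || exit 1
    echo "KSR fingerprint: $fp"
    offline_sign_ksr example.com kskpolicy ksr.txt "$fp" skr.txt || exit 1
    echo "SKR written to skr.txt"
fi
```

In practice the two halves run on different machines: ``online_generate_ksr`` on the host that holds the ZSKs, ``offline_sign_ksr`` on the host that holds the KSK, with the fingerprint moved by a channel other than the one carrying the KSR file.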