DNSSEC-MAKEKEYSET(8)        System Manager's Manual       DNSSEC-MAKEKEYSET(8)

NAME
     dnssec-makekeyset - produce a set of DNSSEC keys

SYNOPSIS
     dnssec-makekeyset [-h] [-s start-time] [-e end-time] [-t TTL]
                       [-r randomdev] [-p] [-v level] keyfile ...

DESCRIPTION
     dnssec-makekeyset generates a key set from one or more keys created by
     dnssec-keygen(8).  It creates a file containing KEY and SIG records for
     some zone which can then be signed by the zone's parent if the parent
     zone is DNSSEC-aware.  keyfile should be a key identification string as
     reported by dnssec-keygen(8): i.e.  Knnnn.+aaa+iiiii where nnnn is the
     name of the key, aaa is the encryption algorithm and iiiii is the key
     identifier.  Multiple keyfile arguments can be supplied when there are
     several keys to be combined by dnssec-makekeyset into a key set.

     For any SIG records that are in the key set, the start time when the SIG
     records become valid is specified with the -s option.  start-time can
     either be an absolute or relative date.  An absolute start time is
     indicated by a number in YYYYMMDDHHMMSS notation: 20000530144500 denotes
     14:45:00 UTC on May 30th, 2000.  A relative start time is supplied when
     start-time is given as +N: N seconds from the current time.  If no -s
     option is supplied, the current date and time is used for the start time
     of the SIG records.

     The expiry date for the SIG records can be set by the -e option.  Note
     that in this context, the expiry date specifies when the SIG records are
     no longer valid, not when they are deleted from caches on name servers.
     end-date also represents an absolute or relative date.  YYYYMMDDHHMMSS
     notation is used as before to indicate an absolute date and time.  When
     end-date is +N, it indicates that the SIG records will expire N seconds
     after their start date.  If end-date is written as now+N, the SIG records
     will expire N seconds after the current time.  When no expiry date is
     set for the SIG records, dnssec-makekeyset defaults to an expiry time of
     30 days from the start time of the SIG records.
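     The following Python helper is an added example and not part of BIND;
     it resolves the -s and -e arguments into an absolute SIG validity window
     using the rules above (absolute YYYYMMDDHHMMSS, +N relative to now for
     -s, +N relative to the start time and now+N relative to the current time
     for -e, and the 30-day default).  All function and constant names are
     the example's own.

```python
from datetime import datetime, timedelta, timezone

# Added example (not BIND code): resolve dnssec-makekeyset -s/-e arguments.
FMT = "%Y%m%d%H%M%S"                 # the YYYYMMDDHHMMSS notation of -s and -e
DEFAULT_EXPIRY = timedelta(days=30)  # used when -e is omitted

def _absolute(text):
    """Parse a 14-digit YYYYMMDDHHMMSS timestamp as UTC."""
    if len(text) != 14 or not text.isdigit():
        raise ValueError("expected YYYYMMDDHHMMSS or +N, got %r" % (text,))
    return datetime.strptime(text, FMT).replace(tzinfo=timezone.utc)

def _seconds(text, prefix):
    """Return the N of '<prefix>N' as a timedelta; N must be a whole number."""
    n = text[len(prefix):]
    if not n.isdigit():
        raise ValueError("expected %sN with integer N, got %r" % (prefix, text))
    return timedelta(seconds=int(n))

def resolve_start(arg, now):
    """-s: absolute time, +N seconds after now, or now itself when omitted."""
    if arg is None:
        return now
    if arg.startswith("+"):
        return now + _seconds(arg, "+")
    return _absolute(arg)

def resolve_end(arg, start, now):
    """-e: absolute time, +N seconds after the start time, now+N seconds
    after the current time, or start + 30 days when omitted."""
    if arg is None:
        return start + DEFAULT_EXPIRY
    if arg.startswith("now+"):
        return now + _seconds(arg, "now+")
    if arg.startswith("+"):
        return start + _seconds(arg, "+")
    return _absolute(arg)

def sig_window(start_arg=None, end_arg=None, now=None):
    """Return (inception, expiration) as YYYYMMDDHHMMSS strings.  now may be
    given as a YYYYMMDDHHMMSS string so that results are reproducible."""
    now_dt = _absolute(now) if now else datetime.now(timezone.utc)
    start = resolve_start(start_arg, now_dt)
    end = resolve_end(end_arg, start, now_dt)
    if end <= start:  # a SIG whose expiry precedes its inception is never valid
        raise ValueError("expiry %s is not after inception %s"
                         % (end.strftime(FMT), start.strftime(FMT)))
    return start.strftime(FMT), end.strftime(FMT)
```

     With the arguments from the EXAMPLE section below, sig_window("20000701120000",
     "+2592000") yields noon UTC on July 1st 2000 and the same time on July 31st.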

     An alternate source of random data can be specified with the -r option.
     randomdev is the name of the file to use to obtain random data.  By
     default /dev/random is used if this device is available.  If it is not
     provided by the operating system and no -r option is used,
     dnssec-makekeyset will prompt the user for input from the keyboard and
     use the time between keystrokes to derive some random data.

     The -p option instructs dnssec-makekeyset to use pseudo-random data when
     self-signing the keyset.  This is faster, but less secure, than using
     genuinely random data for signing.  This option may be useful when the
     entropy source is limited.

     The -t option is followed by a time-to-live argument TTL which indicates
     the TTL value that will be assigned to the assembled KEY and SIG records
     in the output file.  TTL is expressed in seconds.  If no -t option is
     provided, dnssec-makekeyset prints a warning and uses a default TTL of
     3600 seconds.

     The -v option can be used to make dnssec-makekeyset more verbose.  As the
     debugging/tracing level level increases, dnssec-makekeyset generates
     increasingly detailed reports about what it is doing.  The default level
     is zero.

     The -h option makes dnssec-makekeyset print a short summary of its
     options and arguments.

     If dnssec-makekeyset is successful, it creates a file name of the form
     keyset-nnnn..  This file contains the KEY and SIG records for domain
     nnnn, the domain name part from the key file identifier produced when
     dnssec-keygen created the domain's public and private keys.  The keyset
     file can then be transferred to the DNS administrator of the parent zone
     for them to sign the contents with dnssec-signkey(8).

EXAMPLE
     The following command generates a key set for the DSA key for example.com
     that was shown in the dnssec-keygen(8) man page.  The backslash is for
     typographic reasons and would not be provided on the command line when
     running dnssec-makekeyset.
           # dnssec-makekeyset -t 86400 -s 20000701120000 \
           -e +2592000 Kexample.com.+003+26160

     dnssec-makekeyset will create a file called keyset-example.com.
     containing a SIG and KEY record for example.com.  These records will have
     a TTL of 86400 seconds (1 day).  The SIG record becomes valid at noon UTC
     on July 1st 2000 and expires 30 days (2592000 seconds) later.

     The DNS administrator for example.com could then send keyset-example.com.
     to the DNS administrator for .com so that they could sign the resource
     records in the file.  This assumes that the .com zone is DNSSEC-aware and
     the administrators of the two zones have some mechanism for
     authenticating each other and exchanging the keys and signatures securely.

FILES
     /dev/random.

SEE ALSO
     RFC2535, dnssec-keygen(8), dnssec-signkey(8).

BIND9 9                          Jun 30, 2000                          BIND9 9