dnssec-makekeyset.1 (2010 09)

dnssec-makekeyset(1)                                      dnssec-makekeyset(1)

NAME
       dnssec-makekeyset - used to produce a set of DNSSEC keys

SYNOPSIS
       dnssec-makekeyset [-a] [-h help] [-s start-time] [-e end-time] [-t TTL]
              [-r randomdev] [-p] [-v level] keyfile...

DESCRIPTION
       dnssec-makekeyset generates a key set from one or more keys created by
       dnssec-keygen.  It creates a file containing KEY and SIG records for
       some zone which can then be signed by the zone's parent if the parent
       zone is DNSSEC-aware.

       keyfile should be a key identification string as reported by
       dnssec-keygen, such as Knnnn.+aaa+iiiii, where nnnn is the name of the
       key, aaa is the encryption algorithm and iiiii is the key identifier.
       Multiple keyfile arguments can be supplied when there are several keys
       to be combined by dnssec-makekeyset into a key set.
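As an added illustration, not part of this manual page or of the dnssec-makekeyset program, the following Python code parses keyfile arguments of the Knnnn.+aaa+iiiii form into their three components and rejects anything that does not match. The zero-padded digit widths (three for aaa, five for iiiii), the tolerated .key/.private suffixes, the requirement that all keys in one set carry the same name, and the sample arguments are assumptions of the example, not documented behaviour of the tool.

```python
import re

# Key identification string as reported by dnssec-keygen: Knnnn.+aaa+iiiii
# (nnnn = key name, aaa = algorithm number, iiiii = key identifier).
# The fixed digit widths (3 for the algorithm, 5 for the key id) are an
# assumption made for this example.
_KEYFILE_RE = re.compile(r"^K(?P<name>[^+]+)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})$")


def parse_keyfile(keyfile):
    """Split a keyfile argument into (name, algorithm, key id).

    A trailing ".key" or ".private" suffix is tolerated (assumption) so that
    a file name can be passed as well as the bare identification string.
    Raises ValueError for anything that does not match the expected form.
    """
    base = keyfile
    for suffix in (".key", ".private"):
        if base.endswith(suffix):
            base = base[: -len(suffix)]
            break
    m = _KEYFILE_RE.match(base)
    if m is None:
        raise ValueError("not a dnssec-keygen key identification string: %r" % keyfile)
    return m.group("name"), int(m.group("alg")), int(m.group("keyid"))


def check_keyset_args(keyfiles):
    """Validate a list of keyfile arguments destined for one key set.

    Returns the parsed tuples.  Rejecting an empty list and keys whose names
    differ is a sanity check added for this example (one key set describes
    one zone); the manual page does not describe how the tool handles it.
    """
    if not keyfiles:
        raise ValueError("at least one keyfile argument is required")
    parsed = [parse_keyfile(k) for k in keyfiles]
    names = {name for name, _, _ in parsed}
    if len(names) != 1:
        raise ValueError("keys belong to different names: %s" % sorted(names))
    return parsed


if __name__ == "__main__":
    # Constructed sample arguments (not real keys).
    sample = ["Kexample.com.+005+12345", "Kexample.com.+005+54321.key"]
    for name, alg, keyid in check_keyset_args(sample):
        print(name, alg, keyid)
```

The trailing dot in the parsed name is kept deliberately, since the identification string carries the fully qualified key name.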
Options
       -a     This option is used to verify all generated signatures.

       -e end-time
              The expiration date for the SIG records can be set by the -e
              option.  Note that in this context, the expiration date
              specifies when the SIG records are no longer valid, not when
              they are deleted from caches on name servers.

              end-time represents either an absolute or relative date.  The
              YYYYMMDDHHMMSS notation is used to indicate an absolute date and
              time.  When end-time is +N, it indicates that the SIG records
              will expire in N seconds after their start date.  If end-time is
              written as now+N, the SIG records will expire in N seconds after
              the current time.

              When no expiration date is set for the SIG records,
              dnssec-makekeyset defaults to an expire time of 30 days from
              the start time of the SIG records.

       -h help
              This option is used to display a short summary of the options
              provided with dnssec-makekeyset.

       -p     This option is used to instruct dnssec-makekeyset to use
              pseudo-random data when self-signing the keyset.  This is
              faster, but less secure, than using genuinely random data for
              signing.  This option may be useful when the entropy source is
              limited.

       -r randomdev
              An alternate source of random data can be specified with the -r
              option.  randomdev is the name of the file to use to obtain
              random data.  By default, /dev/random is used if this device is
              available.  If this file is not provided by the operating
              system and no -r option is used, dnssec-makekeyset will prompt
              the user for input from the keyboard and use the time between
              keystrokes to derive some random data.

       -s start-time
              For any SIG records that are in the key set, the start time
              when the SIG records become valid is specified with the -s
              option.  start-time can either be an absolute or relative
              date.

              An absolute start time is indicated by a number in
              YYYYMMDDHHMMSS notation; for example, 20000530144500 denotes
              14:45:00 UTC on May 30th, 2000.

              A relative start time is supplied when start-time is given as
              +N specifying N seconds from the current time.

              If no -s option is supplied, the current date and time is used
              for the start time of the SIG records.
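The -s and -e time syntax described above (absolute YYYYMMDDHHMMSS, +N counted from the start time for -e and from the current time for -s, now+N counted from the current time, and the 30-day default expiration when -e is absent) worked through as a small Python resolver. This is an added example, not code from this manual page or from the dnssec-makekeyset program; the function names and the check that the expiration lies after the inception are assumptions of the example, and the manual page does not say how the tool itself handles an expiration that precedes the start.

```python
from datetime import datetime, timedelta, timezone

# Manual page: with no -e option the SIG records expire 30 days after their
# start time.
DEFAULT_EXPIRE = timedelta(days=30)


def parse_absolute(spec):
    """Parse YYYYMMDDHHMMSS as a UTC timestamp, e.g. 20000530144500."""
    if len(spec) != 14 or not spec.isdigit():
        raise ValueError("absolute time must be 14 digits YYYYMMDDHHMMSS: %r" % spec)
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def resolve_start(spec, now):
    """-s start-time: absolute YYYYMMDDHHMMSS, +N seconds from now,
    or None meaning the current date and time."""
    if spec is None:
        return now
    if spec.startswith("+"):
        return now + timedelta(seconds=int(spec[1:]))
    return parse_absolute(spec)


def resolve_end(spec, start, now):
    """-e end-time: absolute YYYYMMDDHHMMSS, +N seconds after the start time,
    now+N seconds after the current time, or None meaning start + 30 days."""
    if spec is None:
        return start + DEFAULT_EXPIRE
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        return start + timedelta(seconds=int(spec[1:]))
    return parse_absolute(spec)


def sig_validity(start_spec, end_spec, now=None):
    """Return (inception, expiration) as UTC datetimes for given -s/-e values.

    The requirement that expiration fall after inception is a sanity check
    added for this example (assumption); a SIG whose expiration precedes its
    inception can never validate.
    """
    if now is None:
        now = datetime.now(timezone.utc).replace(microsecond=0)
    start = resolve_start(start_spec, now)
    end = resolve_end(end_spec, start, now)
    if end <= start:
        raise ValueError("SIG expiration %s is not after inception %s" % (end, start))
    return start, end


if __name__ == "__main__":
    # The manual page's own example: 20000530144500 is 14:45:00 UTC, 30 May 2000.
    for s, e in [(None, None), ("20000530144500", "+3600"), ("+60", "now+120")]:
        start, end = sig_validity(s, e)
        print("-s %-16s -e %-10s -> %s .. %s" % (s, e, start.isoformat(), end.isoformat()))
```

Passing a fixed `now` to `sig_validity` makes the resolution reproducible, which is useful when checking a planned signing window before running the tool.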
       -t TTL The -t option is followed by a time-to-live argument TTL which
              indicates the TTL value that will be assigned to the assembled
              KEY and SIG records in the output file.  TTL is expressed in
              seconds.  If no -t option is provided, dnssec-makekeyset prints
              a warning and uses a default TTL of 3600 seconds.

       -v level
              This option can be used to make dnssec-makekeyset more verbose.
              As the debugging/tracing level level increases,
              dnssec-makekeyset generates increasingly detailed reports about
              what it is doing.  The default level is zero.

HP-UX 11i Version 3: September 2010                  Hewlett-Packard Company