dnssec-makekeyset.1 (2010 09)
dnssec-makekeyset(1) dnssec-makekeyset(1)
If dnssec-makekeyset is successful, it creates a file with a name of the form nnnn.keyset. This file contains the KEY and SIG records for domain nnnn, where nnnn is the domain name part of the key file identifier produced when dnssec-keygen created the domain's public and private keys. The .keyset file can then be transferred to the DNS administrator of the parent zone for them to sign its contents with dnssec-signkey.
EXAMPLE
The following command generates a key set for the DSA key for example.com that was shown in the dnssec-keygen man page. (Note that the backslash is simply a line continuation character and not part of the dnssec-makekeyset command syntax.)
dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 \
Kexample.com.+003+26160
dnssec-makekeyset will create a file called example.com.keyset containing a SIG and KEY record for example.com. These records will have a TTL of 86400 seconds (1 day). The SIG record becomes valid at noon UTC on July 1st 2000 and expires 30 days (2592000 seconds) later.
The DNS administrator for example.com could then send example.com.keyset to the DNS administrator for .com so that they could sign the resource records in the file. This assumes that the .com zone is DNSSEC-aware and that the administrators of the two zones have some mechanism for authenticating each other and exchanging the keys and signatures securely.
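The following script is an added illustration, not part of this man page or of BIND: it parses a dnssec-makekeyset command line like the one above (-t, -s, -e and a key file identifier of the form K<name>.+<alg>+<keytag>) and reports the output file name, TTL and SIG validity window, so an operator can confirm the window before handing the keyset to the parent zone. It assumes that a +seconds value for -e counts from the start time (as the example text describes), that a +seconds value for -s counts from the current time, and default values (1-hour TTL, start now, 30-day validity) that this page does not state.

```python
"""Parse a dnssec-makekeyset invocation and report what it would produce."""
import re
from datetime import datetime, timedelta, timezone

# Key-file identifier written by dnssec-keygen: K<name>.+<alg>+<keytag>
KEY_ID_RE = re.compile(r"^K(?P<name>.+?)\.?\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")
# Assumed defaults (not stated on this page): 1-hour TTL, start now, 30 days
DEFAULTS = {"-t": "3600", "-s": "+0", "-e": "+2592000"}


def parse_key_id(key_id):
    """Split 'Kexample.com.+003+26160' into ('example.com', 3, 26160)."""
    m = KEY_ID_RE.match(key_id)
    if not m:
        raise ValueError("not a dnssec-keygen key identifier: %r" % key_id)
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def parse_time(value, base):
    """Absolute YYYYMMDDHHMMSS in UTC, or +/-seconds relative to base."""
    if value[0] in "+-":
        return base + timedelta(seconds=int(value))
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def keyset_plan(argv, now=None):
    """Return output file, TTL, (alg, tag) list and SIG validity window."""
    now = now or datetime.now(timezone.utc)
    opts, key_ids, args = dict(DEFAULTS), [], list(argv)
    while args:
        arg = args.pop(0)
        if arg in opts:
            if not args:
                raise ValueError("missing value for " + arg)
            opts[arg] = args.pop(0)          # each option takes one value
        else:
            key_ids.append(parse_key_id(arg))
    names = {name for name, _, _ in key_ids}
    if len(names) != 1:                      # one keyset file per domain
        raise ValueError("expected keys for exactly one domain, got %r" % names)
    name = names.pop()
    start = parse_time(opts["-s"], now)      # assumed: +offset from now
    end = parse_time(opts["-e"], start)      # assumed: +offset from start
    if end <= start:
        raise ValueError("SIG would expire before it becomes valid")
    return {"file": name + ".keyset", "ttl": int(opts["-t"]),
            "keys": [(alg, tag) for _, alg, tag in key_ids],
            "inception": start, "expiration": end}
```

Running keyset_plan on the argument list from the example above yields example.com.keyset, a TTL of 86400 and a window from 2000-07-01 12:00 UTC to 30 days later.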
FILES
/dev/random
SEE ALSO
dnssec-keygen(1), dnssec-signkey(1), dnssec-signzone(1), RFC2535.
Hewlett-Packard Company − 2 − HP-UX 11i Version 3: September 2010