HP-UX Reference (11i v1 05/09) - 1 User Commands A-M (vol 1)

dnssec-makekeyset(1) dnssec-makekeyset(1)
NAME
dnssec-makekeyset - used to produce a set of DNSSEC keys
SYNOPSIS
dnssec-makekeyset [-h help] [-s start-time] [-e end-time] [-t TTL] [-r randomdev] [-p] [-v level] keyfile...
DESCRIPTION
dnssec-makekeyset generates a key set from one or more keys created by dnssec-keygen. It creates a file containing KEY and SIG records for some zone, which can then be signed by the zone's parent if the parent zone is DNSSEC-aware.
keyfile should be a key identification string as reported by dnssec-keygen, such as Knnnn.+aaa+iiiii, where nnnn is the name of the key, aaa is the encryption algorithm and iiiii is the key identifier. Multiple keyfile arguments can be supplied when there are several keys to be combined by dnssec-makekeyset into a key set.
Options
-e end-time The expiration date for the SIG records can be set by the -e option. Note that in this context, the expiration date specifies when the SIG records are no longer valid, not when they are deleted from caches on name servers.
end-time can represent an absolute or relative date. The YYYYMMDDHHMMSS notation is used to indicate an absolute date and time. When end-time is +N, it indicates that the SIG records will expire N seconds after their start date. If end-time is written as now+N, the SIG records will expire N seconds after the current time.
When no expiration date is set for the SIG records, dnssec-makekeyset defaults to an expire time of 30 days from the start time of the SIG records.
-h help This option is used to display a short summary of the options provided with dnssec-makekeyset.
-p This option is used to instruct dnssec-makekeyset to use pseudo-random data when self-signing the keyset. This is faster, but less secure, than using genuinely random data for signing. This option may be useful when the entropy source is limited.
-r randomdev An alternate source of random data can be specified with the -r option. randomdev is the name of the file to use to obtain random data. By default, /dev/random is used if this device is available. If this file is not provided by the operating system and no -r option is used, dnssec-makekeyset will prompt the user for input from the keyboard and use the time between keystrokes to derive some random data.
-s start-time For any SIG records that are in the key set, the start time when the SIG records become valid is specified with the -s option. start-time can either be an absolute or relative date.
An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is supplied when start-time is given as +N, specifying N seconds from the current time.
If no -s option is supplied, the current date and time is used for the start time of the SIG records.
-t TTL The -t option is followed by a time-to-live argument TTL which indicates the TTL value that will be assigned to the assembled KEY and SIG records in the output file. TTL is expressed in seconds. If no -t option is provided, dnssec-makekeyset prints a warning and uses a default TTL of 3600 seconds.
-v level This option can be used to make dnssec-makekeyset more verbose. As the debugging/tracing level level increases, dnssec-makekeyset generates increasingly detailed reports about what it is doing. The default level is zero.
If dnssec-makekeyset is successful, it creates a file name of the form nnnn.keyset. This file contains the KEY and SIG records for domain nnnn, the domain name part from the key file identifier
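The key identifier format (Knnnn.+aaa+iiiii), the -s/-e time notation and the 30-day default described above, worked through as an added Python example; this is not code from the HP-UX or BIND distribution, and the key identifier and timestamps used in it are constructed sample values.

```python
import re
from datetime import datetime, timedelta, timezone

# Key identification string as reported by dnssec-keygen: Knnnn.+aaa+iiiii
KEYFILE_RE = re.compile(r"^K(?P<name>.+?)\+(?P<alg>\d{3})\+(?P<id>\d{5})$")

def parse_keyfile(keyfile):
    """Split Knnnn.+aaa+iiiii into (zone name, algorithm number, key id)."""
    m = KEYFILE_RE.match(keyfile)
    if not m:
        raise ValueError(f"not a key identification string: {keyfile}")
    return m.group("name"), int(m.group("alg")), int(m.group("id"))

def keyset_filename(keyfile):
    """Output file name nnnn.keyset derived from the key identifier."""
    name, _, _ = parse_keyfile(keyfile)
    return name.rstrip(".") + ".keyset"

def parse_time(spec, now, start=None):
    """Resolve a -s or -e argument as the man page defines it:
    YYYYMMDDHHMMSS  absolute UTC date and time
    +N              N seconds after `start` (for -e) or after `now` (for -s)
    now+N           N seconds after the current time
    """
    if re.fullmatch(r"\d{14}", spec):
        return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    m = re.fullmatch(r"(now)?\+(\d+)", spec)
    if not m:
        raise ValueError(f"bad time specification: {spec}")
    base = start if (start is not None and m.group(1) is None) else now
    return base + timedelta(seconds=int(m.group(2)))

def sig_validity(start_spec=None, end_spec=None, now=None):
    """Return (inception, expiration) for the SIG records, applying the
    documented defaults: start = current time, end = start + 30 days."""
    if now is None:
        now = datetime.now(timezone.utc)
    inception = parse_time(start_spec, now) if start_spec else now
    if end_spec:
        expiration = parse_time(end_spec, now, start=inception)
    else:
        expiration = inception + timedelta(days=30)
    if expiration <= inception:
        raise ValueError("SIG expiration must be after its start time")
    return inception, expiration
```

Checking the computed window before running the real tool catches the common mistake of an -e value that lands before the -s value, which would produce SIG records that are never valid.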
HP-UX 11i Version 1: September 2005 1 Hewlett-Packard Company Section 1187