HP-UX Reference (11i v2 07/12) - 1 User Commands A-M (vol 1)

dnssec-makekeyset(1)

If dnssec-makekeyset is successful, it creates a file name of the form nnnn.keyset. This file contains the KEY and SIG records for domain nnnn, the domain name part from the key file identifier produced when dnssec-keygen created the domain's public and private keys. The .keyset file can then be transferred to the DNS administrator of the parent zone for them to sign the contents with dnssec-signkey.
EXAMPLE
The following command generates a key set for the DSA key for example.com that was shown in the dnssec-keygen man page. (Note that the backslash is simply a line continuation character and not part of the dnssec-makekeyset command syntax.)
dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 \
Kexample.com.+003+26160
dnssec-makekeyset will create a file called example.com.keyset containing a SIG and KEY record for example.com. These records will have a TTL of 86400 seconds (1 day). The SIG record becomes valid at noon UTC on July 1st 2000 and expires 30 days (2592000 seconds) later.

The DNS administrator for example.com could then send example.com.keyset to the DNS administrator for .com so that they could sign the resource records in the file. This assumes that the .com zone is DNSSEC-aware and that the administrators of the two zones have some mechanism for authenticating each other and exchanging the keys and signatures securely.
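As an added illustration that is not part of this man page or of the HP-UX tools, the following Python parses a dnssec-makekeyset command line of the form above and derives what it would produce: the .keyset file name, the zone, algorithm and key tag encoded in the K<name>.+<alg>+<id> identifier, and the SIG validity window, with a warning when that window is shorter than the record TTL. The now+N time form, the 3600-second default TTL and the 30-day default lifetime are taken from the BIND tools' conventions and are assumptions here; the page itself only shows the absolute -s and relative +N -e forms.

```python
import argparse
import re
from datetime import datetime, timedelta, timezone

# Algorithm numbers registered in RFC 2535; the page's key file uses 003 (DSA).
RFC2535_ALGORITHMS = {1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA"}
# dnssec-keygen identifiers look like Kexample.com.+003+26160
KEYFILE_RE = re.compile(r"^K(?P<name>.+?)\.\+(?P<alg>\d+)\+(?P<tag>\d+)$")

def parse_time(value, now, start=None):
    """YYYYMMDDHHMMSS is absolute UTC; +N is N seconds after `start` (or after
    `now` when there is no start); now+N is N seconds after `now` (assumed)."""
    if re.fullmatch(r"\d{14}", value):
        return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if value.startswith("now+"):
        return now + timedelta(seconds=int(value[4:]))
    if value.startswith("+"):
        return (start or now) + timedelta(seconds=int(value[1:]))
    raise ValueError("unrecognised time %r" % value)

def parse_keyfile(identifier):
    """Split a key file identifier into zone name, algorithm and key tag."""
    m = KEYFILE_RE.match(identifier)
    if not m:
        raise ValueError("not a dnssec-keygen key file identifier: %r" % identifier)
    alg = int(m.group("alg"))
    return {"zone": m.group("name"), "algorithm": alg,
            "algorithm_name": RFC2535_ALGORITHMS.get(alg, "unknown"),
            "key_tag": int(m.group("tag"))}

def describe_makekeyset(argv, now=None):
    """argv is the full command line split into words, e.g. from shlex.split()."""
    now = now or datetime.now(timezone.utc)
    p = argparse.ArgumentParser(prog="dnssec-makekeyset", add_help=False)
    p.add_argument("-t", dest="ttl", type=int, default=3600)  # 3600 s default assumed
    p.add_argument("-s", dest="start")
    p.add_argument("-e", dest="end")
    p.add_argument("keyfiles", nargs="+")
    ns = p.parse_args(argv[1:])
    keys = [parse_keyfile(k) for k in ns.keyfiles]
    inception = parse_time(ns.start, now) if ns.start else now
    expiration = (parse_time(ns.end, now, inception) if ns.end
                  else inception + timedelta(days=30))  # 30-day default assumed
    warnings = []
    if expiration <= inception:
        warnings.append("SIG would expire before it becomes valid")
    elif (expiration - inception).total_seconds() < ns.ttl:
        warnings.append("validity window shorter than the TTL; cached copies may outlive the SIG")
    return {"output_file": keys[0]["zone"] + ".keyset", "keys": keys, "ttl": ns.ttl,
            "inception": inception, "expiration": expiration, "warnings": warnings}
```

Running it on the command shown above reports example.com.keyset, DSA key tag 26160, a window from 2000-07-01 12:00 UTC to 2000-07-31 12:00 UTC and no warnings; shortening -e to +3600 with the same 86400-second TTL triggers the TTL warning.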
FILES
/dev/random
SEE ALSO
dnssec-keygen(1), dnssec-signkey(1), dnssec-signzone(1), RFC2535.
250 Hewlett-Packard Company 2 HP-UX 11i Version 2: December 2007 Update