DNSSEC-MAKEKEYSET(8) DNSSEC-MAKEKEYSET(8)
NAME
dnssec-makekeyset - DNSSEC zone signing tool
SYNOPSIS
dnssec-makekeyset [ -a ] [ -s start-time ] [ -e end-time ] [ -h ] [ -p ] [ -r randomdev ] [ -tttl ] [ -v level ] key...
DESCRIPTION
dnssec-makekeyset generates a key set from one or more keys created by dnssec-keygen. It creates a file containing a KEY record for each
key, and self-signs the key set with each zone key. The output file is of the form keyset-nnnn., where nnnn is the zone name.
OPTIONS
-a Verify all generated signatures.
-s start-time
Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute
start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
start time is indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time is used.
-e end-time
Specify the date and time when the generated SIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS
notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time realtive to the
current time is indicated with now+N. If no end-time is specified, 30 days from the start time is used as a default.
-h Prints a short summary of the options and arguments to dnssec-makekeyset.
-p Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be use-
ful when signing large zones or when the entropy source is limited.
-r randomdev
Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source
of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used
instead of the default. The special value keyboard indicates that keyboard input should be used.
-t ttl Specify the TTL (time to live) of the KEY and SIG records. The default is 3600 seconds.
-v level
Sets the debugging level.
key The list of keys to be included in the keyset file. These keys are expressed in the form Knnnn.+aaa+iiiii as generated by dnssec-
keygen.
EXAMPLE
The following command generates a keyset containing the DSA key for example.com generated in the dnssec-keygen man page.
dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160
In this example, dnssec-makekeyset creates the file keyset-example.com.. This file contains the specified key and a self-generated signa-
ture.
The DNS administrator for example.com could send keyset-example.com. to the DNS administrator for .com for signing, if the .com zone is
DNSSEC-aware and the administrators of the two zones have some mechanism for authenticating each other and exchanging the keys and signa-
tures securely.
SEE ALSO
dnssec-keygen(8), dnssec-signkey(8), BIND 9 Administrator Reference Manual, RFC 2535.
AUTHOR
Internet Software Consortium
BIND9 June 30, 2000 DNSSEC-MAKEKEYSET(8)
