dnssec-makekeyset - DNSSEC zone signing tool
dnssec-makekeyset [ -a ] [ -s start-time ] [ -e end-time ] [ -h ] [ -p ] [ -r randomdev ] [ -tttl ] [ -v level ] key...
dnssec-makekeyset generates a key set from one or more keys created by dnssec-keygen. It creates a file containing a KEY record for each key, and self-signs the key set with each zone key. The output file is of the form keyset-nnnn., where nnnn is the zone name.
-a Verify all generated signatures. -s start-time Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time is used. -e end-time Specify the date and time when the generated SIG records expire. As with start-time, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time realtive to the current time is indicated with now+N. If no end-time is specified, 30 days from the start time is used as a default. -h Prints a short summary of the options and arguments to dnssec-makekeyset. -p Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be use- ful when signing large zones or when the entropy source is limited. -r randomdev Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. randomdev specifies the name of a character device or file containing random data to be used instead of the default. The special value keyboard indicates that keyboard input should be used. -t ttl Specify the TTL (time to live) of the KEY and SIG records. The default is 3600 seconds. -v level Sets the debugging level. key The list of keys to be included in the keyset file. These keys are expressed in the form Knnnn.+aaa+iiiii as generated by dnssec- keygen.
The following command generates a keyset containing the DSA key for example.com generated in the dnssec-keygen man page. dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160 In this example, dnssec-makekeyset creates the file keyset-example.com.. This file contains the specified key and a self-generated signa- ture. The DNS administrator for example.com could send keyset-example.com. to the DNS administrator for .com for signing, if the .com zone is DNSSEC-aware and the administrators of the two zones have some mechanism for authenticating each other and exchanging the keys and signa- tures securely.
dnssec-keygen(8), dnssec-signkey(8), BIND 9 Administrator Reference Manual, RFC 2535.
Internet Software Consortium BIND9 June 30, 2000 DNSSEC-MAKEKEYSET(8)

Featured Tech Videos