System Administration Commands dnssec-makekeyset(1M)
NAME
dnssec-makekeyset - DNSSEC zone signing tool
SYNOPSIS
dnssec-makekeyset [-ahp] [-s start-time] [-e end-time]
[-r randomdev] [-t ttl] [-v level] key...
DESCRIPTION
The dnssec-makekeyset utility generates a key set from one
or more keys created by dnssec-keygen(1M). It creates a file
containing a KEY record for each key, and self-signs the key
set with each zone key. The output file is of the form
keyset-nnnn., where nnnn is the zone name.
OPTIONS
-a Verify all generated signatures.
-e end-time Specify the date and time when the generated
SIG records expire. As with start-time, an
absolute time is indicated in YYYYMMDDHHMMSS
notation. A time relative to the start time
is indicated with +N, which is N seconds from
the start time. A time relative to the
current time is indicated with now+N. If no
end-time is specified, 30 days from the start
time is used as a default.
-h Print a short summary of the options and
arguments to dnssec-makekeyset().
-p Use pseudo-random data when signing the
zone. This is faster, but less secure, than
using real random data. This option may be
useful when signing large zones or when the
entropy source is limited.
-r randomdev Specify the source of randomness. If the
operating system does not provide a
/dev/random or equivalent device, the
default source of randomness is keyboard
input. The randomdev argument specifies the
name of a character device or file containing
random data to be used instead of the
default. The special value keyboard indicates
that keyboard input should be used.
SunOS 5.11 Last change: 20 Mar 2007 1
-s start-time Specify the date and time when the generated
SIG records become valid. This can be either
an absolute or relative time. An absolute
start time is indicated by a number in
YYYYMMDDHHMMSS notation; 20000530144500
denotes 14:45:00 UTC on May 30th, 2000. A
relative start time is indicated by +N, which
is N seconds from the current time. If no
start-time is specified, the current time is
used.
-t ttl Specify the TTL (time to live) of the KEY
and SIG records. The default is 3600
seconds.
-v level Set the debugging level.
OPERANDS
The following operands are supported:
key The list of keys to be included in the keyset file.
These keys are expressed in the form Knnnn.+aaa+iiiii
as generated by dnssec-keygen(1M), where nnnn is the
zone name, aaa the algorithm number and iiiii the
key identifier.
EXAMPLES
Example 1 Generates a keyset containing the DSA key for
example.com.
The following command generates a keyset containing the DSA
key for example.com generated in the dnssec-keygen(1M)
manual page.
dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 \
Kexample.com.+003+26160
In this example, dnssec-makekeyset() creates the file
keyset-example.com. This file contains the specified key and
a self-generated signature.
The DNS administrator for example.com could send
keyset-example.com. to the DNS administrator for .com for
signing, if the .com zone is DNSSEC-aware and the
administrators of the two zones have some mechanism for
authenticating each other and exchanging the keys and
signatures securely.
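The start-time and end-time notation documented under OPTIONS (absolute YYYYMMDDHHMMSS, +N relative to the start time or, for -s, to the current time, and now+N) together with the Knnnn.+aaa+iiiii operand form are easy to get wrong on a command line, and a keyset whose SIG has already expired is rejected by every validator. The following Python script is an added example, not part of this manual page or of BIND; it resolves the same notation, applies the documented defaults (start = now, end = start + 30 days) and reports the validity window that the command in Example 1 would produce. The key-name regular expression, the helper names and the parsed sample values are this example's own assumptions.

```python
# Added example (not part of the dnssec-makekeyset manual page or of
# BIND): resolves -s/-e time specifications and dnssec-keygen key names.
import re
from datetime import datetime, timedelta, timezone

# Key file names as written by dnssec-keygen: K<zone>.+<alg>+<keyid>
# (assumed layout: three-digit algorithm, five-digit key id).
KEY_NAME_RE = re.compile(r"^K(?P<zone>.+\.)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})$")
ABS_TIME_RE = re.compile(r"^\d{14}$")      # YYYYMMDDHHMMSS, interpreted as UTC
DEFAULT_VALIDITY = timedelta(days=30)      # documented default when -e is absent


def parse_key_name(name):
    """Split 'Kexample.com.+003+26160' into zone, algorithm and key id."""
    m = KEY_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a dnssec-keygen key name: {name!r}")
    return {"zone": m.group("zone"),
            "algorithm": int(m.group("alg")),
            "keyid": int(m.group("keyid"))}


def parse_absolute(spec):
    """YYYYMMDDHHMMSS -> timezone-aware UTC datetime."""
    if not ABS_TIME_RE.match(spec):
        raise ValueError(f"not YYYYMMDDHHMMSS notation: {spec!r}")
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_time_spec(spec, base, now):
    """Resolve one -s or -e argument.

    '+N'      -> N seconds after `base` (the current time for -s,
                 the start time for -e)
    'now+N'   -> N seconds after the current time
    14 digits -> absolute UTC time
    """
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[len("now+"):]))
    if spec.startswith("+"):
        return base + timedelta(seconds=int(spec[1:]))
    return parse_absolute(spec)


def validity_window(start_spec=None, end_spec=None, now=None):
    """Return (start, end) following the -s/-e rules and defaults.

    `now` may be a datetime or a YYYYMMDDHHMMSS string (handy for
    reproducible checks); it defaults to the real current time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = parse_absolute(now)
    # -s: a relative time counts from the current time; default is now.
    start = now if start_spec is None else parse_time_spec(start_spec, base=now, now=now)
    # -e: a relative time counts from the start time; default is +30 days.
    end = (start + DEFAULT_VALIDITY if end_spec is None
           else parse_time_spec(end_spec, base=start, now=now))
    if end <= start:
        raise ValueError("end-time must be later than start-time")
    return start, end


def keyset_filename(zone):
    """Output file name: keyset-<zone>, zone keeping its trailing dot."""
    return f"keyset-{zone}"


if __name__ == "__main__":
    # The command line from Example 1 above.
    key = parse_key_name("Kexample.com.+003+26160")
    start, end = validity_window("20000701120000", "+2592000")
    print(keyset_filename(key["zone"]), "alg", key["algorithm"], "id", key["keyid"])
    print("SIG valid from", start.isoformat(), "to", end.isoformat())
```

Running it with the Example 1 arguments shows a window from 2000-07-01 12:00:00 UTC to 2000-07-31 12:00:00 UTC (2592000 seconds is exactly 30 days), so the explicit -e in the example matches the documented default; passing an end-time at or before the start-time is rejected rather than silently producing an already-expired signature.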
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
ATTRIBUTE TYPE ATTRIBUTE VALUE
Availability SUNWbind9
Interface Stability External
SEE ALSO
dnssec-keygen(1M), dnssec-signkey(1M), attributes(5)
RFC 2535
BIND 9 Administrator Reference Manual
NOTES
Source for BIND9 is available in the SUNWbind9S package.