dnssec-makekeyset command

Purpose

Domain name system security extensions (DNSSEC) zone signing tool.

Syntax

dnssec-makekeyset [-a] [-s start-time] [-e end-time] [-h] [-p] [-r randomdev] [-t ttl] [-v level] {key...}

Description

The dnssec-makekeyset command generates a key set from one or more keys that are created by the dnssec-keygen command. It creates a file that contains a KEY record for each key, and self-signs the key set with each zone key. The output file is of the form keyset-nnnn., where nnnn is the zone name.

Flags

-a
    Verifies all generated signatures.

-s start-time
    Specifies the date and time when the generated SIG records become valid. It can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time. If no start-time is specified, the current time is used.

-e end-time
    Specifies the date and time when the generated SIG records expire. As with the start-time value, an absolute time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no end-time is specified, 30 days from the start time is used as the default.

-h
    Prints a short summary of the options and arguments to the dnssec-makekeyset command.

-p
    Uses pseudo-random data when signing. It is faster, but less secure, than using real random data. This option might be useful when you sign large zones or when the entropy source is limited.

-r randomdev
    Specifies the source of randomness. If the operating system does not provide a /dev/random or equivalent device, the default source of randomness is keyboard input. The randomdev value specifies the name of a character device or file that contains random data to be used instead of the default. The special value keyboard indicates that keyboard input must be used.

-t ttl
    Specifies the TTL (time to live) of the KEY and SIG records. The default is 3600 seconds.

-v level
    Sets the debugging level.

Parameters

key
    The list of keys to be included in the key set file. These keys are expressed in the form Knnnn.+aaa+iiiii as generated by the dnssec-keygen command.
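The -s/-e time rules and the Knnnn.+aaa+iiiii key-name format above are easy to get wrong when scripting key-set generation. The following Python is an added example, not part of this man page or of the BIND tools; it models those rules so an operator can compute the SIG validity window an invocation would produce before running dnssec-makekeyset, and parse key names into their zone, algorithm number and key id. The TTL comparison at the end is an operational check added here (signatures that expire sooner than the record TTL can fail validation in resolver caches), not something the man page states.

```python
"""Added example: model dnssec-makekeyset's -s/-e time specifications and the
Knnnn.+aaa+iiiii key-name format from the man page. Not the tool's own code."""
import re
from datetime import datetime, timedelta, timezone

DEFAULT_LIFETIME = timedelta(days=30)   # -e default: 30 days after start-time
DEFAULT_TTL = 3600                      # -t default, in seconds


def _absolute(spec):
    """YYYYMMDDHHMMSS, interpreted as UTC (e.g. 20000530144500)."""
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_start(spec, now):
    """-s start-time: absolute, '+N' seconds from now, or None (= now)."""
    if spec is None:
        return now
    if spec.startswith("+"):
        return now + timedelta(seconds=int(spec[1:]))
    return _absolute(spec)


def parse_end(spec, start, now):
    """-e end-time: absolute, '+N' from start, 'now+N' from now, or None (= start + 30 days)."""
    if spec is None:
        return start + DEFAULT_LIFETIME
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        return start + timedelta(seconds=int(spec[1:]))
    return _absolute(spec)


# Knnnn.+aaa+iiiii: zone name (with trailing dot), 3-digit algorithm, 5-digit key id
KEYNAME_RE = re.compile(r"^K(?P<zone>.+\.)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})$")


def parse_keyname(name):
    """Split a dnssec-keygen key name into (zone, algorithm number, key id)."""
    m = KEYNAME_RE.match(name)
    if not m:
        raise ValueError(f"not a dnssec-keygen key name: {name}")
    return m.group("zone"), int(m.group("alg")), int(m.group("keyid"))


def validity_window(start_spec=None, end_spec=None, ttl=DEFAULT_TTL, now=None):
    """Return (start, end, problems) for the given -s/-e/-t values.

    `now` may be supplied (as an aware datetime) to make the result reproducible;
    it defaults to the current UTC time, as the tool itself would use.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    start = parse_start(start_spec, now)
    end = parse_end(end_spec, start, now)
    problems = []
    if end <= start:
        problems.append("expiration is not after inception")
    if end <= now:
        problems.append("signatures would already be expired when created")
    if end - start < timedelta(seconds=ttl):
        problems.append("validity period is shorter than the record TTL")
    return start, end, problems


if __name__ == "__main__":
    # The man page's own example: -t 86400 -s 20000701120000 -e +2592000
    zone, alg, keyid = parse_keyname("Kexample.com.+003+26160")
    s, e, probs = validity_window("20000701120000", "+2592000", ttl=86400,
                                  now=_absolute("20000601000000"))
    print(f"zone={zone} alg={alg} keyid={keyid}")
    print(f"SIG valid {s.isoformat()} .. {e.isoformat()} problems={probs}")
```

Run with the example values from this page and the window comes out as 2000-07-01 12:00:00 UTC to 2000-07-31 12:00:00 UTC, i.e. exactly the 30 days that +2592000 requests; the same function shows how now+N and a missing -e differ, which the one-line descriptions above leave implicit.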

Examples

The following command generates a key set that contains the DSA key for example.com generated in the dnssec-keygen man page:

    dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160

In this example, the dnssec-makekeyset command creates the file keyset-example.com. (the trailing period is part of the file name). This file contains the specified key and a self-generated signature. The DNS administrator for example.com can send keyset-example.com. to the DNS administrator for .com for signing, if the .com zone is DNSSEC-aware and the administrators of the two zones have some mechanism for authenticating each other and exchanging the keys and signatures securely.