  dnssec-makekeyset (1)              


 dnssec-makekeyset(1)                                   dnssec-makekeyset(1)

      dnssec-makekeyset - used to produce a set of DNSSEC keys

      dnssec-makekeyset [-a] [-h] [-s start-time] [-e end-time] [-t TTL]
           [-r randomdev] [-p] [-v level] keyfile...

      dnssec-makekeyset generates a key set from one or more keys created by
      dnssec-keygen.  It creates a file containing the KEY records for a
      zone, self-signed with SIG records, which can then be signed by the
      zone's parent if the parent zone is DNSSEC-aware.

      keyfile should be a key identification string as reported by dnssec-
      keygen; such as, Knnnn.+aaa+iiiii, where nnnn is the name of the key
      (the zone name), aaa is the numeric signing algorithm and iiiii is the
      key identifier.  Multiple keyfile arguments can be supplied when there
      are several keys to be combined by dnssec-makekeyset into a key set.

           -a             This option is used to verify all generated
                          signatures.

           -e end-time    The expiration date for the SIG records can be set
                          by the -e option.  Note that in this context, the
                          expiration date specifies when the SIG records are
                          no longer valid, not when they are deleted from
                          caches on name servers.

                          end-time represents either an absolute or relative
                          date.  The YYYYMMDDHHMMSS notation is used to
                          indicate an absolute date and time.

                          When end-time is +N, it indicates that the SIG
                          records will expire N seconds after their start
                          date.  If end-time is written as now+N, the SIG
                          records will expire N seconds after the current
                          time, regardless of the start time.

                          When no expiration date is set for the SIG
                          records, dnssec-makekeyset defaults to an expire
                          time of 30 days from the start time of the SIG
                          records.

           -h             This option is used to display a short summary of
                          the options provided with dnssec-makekeyset.

           -p             This option is used to instruct dnssec-makekeyset
                          to use pseudo-random data when self-signing the
                          keyset.  This is faster, but less secure, than
                          using genuinely random data for signing.  This
                          option may be useful when the entropy source is
                          limited.  Note that a DSA signature requires an
                          unpredictable per-signature random value; if that
                          value can be predicted, the private key can be
                          recovered from the signature, so avoid -p with DSA
                          keys whenever real random data is available.

           -r randomdev   An alternate source of random data can be
                          specified with the -r option.  randomdev is the
                          name of the file to use to obtain random data.  By
                          default, /dev/random is used if this device is
                          available.  If this file is not provided by the
                          operating system and no -r option is used,
                          dnssec-makekeyset will prompt the user for input
                          from the keyboard and use the time between
                          keystrokes to derive some random data.

           -s start-time  For any SIG records that are in the key set, the
                          start time when the SIG records become valid is
                          specified with the -s option.  start-time can
                          either be an absolute or relative date.

                          An absolute start time is indicated by a number in
                          YYYYMMDDHHMMSS notation; for example,
                          20000530144500 denotes 14:45:00 UTC on May 30th,
                          2000.

                          A relative start time is supplied when start-time
                          is given as +N specifying N seconds from the
                          current time.

                          If no -s option is supplied, the current date and
                          time is used for the start time of the SIG
                          records.
           -t TTL         The -t option is followed by a time-to-live
                          argument TTL which indicates the TTL value that
                          will be assigned to the assembled KEY and SIG
                          records in the output file.  TTL is expressed in
                          seconds.  If no -t option is provided, dnssec-
                          makekeyset prints a warning and uses a default TTL
                          of 3600 seconds.

           -v level       This option can be used to make dnssec-makekeyset
                          more verbose.  As the debugging/tracing level
                          level increases, dnssec-makekeyset generates
                          increasingly detailed reports about what it is
                          doing.  The default level is zero.

           If dnssec-makekeyset is successful, it creates a file name of the
           form nnnn.keyset.  This file contains the KEY and SIG records for
           domain nnnn, the domain name part from the key file identifier
           produced when dnssec-keygen created the domain's public and
           private keys.  The .keyset file can then be transferred to the
           DNS administrator of the parent zone for them to sign the
           contents with dnssec-signkey.

      The following command generates a key set for the DSA key for
      example.com that was shown in the dnssec-keygen man page.  (Note the
      backslash is simply a line continuation character and not part of the
      dnssec-makekeyset command syntax.)

           dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 \

      dnssec-makekeyset will create a file called example.com.keyset
      containing a SIG and KEY record for example.com.  These records will
      have a TTL of 86400 seconds (1 day).  The SIG record becomes valid at
      noon UTC on July 1st 2000 and expires 30 days (2592000 seconds) later.
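      The following Python script is an added example, not part of the
      dnssec-makekeyset man page or of BIND.  It reproduces the -s/-e/-t
      arithmetic described above (absolute YYYYMMDDHHMMSS in UTC, +N
      relative to the start time, now+N relative to the current time, the
      30-day default) and derives the nnnn.keyset output name from a
      dnssec-keygen key identifier.  The identifier Kexample.com.+003+12345
      it uses is constructed for illustration; the footprint 12345 is made
      up.  It also adds a sanity check that is not in the man page: it
      rejects a window whose expiry precedes its start, which is exactly
      what happens when now+N is combined with a start time in the future.

```python
"""Added example: SIG validity window and output file name for
dnssec-makekeyset.  Not part of BIND; the key identifier below is
constructed (footprint 12345 is made up)."""
import re
from datetime import datetime, timedelta, timezone

ABSOLUTE = re.compile(r"^\d{14}$")      # YYYYMMDDHHMMSS, read as UTC
# Knnnn.+aaa+iiiii as written by dnssec-keygen (nnnn carries a trailing dot)
KEYFILE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})$")
DEFAULT_EXPIRY = timedelta(days=30)     # man page: 30 days from start time
DEFAULT_TTL = 3600                      # man page: 3600 s when -t is absent


def parse_absolute(text):
    """YYYYMMDDHHMMSS -> timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_start(text, now):
    """-s: absolute time, +N seconds from now, or None meaning now."""
    if text is None:
        return now
    if ABSOLUTE.match(text):
        return parse_absolute(text)
    if text.startswith("+"):
        return now + timedelta(seconds=int(text[1:]))
    raise ValueError("bad start-time: %r" % text)


def parse_end(text, start, now):
    """-e: absolute, +N relative to START, now+N relative to NOW, or default."""
    if text is None:
        return start + DEFAULT_EXPIRY
    if ABSOLUTE.match(text):
        return parse_absolute(text)
    if text.startswith("now+"):         # must be tested before the bare "+N" form
        return now + timedelta(seconds=int(text[4:]))
    if text.startswith("+"):
        return start + timedelta(seconds=int(text[1:]))
    raise ValueError("bad end-time: %r" % text)


def validity_window(start_opt=None, end_opt=None, now=None):
    """Return (inception, expiration) for the given -s/-e values.

    Added check: a SIG that expires before it becomes valid is useless, so
    such a combination (e.g. future -s with now+N) is rejected here."""
    if now is None:
        now = datetime.now(timezone.utc)
    start = parse_start(start_opt, now)
    end = parse_end(end_opt, start, now)
    if end <= start:
        raise ValueError("SIG would expire (%s) before it becomes valid (%s)"
                         % (end, start))
    return start, end


def keyset_filename(keyfile):
    """Knnnn.+aaa+iiiii -> (nnnn.keyset, algorithm number, key id)."""
    m = KEYFILE.match(keyfile)
    if not m:
        raise ValueError("not a dnssec-keygen key identifier: %r" % keyfile)
    return m.group("name") + ".keyset", int(m.group("alg")), int(m.group("id"))


def window_outlives_ttl(start, end, ttl=DEFAULT_TTL):
    """Added sanity check: the signatures should live longer than the TTL
    under which the signed records will sit in caches."""
    return (end - start).total_seconds() > ttl


if __name__ == "__main__":
    # The man page's own example: -t 86400 -s 20000701120000 -e +2592000
    now = parse_absolute("20000601000000")           # constructed "current time"
    start, end = validity_window("20000701120000", "+2592000", now)
    print("valid from", start, "until", end)         # 2000-07-01 12:00 -> 2000-07-31 12:00
    print(keyset_filename("Kexample.com.+003+12345"))  # ('example.com.keyset', 3, 12345)
    print("window > TTL:", window_outlives_ttl(start, end, 86400))
```

      Running it with the values from the man page example confirms the
      text above: inception at 12:00:00 UTC on 1 July 2000 and expiry 30
      days later, written to example.com.keyset.  Passing now+2592000
      instead of +2592000 with that same future start time is rejected,
      because the expiry is then anchored to the current time rather than
      to the start time.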

      The DNS administrator for example.com could then send
      example.com.keyset to the DNS administrator for .com so that they
      could sign the resource records in the file.  This assumes that the
      .com zone is DNSSEC-aware and the administrators of the two zones have
      some mechanism for authenticating each other and exchanging the keys
      and signatures securely.

      dnssec-keygen(1), dnssec-signkey(1), dnssec-signzone(1), RFC2535.

