dnssec-makekeyset(1)

HP-UX 11i Version 3: February 2007

NAME

dnssec-makekeyset — used to produce a set of DNSSEC keys

SYNOPSIS

dnssec-makekeyset [-a] [-h] [-s start-time] [-e end-time] [-t TTL] [-r randomdev] [-p] [-v level] keyfile...

DESCRIPTION

dnssec-makekeyset generates a key set from one or more keys created by dnssec-keygen. It creates a file containing KEY and SIG records for some zone which can then be signed by the zone's parent if the parent zone is DNSSEC-aware.

keyfile should be a key identification string as reported by dnssec-keygen, of the form Knnnn.+aaa+iiiii, where nnnn is the owner name of the key, aaa is the three-digit DNSSEC algorithm number (for example, 003 for DSA) and iiiii is the key identifier (key tag). Multiple keyfile arguments can be supplied when several keys are to be combined by dnssec-makekeyset into one key set.

Options

-a

This option is used to verify all generated signatures.

-e end-time

The expiration date for the SIG records can be set by the -e option. Note that in this context, the expiration date specifies when the SIG records are no longer valid, not when they are deleted from caches on name servers.

end-time represents either an absolute or relative date. The YYYYMMDDHHMMSS notation is used to indicate an absolute date and time.

When end-time is +N, it indicates that the SIG records will expire in N seconds after their start date. If end-time is written as now+N, the SIG records will expire in N seconds after the current time.

When no expiration date is set for the SIG records, dnssec-makekeyset defaults to an expire time of 30 days from the start time of the SIG records.

-h

This option is used to display a short summary of the options provided with dnssec-makekeyset.

-p

This option instructs dnssec-makekeyset to use pseudo-random data when self-signing the key set. This is faster, but less secure, than using genuinely random data for signing, and may be useful when the entropy source is limited. Note that a DSA signature consumes a fresh random value for every signature and that predictable values can expose the private key, so -p is not appropriate for keys that matter.

-r randomdev

An alternate source of random data can be specified with the -r option. randomdev is the name of the file to use to obtain random data. By default, /dev/random is used if this device is available. If this file is not provided by the operating system and no -r option is used, dnssec-makekeyset will prompt the user for input from the keyboard and use the time between keystrokes to derive some random data.

-s start-time

For any SIG records that are in the key set, the start time when the SIG records become valid is specified with the -s option. start-time can either be an absolute or relative date.

An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; for example, 20000530144500 denotes 14:45:00 UTC on May 30th, 2000.

A relative start time is supplied when start-time is given as +N specifying N seconds from the current time.

If no -s option is supplied, the current date and time is used for the start time of the SIG records.

-t TTL

The -t option is followed by a time-to-live argument TTL which indicates the TTL value that will be assigned to the assembled KEY and SIG records in the output file. TTL is expressed in seconds. If no -t option is provided, dnssec-makekeyset prints a warning and uses a default TTL of 3600 seconds.

-v level

This option can be used to make dnssec-makekeyset more verbose. As the debugging/tracing level level increases, dnssec-makekeyset generates increasingly detailed reports about what it is doing. The default level is zero.

If dnssec-makekeyset is successful, it creates a file named nnnn.keyset, where nnnn is the domain name part of the key file identifier produced when dnssec-keygen created the domain's public and private keys. This file contains the KEY and SIG records for domain nnnn. The .keyset file can then be transferred to the DNS administrator of the parent zone, who signs its contents with dnssec-signkey.

EXAMPLE

The following command generates a key set for the DSA key for example.com that was shown in the dnssec-keygen man page. (Note the backslash is simply a line continuation character and not part of the dnssec-makekeyset command syntax.)

dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 \
    Kexample.com.+003+26160

dnssec-makekeyset will create a file called example.com.keyset containing a SIG and KEY record for example.com. These records will have a TTL of 86400 seconds (1 day). The SIG record becomes valid at noon UTC on July 1st 2000 and expires 30 days (2592000 seconds) later.
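The -s and -e rules, the default TTL and expiry, and the Knnnn.+aaa+iiiii naming described above, worked through for the example command line. This is an added illustration, not code from this page or from BIND's dnssec-makekeyset: it computes the validity window and output file name the tool would use without signing anything. The ALGORITHM_NAMES table, the acceptance of a .key or .private suffix on the identifier, and the check that all keys share one owner name are assumptions of the example, not documented behaviour.

```python
"""Validity-window and key-file conventions from the dnssec-makekeyset man page.

Added worked example, not code from dnssec-makekeyset or BIND.  It re-implements
the documented -s / -e parsing rules and the Knnnn.+aaa+iiiii key-file naming so
the inception and expiration of the SIG records can be checked before the
keyset file is handed to the parent zone.  Nothing here signs anything.
"""
import re
from datetime import datetime, timedelta, timezone

# Man page: with no -e, SIG records expire 30 days after their start time.
DEFAULT_VALIDITY = timedelta(days=30)
# Man page: with no -t, a TTL of 3600 seconds is used.
DEFAULT_TTL = 3600

# Labels for algorithm numbers (assumption of this example, used for display only;
# 003 = DSA matches the key in the man page's own example).
ALGORITHM_NAMES = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1"}

# Knnnn.+aaa+iiiii as reported by dnssec-keygen; a .key or .private suffix is
# tolerated here so a file name can be passed instead of the bare identifier.
KEYFILE_RE = re.compile(
    r"^K(?P<name>[^+]+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})(?:\.(?:key|private))?$"
)


def parse_keyfile(keyfile):
    """Return (owner name, algorithm number, key tag) from a key identifier."""
    m = KEYFILE_RE.match(keyfile)
    if m is None:
        raise ValueError("not a dnssec-keygen key identifier: %r" % (keyfile,))
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def keyset_filename(keyfile):
    """nnnn.keyset, nnnn being the owner name without its trailing dot."""
    name, _, _ = parse_keyfile(keyfile)
    return name.rstrip(".") + ".keyset"


def parse_absolute(text):
    """YYYYMMDDHHMMSS, interpreted as UTC as the -s description states."""
    if re.fullmatch(r"\d{14}", text) is None:
        raise ValueError("expected YYYYMMDDHHMMSS, got %r" % (text,))
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_start(start_time, now):
    """-s: absolute time, or +N seconds after now; default is now."""
    if start_time is None:
        return now
    if start_time.startswith("+"):
        return now + timedelta(seconds=int(start_time[1:]))
    return parse_absolute(start_time)


def parse_end(end_time, start, now):
    """-e: absolute time, +N seconds after START, now+N seconds after NOW;
    default is start plus 30 days."""
    if end_time is None:
        return start + DEFAULT_VALIDITY
    if end_time.startswith("now+"):
        return now + timedelta(seconds=int(end_time[4:]))
    if end_time.startswith("+"):
        return start + timedelta(seconds=int(end_time[1:]))
    return parse_absolute(end_time)


def plan_keyset(keyfiles, ttl=DEFAULT_TTL, start_time=None, end_time=None, now=None):
    """Describe what the given options would produce: file name, TTL, window, keys.

    The same-owner check is a sanity check this example adds: one keyset file
    holds the KEY and SIG records of a single zone.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    keys = [parse_keyfile(k) for k in keyfiles]
    owners = {name for name, _, _ in keys}
    if len(owners) != 1:
        raise ValueError("keys belong to different zones: %s" % (sorted(owners),))
    start = parse_start(start_time, now)
    end = parse_end(end_time, start, now)
    if end <= start:
        raise ValueError("SIG expiration %s is not after inception %s" % (end, start))
    return {
        "keyset_file": keyset_filename(keyfiles[0]),
        "ttl": ttl,
        "inception": start,
        "expiration": end,
        "keys": [(alg, ALGORITHM_NAMES.get(alg, "alg %d" % alg), tag) for _, alg, tag in keys],
    }


def sig_valid_at(plan, when):
    """A validator accepts the SIG only inside [inception, expiration]; after
    expiration it is rejected even though caches may still hold it for up to TTL."""
    return plan["inception"] <= when <= plan["expiration"]


if __name__ == "__main__":
    # The man page's example: -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160
    plan = plan_keyset(["Kexample.com.+003+26160"], ttl=86400,
                       start_time="20000701120000", end_time="+2592000")
    for k, v in plan.items():
        print("%-12s %s" % (k, v))
```

Run stand-alone, the script prints example.com.keyset, TTL 86400, an inception of 2000-07-01 12:00:00 UTC and an expiration exactly 30 days later. The sig_valid_at helper makes the -e caveat concrete: a signature checked after the expiration fails validation regardless of whether a resolver still has the records cached.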

The DNS administrator for example.com could then send example.com.keyset to the DNS administrator for .com so that they could sign the resource records in the file. This assumes that the .com zone is DNSSEC-aware and the administrators of the two zones have some mechanism for authenticating each other and exchanging the keys and signatures securely.

FILES

/dev/random

© 1983-2007 Hewlett-Packard Development Company, L.P.