Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2001, 2003 Internet Software Consortium.

Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.

<!-- $Id: dnssec-makekeyset.html,v 1.4.2.4 2004/06/03 05:21:11 marka Exp $ -->

dnssec-makekeyset -- DNSSEC zone signing tool

dnssec-makekeyset generates a key set from one or more keys created by

a file containing a KEY record for each key, and self-signs the key set with each zone key. The output file is of the form

Verify all generated signatures.

Specify the date and time when the generated SIG records become valid. This can be either an absolute or relative time. An absolute start time is indicated by a number in YYYYMMDDHHMMSS notation; 20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative start time is indicated by +N, which is N seconds from the current time.

is specified, the current

Specify the date and time when the generated SIG records

time is indicated in YYYYMMDDHHMMSS notation. A time relative to the start time is indicated with +N, which is N seconds from the start time. A time relative to the current time is indicated with now+N. If no

specified, 30 days from the start time is used as a default.

Prints a short summary of the options and arguments to dnssec-makekeyset.

Use pseudo-random data when signing the zone. This is faster, but less secure, than using real random data. This option may be useful when signing large zones or when the entropy

Specifies the source of randomness. If the operating system does not provide a

or equivalent device, the default source of randomness is keyboard input.

the name of a character device or file containing random data to be used instead of the default. The special value

indicates that keyboard input should be used.

Specify the TTL (time to live) of the KEY and SIG records. The default is 3600 seconds.

Sets the debugging level.

The list of keys to be included in the keyset file. These keys are expressed in the form Knnnn.+aaa+iiiii

The following command generates a keyset containing the DSA key for

dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160

In this example, dnssec-makekeyset

keyset-example.com.

contains the specified key and a self-generated signature.

The DNS administrator for

keyset-example.com.

administrator for

for signing, if the .com zone is DNSSEC-aware and the administrators of the two zones have some mechanism for authenticating each other and exchanging the keys and signatures securely.
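
The start and end time notations described earlier on this page, resolved for the example command's -s 20000701120000 -e +2592000; this is an added example, not part of the original manual page or of BIND's code. The function names are hypothetical, and using the current time when no start time is given is an assumption, because the page's sentence on that default is cut off.

```python
from datetime import datetime, timedelta, timezone
import re

ABS = re.compile(r"\d{14}")            # YYYYMMDDHHMMSS, read as UTC
DEFAULT_LIFETIME = timedelta(days=30)  # page: default end is 30 days after start

def parse_absolute(spec):
    # strptime rejects impossible values such as month 13
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_offset(text):
    if not text.isdigit():
        raise ValueError(f"bad offset: {text!r}")
    return timedelta(seconds=int(text))

def resolve_start(spec, now):
    """Start time: absolute, or +N seconds from the current time."""
    if spec is None:
        return now  # assumption: the page's statement of the default is cut off
    if ABS.fullmatch(spec):
        return parse_absolute(spec)
    if spec.startswith("+"):
        return now + parse_offset(spec[1:])
    raise ValueError(f"unrecognised start time: {spec!r}")

def resolve_end(spec, start, now):
    """End time: absolute, +N from the start time, or now+N from the current time."""
    if spec is None:
        return start + DEFAULT_LIFETIME
    if ABS.fullmatch(spec):
        return parse_absolute(spec)
    if spec.startswith("now+"):
        return now + parse_offset(spec[4:])
    if spec.startswith("+"):
        return start + parse_offset(spec[1:])
    raise ValueError(f"unrecognised end time: {spec!r}")

def validity_window(start_spec, end_spec, now):
    """Return (start, end) as YYYYMMDDHHMMSS strings; reject an empty window."""
    start = resolve_start(start_spec, now)
    end = resolve_end(end_spec, start, now)
    if end <= start:
        raise ValueError("signature would expire before it becomes valid")
    return start.strftime("%Y%m%d%H%M%S"), end.strftime("%Y%m%d%H%M%S")

if __name__ == "__main__":
    now = datetime(2000, 6, 30, 9, 0, 0, tzinfo=timezone.utc)  # constructed clock
    print(validity_window("20000701120000", "+2592000", now))
```

With the same start time, an end time of now+86400 is measured from the current clock rather than from the start time, so on the constructed clock it falls before the start and is rejected.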

dnssec-signkey

BIND 9 Administrator Reference Manual

Internet Systems Consortium