dnssec-makekeyset.docbook revision dafcb997e390efa4423883dafd100c975c4095d6
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
<!--
 - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2001, 2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-makekeyset.docbook,v 1.5 2004/03/05 04:57:41 marka Exp $ -->
<refentryinfo>
</refentryinfo>
<refentrytitle><application>dnssec-makekeyset</application></refentrytitle>
<refname><application>dnssec-makekeyset</application></refname>
<refpurpose>DNSSEC zone signing tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<arg><option>-s <replaceable class="parameter">start-time</replaceable></option></arg>
<arg><option>-e <replaceable class="parameter">end-time</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<command>dnssec-makekeyset</command> generates a key set from one
or more keys created by <command>dnssec-keygen</command>. It creates
a file containing a KEY record for each key, and self-signs the key
set with each zone key. The output file is of the form
<filename>keyset-nnnn.</filename>, where <filename>nnnn</filename>
is the zone name.
<variablelist>
<varlistentry>
Verify all generated signatures.
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">start-time</replaceable></term>
Specify the date and time when the generated SIG records
become valid. This can be either an absolute or relative
time. An absolute start time is indicated by a number
in YYYYMMDDHHMMSS notation; 20000530144500 denotes
14:45:00 UTC on May 30th, 2000. A relative start time is
indicated by +N, which is N seconds from the current time.
If no <option>start-time</option> is specified, the current
time is used.
</varlistentry>
<varlistentry>
<term>-e <replaceable class="parameter">end-time</replaceable></term>
Specify the date and time when the generated SIG records
expire. As with <option>start-time</option>, an absolute
time is indicated in YYYYMMDDHHMMSS notation. A time relative
to the start time is indicated with +N, which is N seconds from
the start time. A time relative to the current time is
indicated with now+N. If no <option>end-time</option> is
specified, 30 days from the start time is used as a default.
</varlistentry>
<varlistentry>
Prints a short summary of the options and arguments to
</varlistentry>
<varlistentry>
Use pseudo-random data when signing the zone. This is faster,
but less secure, than using real random data. This option
may be useful when signing large zones or when the entropy
source is limited.
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">ttl</replaceable></term>
Specify the TTL (time to live) of the KEY and SIG records.
The default is 3600 seconds.
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
<userinput>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</userinput>
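
The -s and -e rules described above, worked through as an added Python example (not part of the BIND sources or of this manual page), to show which SIG validity window a given pair of arguments produces. The names resolve_window and now, and the final check that expiry falls after the start, are assumptions of this example.

```python
# Added illustration, not code from BIND: resolves -s / -e arguments into the
# SIG validity window using only the rules stated in the option descriptions.
import re
from datetime import datetime, timedelta, timezone

ABSOLUTE = re.compile(r"\d{14}")         # YYYYMMDDHHMMSS, read as UTC
DEFAULT_LIFETIME = timedelta(days=30)    # documented default when -e is absent


def _absolute(spec):
    # strptime also rejects impossible dates such as month 13
    return datetime.strptime(spec, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def _offset(spec, base):
    # "+N" means N seconds after `base`
    if not re.fullmatch(r"\+\d+", spec):
        raise ValueError(f"unrecognised time specification: {spec!r}")
    return base + timedelta(seconds=int(spec[1:]))


def resolve_window(start_spec=None, end_spec=None, now=None):
    """Return (start, end) of the signature validity as aware UTC datetimes.

    `now` is a hypothetical parameter so results are reproducible; it
    defaults to the current time.
    """
    now = now or datetime.now(timezone.utc)

    if start_spec is None:
        start = now                          # no -s: current time
    elif ABSOLUTE.fullmatch(start_spec):
        start = _absolute(start_spec)
    else:
        start = _offset(start_spec, now)     # -s +N counts from now

    if end_spec is None:
        end = start + DEFAULT_LIFETIME       # no -e: 30 days after start
    elif ABSOLUTE.fullmatch(end_spec):
        end = _absolute(end_spec)
    elif end_spec.startswith("now"):
        end = _offset(end_spec[3:], now)     # -e now+N counts from now
    else:
        end = _offset(end_spec, start)       # -e +N counts from start

    # Sanity check added by this example, not documented tool behaviour.
    if not end > start:
        raise ValueError("signatures would expire at or before they become valid")
    return start, end
```

For the command shown above, resolve_window("20000701120000", "+2592000") gives a window from 12:00:00 UTC on 1 July 2000 to 12:00:00 UTC on 31 July 2000, because +N on -e is counted from the start time rather than from the current time.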