bin/dnssec/dnssec-makekeyset.html

	dnssec-makekeyset.html revision 8de7014e56565605a51898a2a33a8b08fd3f1e57
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz<!--
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - Copyright (C) 2000, 2001  Internet Software Consortium.
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz -
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - Permission to use, copy, modify, and distribute this software for any
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - purpose with or without fee is hereby granted, provided that the above
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - copyright notice and this permission notice appear in all copies.
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz -
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz-->
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz<HTML
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><HEAD
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><TITLE
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>dnssec-makekeyset</TITLE
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><META
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzNAME="GENERATOR"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCONTENT="Modular DocBook HTML Stylesheet Version 1.61
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz"></HEAD
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><BODY
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="REFENTRY"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzBGCOLOR="#FFFFFF"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzTEXT="#000000"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzLINK="#0000FF"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzVLINK="#840084"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzALINK="#0000FF"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><H1
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><A
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzNAME="AEN1"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><SPAN
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="APPLICATION"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>dnssec-makekeyset</SPAN
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></A
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></H1
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><DIV
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="REFNAMEDIV"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><A
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzNAME="AEN9"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></A
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><H2
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>Name</H2
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><SPAN
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="APPLICATION"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>dnssec-makekeyset</SPAN
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><DIV
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="REFSYNOPSISDIV"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><A
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzNAME="AEN13"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></A
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><H2
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>Synopsis</H2
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><P
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><B
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="COMMAND"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>dnssec-makekeyset</B
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>  [<TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="OPTION"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>-a</TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>] [<TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="OPTION"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>-s <TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="REPLACEABLE"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><I
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>start-time</I
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>] [<TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="OPTION"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>-e <TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="REPLACEABLE"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><I
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>end-time</I
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>] [<TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="OPTION"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>-h</TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>] [<TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="OPTION"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>-p</TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>] [<TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="OPTION"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>-r <TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="REPLACEABLE"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><I
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>randomdev</I
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>] [<TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="OPTION"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>-t</TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="REPLACEABLE"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><I
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>ttl</I
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>] [<TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="OPTION"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>-v <TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="REPLACEABLE"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><I
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>level</I
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></TT
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>] {key...}</P
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></DIV
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><DIV
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="REFSECT1"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><A
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzNAME="AEN38"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz></A
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><H2
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>DESCRIPTION</H2
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz><P
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>        <B
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="COMMAND"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>dnssec-makekeyset</B
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz> generates a key set from one
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz	or more keys created by <B
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland MainzCLASS="COMMAND"
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>dnssec-keygen</B
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz>.  It creates
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz	a file containing a KEY record for each key, and self-signs the key
34f9b3eef6fdadbda0a846aa4d68691ac40eace5Roland Mainz	set with each zone key.  The output file is of the form
	<TT
CLASS="FILENAME"
>keyset-nnnn.</TT
>, where <TT
CLASS="FILENAME"
>nnnn</TT
>
	is the zone name.
    </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN45"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a</DT
><DD
><P
>	      Verify all generated signatures.
	  </P
></DD
><DT
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></DT
><DD
><P
>	       Specify the date and time when the generated SIG records
	       become valid.  This can be either an absolute or relative
	       time.  An absolute start time is indicated by a number
	       in YYYYMMDDHHMMSS notation; 20000530144500 denotes
	       14:45:00 UTC on May 30th, 2000.  A relative start time is
	       indicated by +N, which is N seconds from the current time.
	       If no <TT
CLASS="OPTION"
>start-time</TT
> is specified, the current
	       time is used.
	  </P
></DD
><DT
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></DT
><DD
><P
>	       Specify the date and time when the generated SIG records
	       expire.  As with <TT
CLASS="OPTION"
>start-time</TT
>, an absolute
	       time is indicated in YYYYMMDDHHMMSS notation.  A time relative
	       to the start time is indicated with +N, which is N seconds from
	       the start time.  A time realtive to the current time is
	       indicated with now+N.  If no <TT
CLASS="OPTION"
>end-time</TT
> is
	       specified, 30 days from the start time is used as a default.
	  </P
></DD
><DT
>-h</DT
><DD
><P
>	       Prints a short summary of the options and arguments to
	       <B
CLASS="COMMAND"
>dnssec-makekeyset</B
>.
	  </P
></DD
><DT
>-p</DT
><DD
><P
>	       Use pseudo-random data when signing the zone.  This is faster,
	       but less secure, than using real random data.  This option
	       may be useful when signing large zones or when the entropy
	       source is limited.
	  </P
></DD
><DT
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></DT
><DD
><P
>	       Specifies the source of randomness.  If the operating
	       system does not provide a <TT
CLASS="FILENAME"
>/dev/random</TT
>
	       or equivalent device, the default source of randomness
	       is keyboard input.  <TT
CLASS="FILENAME"
>randomdev</TT
> specifies
	       the name of a character device or file containing random
	       data to be used instead of the default.  The special value
	       <TT
CLASS="FILENAME"
>keyboard</TT
> indicates that keyboard
	       input should be used.
	  </P
></DD
><DT
>-t <TT
CLASS="REPLACEABLE"
><I
>ttl</I
></TT
></DT
><DD
><P
>	       Specify the TTL (time to live) of the KEY and SIG records.
	       The default is 3600 seconds.
	  </P
></DD
><DT
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></DT
><DD
><P
>	       Sets the debugging level.
	  </P
></DD
><DT
>key</DT
><DD
><P
>	       Lists the keys included in the keyset file.  These keys
	       are expressed in the form <TT
CLASS="FILENAME"
>Knnnn.+aaa+iiiii</TT
>
	       as generated by <B
CLASS="COMMAND"
>dnssec-keygen</B
>.
	  </P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN98"
></A
><H2
>EXAMPLE</H2
><P
>        The following command generates a keyset containing the DSA key for
	<TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
> generated in the
	<B
CLASS="COMMAND"
>dnssec-keygen</B
> man page.
    </P
><P
>        <TT
CLASS="USERINPUT"
><B
>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B
></TT
>
    </P
><P
>        In this example, <B
CLASS="COMMAND"
>dnssec-makekeyset</B
> creates
	the file <TT
CLASS="FILENAME"
>keyset-example.com.</TT
>.  This file
	contains the specified key and a self-generated signature.
    </P
><P
>        The DNS administrator for <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
> could
	send <TT
CLASS="FILENAME"
>keyset-example.com.</TT
> to the DNS
	administrator for <TT
CLASS="USERINPUT"
><B
>.com</B
></TT
> for signing, if the
	.com zone is DNSSEC-aware and the administrators of the two zones
	have some mechanism for authenticating each other and exchanging
	the keys and signatures securely.
    </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN112"
></A
><H2
>SEE ALSO</H2
><P
>      <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-keygen</SPAN
>(8)</SPAN
>,
      <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signkey</SPAN
>(8)</SPAN
>,
      <I
CLASS="CITETITLE"
>BIND 9 Administrator Reference Manual</I
>,
      <I
CLASS="CITETITLE"
>RFC 2535</I
>.
    </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN123"
></A
><H2
>AUTHOR</H2
><P
>        Internet Software Consortium
    </P
></DIV
></BODY
></HTML
>