dnssec-makekeyset.html revision d4ef65050feac78554addf6e16a06c6e2e0bd331
<!--
 - Copyright (C) 2001 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
 - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
 - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->

<!-- $Id: dnssec-makekeyset.html,v 1.2 2001/04/10 21:50:31 bwelling Exp $ -->

<HTML
><HEAD
><TITLE
>dnssec-makekeyset</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.61
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>dnssec-makekeyset</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>dnssec-makekeyset</SPAN
>&nbsp;--&nbsp;DNSSEC zone signing tool</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>dnssec-makekeyset</B
> [<TT
CLASS="OPTION"
>-a</TT
>] [<TT
CLASS="OPTION"
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-h</TT
>] [<TT
CLASS="OPTION"
>-p</TT
>] [<TT
CLASS="OPTION"
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-t <TT
CLASS="REPLACEABLE"
><I
>ttl</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></TT
>] {key...}</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN38"
></A
><H2
>DESCRIPTION</H2
><P
> <B
CLASS="COMMAND"
>dnssec-makekeyset</B
> generates a key set from one
 or more keys created by <B
CLASS="COMMAND"
>dnssec-keygen</B
>. It creates
 a file containing a KEY record for each key, and self-signs the key
 set with each zone key. The output file is of the form
 <TT
CLASS="FILENAME"
>keyset-nnnn.</TT
>, where <TT
CLASS="FILENAME"
>nnnn</TT
>
 is the zone name.
 </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN45"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a</DT
><DD
><P
> Verify all generated signatures.
 </P
></DD
><DT
>-s <TT
CLASS="REPLACEABLE"
><I
>start-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
 become valid. This can be either an absolute or relative
 time. An absolute start time is indicated by a number
 in YYYYMMDDHHMMSS notation; 20000530144500 denotes
 14:45:00 UTC on May 30th, 2000. A relative start time is
 indicated by +N, which is N seconds from the current time.
 If no <TT
CLASS="OPTION"
>start-time</TT
> is specified, the current
 time is used.
 </P
></DD
><DT
>-e <TT
CLASS="REPLACEABLE"
><I
>end-time</I
></TT
></DT
><DD
><P
> Specify the date and time when the generated SIG records
 expire. As with <TT
CLASS="OPTION"
>start-time</TT
>, an absolute
 time is indicated in YYYYMMDDHHMMSS notation. A time relative
 to the start time is indicated with +N, which is N seconds from
 the start time. A time relative to the current time is
 indicated with now+N. If no <TT
CLASS="OPTION"
>end-time</TT
> is
 specified, 30 days from the start time is used as a default.
 </P
></DD
><DT
>-h</DT
><DD
><P
> Prints a short summary of the options and arguments to
 <B
CLASS="COMMAND"
>dnssec-makekeyset</B
>.
 </P
></DD
><DT
>-p</DT
><DD
><P
> Use pseudo-random data when signing the zone. This is faster,
 but less secure, than using real random data. This option
 may be useful when signing large zones or when the entropy
 source is limited.
 </P
></DD
><DT
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></DT
><DD
><P
> Specifies the source of randomness. If the operating
 system does not provide a <TT
CLASS="FILENAME"
>/dev/random</TT
>
 or equivalent device, the default source of randomness
 is keyboard input. <TT
CLASS="FILENAME"
>randomdev</TT
> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <TT
CLASS="FILENAME"
>keyboard</TT
> indicates that keyboard
 input should be used.
 </P
></DD
><DT
>-t <TT
CLASS="REPLACEABLE"
><I
>ttl</I
></TT
></DT
><DD
><P
> Specify the TTL (time to live) of the KEY and SIG records.
 The default is 3600 seconds.
 </P
></DD
><DT
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></DT
><DD
><P
> Sets the debugging level.
 </P
></DD
><DT
>key</DT
><DD
><P
> Lists the keys included in the keyset file. These keys
 are expressed in the form <TT
CLASS="FILENAME"
>Knnnn.+aaa+iiiii</TT
>
 as generated by <B
CLASS="COMMAND"
>dnssec-keygen</B
>.
 </P
></DD
></DL
></DIV
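><P
> The option rules above, worked through in an added example that is not
 part of this manual page or of BIND: the Python below (an editor's addition;
 names such as plan_keyset and parse_key_name are its own) interprets a
 dnssec-makekeyset argument list, applies the -s/-e time syntax and the
 documented defaults (start = now, end = start + 30 days, TTL = 3600),
 splits Knnnn.+aaa+iiiii key names into their fields, and reports the SIG
 inception, expiration and output file name. It signs nothing; the algorithm
 numbers it labels come from RFC 2535.
 </P
><PRE
>
```python
"""Model of the dnssec-makekeyset command line described in this man page.

Added, stand-alone example; not BIND code, and it produces no signatures.
It interprets the -s/-e time syntax (absolute YYYYMMDDHHMMSS, +N, now+N,
30-day default expiry), the -t default of 3600 s, and Knnnn.+aaa+iiiii key
names, and reports what a run would produce. Helper names are this example's
own choices; the algorithm numbers are those assigned by RFC 2535.
"""
import re
from datetime import datetime, timedelta, timezone

TIME_FORMAT = "%Y%m%d%H%M%S"                 # YYYYMMDDHHMMSS, taken as UTC
ABSOLUTE_TIME = re.compile(r"^\d{14}$")
KEY_NAME = re.compile(r"^K(.+\.)\+(\d{3})\+(\d{5})$")   # Knnnn.+aaa+iiiii
DEFAULT_TTL = 3600                           # -t default stated on the page
DEFAULT_LIFETIME = timedelta(days=30)        # -e default: 30 days after start
RFC2535_ALGORITHMS = {1: "RSA/MD5", 2: "Diffie-Hellman", 3: "DSA"}


def parse_absolute(spec):
    """Absolute time in YYYYMMDDHHMMSS notation, e.g. 20000530144500."""
    if not ABSOLUTE_TIME.match(spec):
        raise ValueError("not a YYYYMMDDHHMMSS time: " + spec)
    return datetime.strptime(spec, TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_start(spec, now):
    """-s: absolute time, or +N seconds from now; omitted means now."""
    if spec is None:
        return now
    if spec.startswith("+"):
        return now + timedelta(seconds=int(spec[1:]))
    return parse_absolute(spec)


def parse_end(spec, start, now):
    """-e: absolute time, +N from the start time, now+N from the current
    time; omitted means start + 30 days."""
    if spec is None:
        return start + DEFAULT_LIFETIME
    if spec.startswith("now+"):
        return now + timedelta(seconds=int(spec[4:]))
    if spec.startswith("+"):
        return start + timedelta(seconds=int(spec[1:]))
    return parse_absolute(spec)


def parse_key_name(name):
    """Split a dnssec-keygen file name Knnnn.+aaa+iiiii into its fields."""
    m = KEY_NAME.match(name)
    if m is None:
        raise ValueError("not a dnssec-keygen key name: " + name)
    alg = int(m.group(2))
    return {"zone": m.group(1), "algorithm": alg,
            "algorithm_name": RFC2535_ALGORITHMS.get(alg, "unknown"),
            "key_id": int(m.group(3))}


def plan_keyset(argv, now=None):
    """Interpret an argument list such as the page's example and return the
    TTL, SIG inception/expiration (YYYYMMDDHHMMSS strings), parsed keys and
    the keyset-nnnn output file name. `now` is a YYYYMMDDHHMMSS string so
    relative times are reproducible; omitted means the real current time."""
    now = parse_absolute(now) if now else datetime.now(timezone.utc).replace(microsecond=0)
    opts = {"ttl": DEFAULT_TTL, "start": None, "end": None, "verify": False,
            "pseudo_random": False, "randomdev": None, "debug_level": 0}
    keys = []
    i = 0
    while i != len(argv):
        arg = argv[i]
        if arg == "-a":
            opts["verify"] = True
        elif arg == "-p":
            opts["pseudo_random"] = True
        elif arg in ("-s", "-e", "-t", "-r", "-v"):
            i += 1
            if i == len(argv):
                raise ValueError("option " + arg + " needs an argument")
            value = argv[i]
            if arg == "-s":
                opts["start"] = value
            elif arg == "-e":
                opts["end"] = value
            elif arg == "-t":
                opts["ttl"] = int(value)
            elif arg == "-r":
                opts["randomdev"] = value
            else:
                opts["debug_level"] = int(value)
        elif arg.startswith("-"):
            raise ValueError("unknown option " + arg)
        else:
            keys.append(parse_key_name(arg))
        i += 1
    if not keys:
        raise ValueError("at least one key is required")
    # Added check: one keyset file is written per zone, so all keys must
    # name the same zone.
    zones = {k["zone"] for k in keys}
    if len(zones) != 1:
        raise ValueError("keys belong to different zones: " + ", ".join(sorted(zones)))
    start = parse_start(opts["start"], now)
    end = parse_end(opts["end"], start, now)
    lifetime = (end - start).total_seconds()
    # A SIG whose expiration is not after its inception never validates.
    if lifetime == 0 or lifetime != abs(lifetime):
        raise ValueError("expiration " + end.strftime(TIME_FORMAT)
                         + " is not after inception " + start.strftime(TIME_FORMAT))
    return {"ttl": opts["ttl"], "inception": start.strftime(TIME_FORMAT),
            "expiration": end.strftime(TIME_FORMAT), "lifetime_seconds": int(lifetime),
            "keys": keys, "output_file": "keyset-" + zones.pop(),
            "verify": opts["verify"], "pseudo_random": opts["pseudo_random"],
            "randomdev": opts["randomdev"], "debug_level": opts["debug_level"]}


if __name__ == "__main__":
    # The man page's own example, with "now" pinned to 2000-06-01 00:00:00 UTC.
    plan = plan_keyset(["-t", "86400", "-s", "20000701120000", "-e", "+2592000",
                        "Kexample.com.+003+26160"], now="20000601000000")
    for field in ("output_file", "ttl", "inception", "expiration", "lifetime_seconds"):
        print(field, plan[field])
```
</PRE
><P
> Run as a script it reports the values for the page's example with the
 current time pinned to 20000601000000. The parser also rejects two inputs
 the tool's description leaves implicit: a key list that mixes zones, and an
 end time that is not after the start time.
 </P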
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN98"
></A
><H2
>EXAMPLE</H2
><P
> The following command generates a keyset containing the DSA key for
 <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
> generated in the
 <B
CLASS="COMMAND"
>dnssec-keygen</B
> man page.
 </P
><P
> <TT
CLASS="USERINPUT"
><B
>dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 Kexample.com.+003+26160</B
></TT
>
 </P
><P
> In this example, <B
CLASS="COMMAND"
>dnssec-makekeyset</B
> creates
 the file <TT
CLASS="FILENAME"
>keyset-example.com.</TT
>. This file
 contains the specified key and a self-generated signature.
 </P
><P
> The DNS administrator for <TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
> could
 send <TT
CLASS="FILENAME"
>keyset-example.com.</TT
> to the DNS
 administrator for <TT
CLASS="USERINPUT"
><B
>.com</B
></TT
> for signing, if the
 .com zone is DNSSEC-aware and the administrators of the two zones
 have some mechanism for authenticating each other and exchanging
 the keys and signatures securely.
 </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN112"
></A
><H2
>SEE ALSO</H2
><P
> <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-keygen</SPAN
>(8)</SPAN
>,
 <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signkey</SPAN
>(8)</SPAN
>,
 <I
CLASS="CITETITLE"
>BIND 9 Administrator Reference Manual</I
>,
 <I
CLASS="CITETITLE"
>RFC 2535</I
>.
 </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN123"
></A
><H2
>AUTHOR</H2
><P
> Internet Software Consortium
 </P
></DIV
></BODY
></HTML
>