Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1m‎ > ‎


     dnssec-makekeyset - DNSSEC zone signing tool

     dnssec-makekeyset [-ahp] [-s start-time] [-e  end-time]  [-r
     randomdev] [-t ttl] [-v level] key...

     The dnssec-makekeyset utility generates a key set  from  one
     or more keys created by dnssec-keygen(1M). It creates a file
     containing a KEY record for each key, and self-signs the key
     set  with  each  zone  key.  The  output file is of the form
     keyset-nnnn., where nnnn is the zone name.

     -a              Verify all generated signatures.

     -e end-time     Specify the date and time when the generated
                     SIG  records  expire. As with start-time, an
                     absolute time is indicated in YYYYMMDDHHMMSS
                     notation.  A time relative to the start time
                     is indicated with +N,  which  is  N  seconds
                     from  the start time. A time relative to the
                     current time is indicated with now+N. If  no
                     end-time  is  specified,  30  days  from the
                     start time is used as a default.

     -h              Print a short summary  of  the  options  and
                     arguments to dnssec-makekeyset().

     -p              Use  pseudo-random  data  when  signing  the
                     zone.  This is faster, but less secure, than
                     using real random data. This option  may  be
                     useful  when signing large zones or when the
                     entropy source is limited.

     -r randomdev    Specify the source  of  randomness.  If  the
                     operating   system   does   not   provide  a
                     /dev/random  or   equivalent   device,   the
                     default  source  of  randomness  is keyboard
                     input. The randomdev argument specifies  the
                     name  of a character device or file contain-
                     ing random data to be used  instead  of  the
                     default.    The   special   value   keyboard
                     indicates  that  keyboard  input  should  be

     -s start-time   Specify the date and time when the generated
                     SIG records become valid. This can be either
                     an absolute or relative  time.  An  absolute
                     start  time  is  indicated  by  a  number in
                     YYYYMMDDHHMMSS   notation;    20000530144500
                     denotes  14:45:00  UTC  on May 30th, 2000. A
                     relative start  time  is  indicated  by  +N,
                     which is N seconds from the current time. If
                     no start-time is specified, the current time
                     is used.

     -t ttl          Specify the TTL (time to live)  of  the  KEY
                     and   SIG   records.  The  default  is  3600

     -v level        Set the debugging level.

     The following operands are supported:

     key             The list of  keys  to  be  included  in  the
                     keyset file. These keys are expressed in the
                     form  Knnnn.+aaa+iiiii   as   generated   by

     Example 1: Generates a keyset containing  the  DSA  key  for

     The following command generates a keyset containing the  DSA
     key  for  example.com  generated  in  the  dnssec-keygen(1M)
     manual page.

     dnssec-makekeyset -t 86400 -s 20000701120000 -e +2592000 \

     In  this  example,  dnssec-makekeyset()  creates  the   file
     keyset-example.com. This file contains the specified key and
     a self-generated signature.
     The DNS administrator for  example.com  could  send  keyset-
     example.com.  to the DNS administrator for .com for signing,
     if the .com zone is DNSSEC-aware and the  administrators  of
     the  two  zones  have some mechanism for authenticating each
     other and exchanging the keys and signatures securely.

     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWbind9                   |
    | Interface Stability         | External                    |

     dnssec-keygen(1M), dnssec-signkey(1M), attributes(5)

     RFC 2535

     BIND 9 Administrator Reference Manual

     Source for BIND9 is available in the SUNWbind9S package.

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.