DNSSEC-MAKEKEYSET(8)                                      DNSSEC-MAKEKEYSET(8)

       dnssec-makekeyset - DNSSEC zone signing tool

       dnssec-makekeyset [ -a ]  [ -s start-time ]  [ -e end-time ]  [ -h ]  [
       -p ]  [ -r randomdev ]  [ -tttl ]  [ -v level ]  key...

       dnssec-makekeyset generates a key set from one or more keys created  by
       dnssec-keygen.  It creates a file containing a KEY record for each key,
       and self-signs the key set with each zone key. The output  file  is  of
       the form keyset-nnnn., where nnnn is the zone name.

       -a     Verify all generated signatures.

       -s start-time
              Specify  the date and time when the generated SIG records become
              valid. This can be either an absolute or relative time. An abso-
              lute start time is indicated by a number in YYYYMMDDHHMMSS nota-
              tion; 20000530144500 denotes 14:45:00 UTC on May 30th,  2000.  A
              relative  start time is indicated by +N, which is N seconds from
              the current time.  If no start-time is  specified,  the  current
              time is used.

       -e end-time
              Specify the date and time when the generated SIG records expire.
              As with start-time, an absolute time is indicated in YYYYMMDDHH-
              MMSS  notation.  A  time relative to the start time is indicated
              with +N, which is N seconds from the start time. A time realtive
              to  the  current time is indicated with now+N. If no end-time is
              specified, 30 days from the start time is used as a default.

       -h     Prints a short summary of the options and arguments  to  dnssec-

       -p     Use  pseudo-random  data  when signing the zone. This is faster,
              but less secure, than using real random data. This option may be
              useful  when  signing  large zones or when the entropy source is

       -r randomdev
              Specifies the source of randomness. If the operating system does
              not  provide  a  /dev/random  or  equivalent device, the default
              source of randomness is keyboard input. randomdev specifies  the
              name  of a character device or file containing random data to be
              used instead of the default. The special  value  keyboard  indi-
              cates that keyboard input should be used.

       -t ttl Specify  the TTL (time to live) of the KEY and SIG records.  The
              default is 3600 seconds.

       -v level
              Sets the debugging level.

       key    The list of keys to be included in the keyset file.  These  keys
              are  expressed  in  the  form  Knnnn.+aaa+iiiii  as generated by

       The following command generates a keyset containing  the  DSA  key  for generated in the dnssec-keygen man page.

       dnssec-makekeyset   -t  86400  -s  20000701120000  -e  +2592000  Kexam-

       In  this  example,  dnssec-makekeyset  creates  the  file  keyset-exam-  This  file  contains  the specified key and a self-generated

       The DNS administrator for could send to
       the DNS administrator for .com for signing, if the .com zone is DNSSEC-
       aware and the administrators of the two zones have some  mechanism  for
       authenticating  each  other  and  exchanging  the  keys  and signatures

       dnssec-keygen(8), dnssec-signkey(8),  BIND  9  Administrator  Reference
       Manual, RFC 2535.

       Internet Software Consortium

BIND9                            June 30, 2000            DNSSEC-MAKEKEYSET(8)