NAME
genkrf - Generate a keyrec file from Key Signing Key (KSK) and/or Zone Signing Key (ZSK) files
SYNOPSIS
genkrf [options] <zone-file> [<signed-zone-file>]
DESCRIPTION
genkrf generates a keyrec file from KSK and/or ZSK files. It generates new KSK and ZSK keys if needed.
The name of the keyrec file to be generated is given by the -krfile option. If this option is not specified, zone-name.krf is used as the name of the keyrec file. If the keyrec file already exists, it will be overwritten with new keyrec definitions.
The zone-file argument is required. It specifies the name of the zone file from which the signed zone file was created. The optional signed-zone-file argument specifies the name of the signed zone file. If it is not given, then it defaults to zone-file.signed. The signed zone file field is, in effect, a dummy field as the zone file is not actually signed.
OPTIONS
genkrf has a number of options that assist in creation of the keyrec file. These options will be set to the first value found from this search path:
    command line options
    DNSSEC-Tools configuration file
    DNSSEC-Tools defaults
See tooloptions.pm(3) for more details. Exceptions to this are given in the option descriptions.
The genkrf options are described below.
General genkrf Options
- -zone zone-name
  This option specifies the name of the zone. If it is not given, then zone-file will be used as the name of the zone.
- -krfile keyrec-file
  This option specifies the name of the keyrec file to be generated. If it is not given, then zone-name.krf will be used.
- -algorithm algorithm
  This option specifies the algorithm used to generate encryption keys.
- -endtime endtime
  This option specifies the time that the signature on the zone expires, measured in seconds.
- -random random-device
  Source of randomness used to generate the zone's keys. See the man page for dnssec-signzone for the valid format of this field.
- -verbose
  Display additional messages during processing. If this option is given at least once, then a message will be displayed indicating the successful generation of the keyrec file. If it is given twice, then the values of all options will also be displayed.
- -Version
  Displays the version information for genkrf and the DNSSEC-Tools package.
- -help
  Display a usage message.
- -kskcur KSK-name
  This option specifies the Current KSK's key file being used to sign the zone. If this option is not given, a new KSK will be created.
- -kskcount KSK-count
  This option specifies the number of KSK keys that will be generated. If this option is not given, the default given in the DNSSEC-Tools configuration file will be used.
- -kskdir KSK-directory
  This option specifies the absolute or relative path of the directory where the KSK resides. If this option is not given, it defaults to the current directory ".".
- -ksklength KSK-length
  This option specifies the length of the KSK encryption key.
- -ksklife KSK-lifespan
  This option specifies the lifespan of the KSK encryption key. This lifespan is not inherent to the key itself. It is only used to determine when the KSK must be rolled over.
- -zskcur ZSK-name
  This option specifies the current ZSK being used to sign the zone. If this option is not given, a new ZSK will be created.
- -zskpub ZSK-name
  This option specifies the published ZSK for the zone. If this option is not given, a new ZSK will be created.
- -zskcount ZSK-count
  This option specifies the number of current and published ZSK keys that will be generated. If this option is not given, the default given in the DNSSEC-Tools configuration file will be used.
- -zskdir ZSK-directory
  This option specifies the absolute or relative path of the directory where the ZSKs reside. If this option is not given, it defaults to the current directory ".".
- -zsklength ZSK-length
  This option specifies the length of the ZSK encryption key.
- -zsklife ZSK-lifespan
  This option specifies the lifespan of the ZSK encryption key. This lifespan is not inherent to the key itself. It is only used to determine when the ZSK must be rolled over.
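Because genkrf overwrites an existing keyrec file, a wrapper can work out which file a given command line would replace and keep a copy first. The following is an added example, not part of genkrf or DNSSEC-Tools; the function names krf_path, backup_krf and safe_genkrf are hypothetical. It assumes options are spelled in full and that the keyrec file name follows the -krfile / -zone / zone-file rules described above.

```shell
#!/bin/sh
# Added example; not part of DNSSEC-Tools. Function names are hypothetical.

# krf_path ARGS...: print the keyrec file name genkrf would write for ARGS:
# -krfile if given, else <zone-name>.krf, where zone-name is -zone if given,
# else the zone-file argument (the rules stated on this page).
# Assumption: options are spelled in full; "-opt value", "-opt=value" and a
# leading "--" are all tolerated by this parser.
krf_path() (
    krfile='' zone='' zonefile=''
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in --*) arg=${arg#-} ;; esac
        case $arg in
            -verbose|-Version|-help) continue ;;        # flags take no value
            -*=*) name=${arg%%=*}; val=${arg#*=} ;;
            -*)   name=$arg; val=${1-}; if [ $# -gt 0 ]; then shift; fi ;;
            *)    [ -n "$zonefile" ] || zonefile=$arg   # first positional
                  continue ;;
        esac
        case $name in
            -krfile) krfile=$val ;;
            -zone)   zone=$val ;;
        esac
    done
    [ -n "$zonefile" ] || { echo "krf_path: zone-file is required" >&2; exit 2; }
    [ -n "$zone" ] || zone=$zonefile
    [ -n "$krfile" ] || krfile=$zone.krf
    printf '%s\n' "$krfile"
)

# backup_krf FILE: if FILE exists, copy it (mode and times preserved) to
# FILE.bak.<UTC timestamp> and print the copy's name; otherwise print nothing.
backup_krf() (
    [ -e "$1" ] || exit 0
    bak=$1.bak.$(date -u +%Y%m%dT%H%M%SZ)
    cp -p -- "$1" "$bak" && printf '%s\n' "$bak"
)

# safe_genkrf ARGS...: keep a copy of the keyrec file that is about to be
# overwritten, then run genkrf with the same arguments.
# Usage: safe_genkrf -zone example.com db.example.com
safe_genkrf() (
    krf=$(krf_path "$@") || exit
    bak=$(backup_krf "$krf") || exit
    [ -z "$bak" ] || echo "genkrf will overwrite $krf; copy kept as $bak" >&2
    genkrf "$@"
)
```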
COPYRIGHT
Copyright 2005-2012 SPARTA, Inc. All rights reserved. See the COPYING file included with the DNSSEC-Tools package for details.
AUTHOR
Wayne Morrison, tewok@tislabs.com
SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), zonesigner(8)
Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3), Net::DNS::SEC::Tools::keyrec.pm(3)
conf(5), keyrec(5)