GENKRF(1)         User Contributed Perl Documentation         GENKRF(1)

NAME
       genkrf - Generate a keyrec file from Key Signing Key (KSK) and/or
       Zone Signing Key (ZSK) files

SYNOPSIS
       genkrf [options] <zone-file> [<signed-zone-file>]

DESCRIPTION
       genkrf generates a keyrec file from KSK and/or ZSK files. It
       generates new KSK and ZSK keys if needed.

       The name of the keyrec file to be generated is given by the -krfile
       option. If this option is not specified, zone-name.krf is used as
       the name of the keyrec file. If the keyrec file already exists, it
       will be overwritten with new keyrec definitions.

       The zone-file argument is required. It specifies the name of the
       zone file from which the signed zone file was created. The optional
       signed-zone-file argument specifies the name of the signed zone
       file. If it is not given, then it defaults to zone-file.signed.
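
       Because an existing keyrec file is overwritten, a wrapper can save it
       first. The following is an added example, not part of DNSSEC-Tools;
       the function names and the ".bak.N" naming are assumptions, and only
       -zone, -krfile and the default file names come from this page.

```shell
#!/bin/sh
# Added example, not DNSSEC-Tools code. Function names and the ".bak.N"
# backup naming are assumptions of this example.

# krf_target ZONE_FILE [ZONE_NAME] [KRFILE]
# Print the keyrec file genkrf will write: KRFILE if given, otherwise
# <zone-name>.krf, where zone-name falls back to the zone file name.
krf_target() {
    kt_zone=${2:-$1}
    if [ -n "${3:-}" ]; then
        printf '%s\n' "$3"
    else
        printf '%s.krf\n' "$kt_zone"
    fi
}

# krf_backup PATH
# If PATH exists, copy it to the first unused PATH.bak.N (keeping mode and
# timestamps) and print the backup name. Prints nothing if PATH is absent.
krf_backup() {
    [ -e "$1" ] || return 0
    kb_n=1
    while [ -e "$1.bak.$kb_n" ]; do
        kb_n=$((kb_n + 1))
    done
    cp -p "$1" "$1.bak.$kb_n" || return 1
    printf '%s\n' "$1.bak.$kb_n"
}

# safe_genkrf ZONE_FILE [ZONE_NAME] [KRFILE]
# Back up the keyrec file that is about to be overwritten, then run genkrf
# with the zone name and keyrec file stated explicitly.
safe_genkrf() {
    if [ $# -lt 1 ]; then
        echo "usage: safe_genkrf zone-file [zone-name] [keyrec-file]" >&2
        return 2
    fi
    sg_target=$(krf_target "$@") || return 1
    krf_backup "$sg_target" >/dev/null || return 1
    genkrf -zone "${2:-$1}" -krfile "$sg_target" "$1"
}
```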

OPTIONS
       genkrf has a number of options that assist in creation of the keyrec
       file. These options will be set to the first value found from this
       search path:

           command line options
           DNSSEC-Tools configuration file
           DNSSEC-Tools defaults

       See tooloptions.pm(3) for more details. Exceptions to this are given
       in the option descriptions.

       The genkrf options are described below.

   General genkrf Options

       -zone zone-name
           This option specifies the name of the zone. If it is not given
           then zone-file will be used as the name of the zone.

       -krfile keyrec-file
           This option specifies the name of the keyrec file to be
           generated. If it is not given, then zone-name.krf will be used.

       -algorithm algorithm
           This option specifies the algorithm used to generate encryption
           keys.

       -endtime endtime
           This option specifies the time that the signature on the zone
           expires, measured in seconds.

       -random random-device
           Source of randomness used to generate the zone's keys. See the
           man page for dnssec-signzone for the valid format of this field.

       -verbose
           Display additional messages during processing. If this option is
           given at least once, then a message will be displayed indicating
           the successful generation of the keyrec file. If it is given
           twice, then the values of all options will also be displayed.

       -help
           Display a usage message.

   KSK-related Options

       -kskcur KSK-name
           This option specifies the Current KSK's key file being used to
           sign the zone. If this option is not given, a new KSK will be
           created.

       -kskcount KSK-count
           This option specifies the number of KSK keys that will be
           generated. If this option is not given, the default given in the
           DNSSEC-Tools configuration file will be used.

       -kskdir KSK-directory
           This option specifies the absolute or relative path of the
           directory where the KSK resides. If this option is not given, it
           defaults to the current directory ".".

       -ksklength KSK-length
           This option specifies the length of the KSK encryption key.

       -ksklife KSK-lifespan
           This option specifies the lifespan of the KSK encryption key.
           This lifespan is not inherent to the key itself. It is only used
           to determine when the KSK must be rolled over.

   ZSK-related Options

       -zskcur ZSK-name
           This option specifies the current ZSK being used to sign the
           zone. If this option is not given, a new ZSK will be created.

       -zskpub ZSK-name
           This option specifies the published ZSK for the zone. If this
           option is not given, a new ZSK will be created.

       -zskcount ZSK-count
           This option specifies the number of current and published ZSK
           keys that will be generated. If this option is not given, the
           default given in the DNSSEC-Tools configuration file will be
           used.

       -zskdir ZSK-directory
           This option specifies the absolute or relative path of the
           directory where the ZSKs reside. If this option is not given, it
           defaults to the current directory ".".

       -zsklength ZSK-length
           This option specifies the length of the ZSK encryption key.

       -zsklife ZSK-lifespan
           This option specifies the lifespan of the ZSK encryption key.
           This lifespan is not inherent to the key itself. It is only used
           to determine when the ZSK must be rolled over.

COPYRIGHT
       Copyright 2005-2007 SPARTA, Inc. All rights reserved. See the
       COPYING file included with the DNSSEC-Tools package for details.

AUTHOR
       Wayne Morrison, tewok@users.sourceforge.net

SEE ALSO
       dnssec-keygen(8), dnssec-signzone(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3),
       Net::DNS::SEC::Tools::defaults.pm(3),
       Net::DNS::SEC::Tools::keyrec.pm(3)

       conf(5), keyrec(5)

perl v5.8.8                       2007-09-14                       GENKRF(1)