Provided by: dnssec-tools_2.2-2_all

NAME

       genkrf - Generate a keyrec file from Key Signing Key (KSK) and/or Zone Signing Key (ZSK)
       files

SYNOPSIS

         genkrf [options] <zone-file> [<signed-zone-file>]

DESCRIPTION

       genkrf generates a keyrec file from KSK and/or ZSK files.  It generates new KSK and ZSK
       keys if needed.

       The name of the keyrec file to be generated is given by the -krfile option.  If this
       option is not specified, zone-name.krf is used as the name of the keyrec file.  If the
       keyrec file already exists, it will be overwritten with new keyrec definitions.

       The zone-file argument is required.  It specifies the name of the zone file from which the
       signed zone file was created.  The optional signed-zone-file argument specifies the name
       of the signed zone file.  If it is not given, then it defaults to zone-file.signed.  The
       signed zone file field is, in effect, a dummy field as the zone file is not actually
       signed.

OPTIONS

       genkrf has a number of options that assist in creation of the keyrec file.  These options
       will be set to the first value found from this search path:

           command line options
           DNSSEC-Tools configuration file
           DNSSEC-Tools defaults

       See tooloptions.pm(3) for more details.  Exceptions to this are given in the option
       descriptions.

       The genkrf options are described below.

   General genkrf Options
       -zone zone-name
           This option specifies the name of the zone.  If it is not given then zone-file will be
           used as the name of the zone.

       -krfile keyrec-file
           This option specifies the name of the keyrec file to be generated.  If it is not
           given, then zone-name.krf will be used.

       -algorithm algorithm
           This option specifies the algorithm used to generate encryption keys.

       -endtime endtime
           This option specifies the time that the signature on the zone expires, measured in
           seconds.

       -random random-device
           Source of randomness used to generate the zone's keys.  See the man page for
           dnssec-signzone for the valid format of this field.

       -verbose
           Display additional messages during processing.  If this option is given at least once,
           then a message will be displayed indicating the successful generation of the keyrec
           file.  If it is given twice, then the values of all options will also be displayed.

       -Version
           Displays the version information for genkrf and the DNSSEC-Tools package.

       -help
           Display a usage message.

   KSK-related Options
       -kskcur KSK-name
           This option specifies the Current KSK's key file being used to sign the zone.  If this
           option is not given, a new KSK will be created.

       -kskcount KSK-count
           This option specifies the number of KSK keys that will be generated.  If this option
           is not given, the default given in the DNSSEC-Tools configuration file will be used.

       -kskdir KSK-directory
           This option specifies the absolute or relative path of the directory where the KSK
           resides.  If this option is not given, it defaults to the current directory ".".

       -ksklength KSK-length
           This option specifies the length of the KSK encryption key.

       -ksklife KSK-lifespan
           This option specifies the lifespan of the KSK encryption key.  This lifespan is not
           inherent to the key itself.  It is only used to determine when the KSK must be rolled
           over.

   ZSK-related Options
       -zskcur ZSK-name
           This option specifies the current ZSK being used to sign the zone.  If this option is
           not given, a new ZSK will be created.

       -zskpub ZSK-name
           This option specifies the published ZSK for the zone.  If this option is not given, a
           new ZSK will be created.

       -zskcount ZSK-count
           This option specifies the number of current and published ZSK keys that will be
           generated.  If this option is not given, the default given in the DNSSEC-Tools
           configuration file will be used.

       -zskdir ZSK-directory
           This option specifies the absolute or relative path of the directory where the ZSKs
           reside.  If this option is not given, it defaults to the current directory ".".

       -zsklength ZSK-length
           This option specifies the length of the ZSK encryption key.

       -zsklife ZSK-lifespan
           This option specifies the lifespan of the ZSK encryption key.  This lifespan is not
           inherent to the key itself.  It is only used to determine when the ZSK must be rolled
           over.
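
       Because genkrf overwrites an existing keyrec file, the following added example (not part
       of DNSSEC-Tools) works out which keyrec file a given command line would write, using the
       -krfile and -zone defaults described above, and copies any existing file aside before
       running genkrf.  The function names krf_target and safe_genkrf are hypothetical, and the
       sketch assumes options are written in the single-dash, separate-value form shown on this
       page and that the keyrec file name is relative to the current directory.

```shell
# Added example; not part of DNSSEC-Tools.

# krf_target ARGS...: print the keyrec file name genkrf would write for
# ARGS, using the defaults documented above. Exits 2 if zone-file is missing.
# The body runs in a subshell so its variables do not leak into the caller.
krf_target() (
    zone="" krfile="" zonefile=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -verbose|-Version|-help) shift ;;       # flags without a value
            -*) [ $# -ge 2 ] || exit 2              # all other options take one value
                case "$1" in
                    -krfile) krfile=$2 ;;
                    -zone)   zone=$2 ;;
                esac
                shift 2 ;;
            *)  : "${zonefile:=$1}"                 # first positional is zone-file
                shift ;;
        esac
    done
    [ -n "$zonefile" ] || exit 2                    # zone-file is required
    if [ -n "$krfile" ]; then
        printf '%s\n' "$krfile"                     # -krfile wins
    else
        printf '%s\n' "${zone:-$zonefile}.krf"      # zone-name.krf; zone defaults to zone-file
    fi
)

# safe_genkrf ARGS...: keep a timestamped copy of an existing keyrec file,
# then run genkrf with the same arguments.
safe_genkrf() {
    target=$(krf_target "$@") || {
        echo "safe_genkrf: zone-file argument is required" >&2
        return 2
    }
    if [ -e "$target" ]; then
        backup="$target.$(date +%Y%m%d%H%M%S).bak"
        cp -p -- "$target" "$backup" || return 1
        echo "safe_genkrf: saved existing keyrec file as $backup" >&2
    fi
    genkrf "$@"
}
```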

COPYRIGHT

       Copyright 2005-2014 SPARTA, Inc.  All rights reserved.  See the COPYING file included with
       the DNSSEC-Tools package for details.

AUTHOR

       Wayne Morrison, tewok@tislabs.com

SEE ALSO

       dnssec-keygen(8), dnssec-signzone(8), zonesigner(8)

       Net::DNS::SEC::Tools::conf.pm(3), Net::DNS::SEC::Tools::defaults.pm(3),
       Net::DNS::SEC::Tools::keyrec.pm(3)

       conf(5), keyrec(5)