genkrf man page

genkrf — Generate a keyrec file from Key Signing Key (KSK) and/or Zone Signing Key (ZSK) files


  genkrf [options] <zone-file> [<signed-zone-file>]


genkrf generates a keyrec file from KSK and/or ZSK files.  It generates new KSK and ZSK keys if needed.

The name of the keyrec file to be generated is given by the -krfile option.  If this option is not specified, zone-name.krf is used as the name of the keyrec file.  If the keyrec file already exists, it will be overwritten with new keyrec definitions.

The zone-file argument is required.  It specifies the name of the zone file from which the signed zone file was created.  The optional signed-zone-file argument specifies the name of the signed zone file.  If it is not given, then it defaults to zone-file.signed.  The signed zone file field is, in effect, a dummy field as the zone file is not actually signed.


genkrf has a number of options that assist in creation of the keyrec file.  These options will be set to the first value found from this search path:

    command line options
    DNSSEC-Tools configuration file
    DNSSEC-Tools defaults

See for more details. Exceptions to this are given in the option descriptions.

The genkrf options are described below.

General genkrf Options

-zone zone-name

This option specifies the name of the zone.  If it is not given then zone-file will be used as the name of the zone.

-krfile keyrec-file

This option specifies the name of the keyrec file to be generated. If it is not given, then zone-name.krf will be used.

-algorithm algorithm

This option specifies the algorithm used to generate encryption keys.

-endtime endtime

This option specifies the time that the signature on the zone expires, measured in seconds.

-random random-device

Source of randomness used to generate the zone's keys. See the man page for dnssec-signzone for the valid format of this field.


Display additional messages during processing.  If this option is given at least once, then a message will be displayed indicating the successful generation of the keyrec file.  If it is given twice, then the values of all options will also be displayed.


Displays the version information for genkrf and the DNSSEC-Tools package.


Display a usage message.
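Because genkrf overwrites an existing keyrec file, a wrapper can save the old file before the run. The following is an added example, not part of the DNSSEC-Tools distribution; the helper names krf_path, backup_krf and safe_genkrf are hypothetical, and only the -zone and -krfile options documented above are passed to genkrf.

```shell
# Added example: krf_path, backup_krf and safe_genkrf are hypothetical helpers.

# Print the keyrec file genkrf will write: the -krfile value if given,
# otherwise <zone-name>.krf, where zone-name falls back to the zone file name.
#   $1 = zone file, $2 = -zone value (may be empty), $3 = -krfile value (may be empty)
krf_path() {
    zone=${2:-$1}
    printf '%s\n' "${3:-$zone.krf}"
}

# Copy an existing keyrec file aside (permissions and times preserved) before
# genkrf replaces it. Prints the backup path, or nothing if no file existed.
backup_krf() {
    krf=$1
    [ -e "$krf" ] || return 0
    bak="$krf.$(date +%Y%m%d%H%M%S).bak"
    # Refuse to clobber an earlier backup taken within the same second.
    [ ! -e "$bak" ] || return 1
    cp -p -- "$krf" "$bak" && printf '%s\n' "$bak"
}

# Usage: safe_genkrf <zone-file> [zone-name] [keyrec-file]
# Resolves the target keyrec file, backs it up, then runs genkrf with the
# resolved names given explicitly so the backup and the output always match.
safe_genkrf() {
    zonefile=$1
    zonename=${2:-$1}
    target=$(krf_path "$zonefile" "${2:-}" "${3:-}")
    backup_krf "$target" >/dev/null || {
        echo "safe_genkrf: could not back up $target, not running genkrf" >&2
        return 1
    }
    genkrf -zone "$zonename" -krfile "$target" "$zonefile"
}
```

Call it as `safe_genkrf example.com`; the previous example.com.krf, if any, is kept beside the new one with a timestamped .bak suffix.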


Wayne Morrison

See Also

dnssec-keygen(8), dnssec-signzone(8), zonesigner(8)

conf(5), keyrec(5)


2015-06-30 perl v5.24.0 User Contributed Perl Documentation