dnssec-keygen.docbook revision 0b062f4990db5cc6db2fe3398926f71b92a67407
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentrytitle><application>dnssec-keygen</application></refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refname><application>dnssec-keygen</application></refname>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refpurpose>DNSSEC key generation tool</refpurpose>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refnamediv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <command>dnssec-keygen</command> generates keys for DNSSEC
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington (Secure DNS), as defined in RFC 2535. It can also generate
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington keys for use with TSIG (Transaction Signatures), as
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington defined in RFC 2845.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-a <replaceable class="parameter">algorithm</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Selects the cryptographic algorithm. The value of
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <option>algorithm</option> must be one of RSAMD5 or RSA,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington DSA, DH (Diffie Hellman), or HMAC-MD5. These values
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington are case insensitive.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Note that for DNSSEC, DSA is a mandatory to implement algorithm,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-b <replaceable class="parameter">keysize</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the number of bits in the key. The choice of key
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington size depends on the algorithm used. RSA keys must be between
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington 512 and 2048 bits. Diffie Hellman keys must be between
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington 128 and 4096 bits. DSA keys must be between 512 and 1024
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington bits and an exact multiple of 64. HMAC-MD5 keys must be
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington between 1 and 512 bits.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-n <replaceable class="parameter">nametype</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the owner type of the key. The value of
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <option>nametype</option> must either be ZONE (for a DNSSEC
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington zone key), HOST or ENTITY (for a key associated with a host),
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington or USER (for a key associated with a user). These values are
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington case insensitive.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-c <replaceable class="parameter">class</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Indicates that the DNS record containing the key should have
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the specified class. If not specified, class IN is used.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington If generating an RSA key, use a large exponent.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-g <replaceable class="parameter">generator</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington If generating a Diffie Hellman key, use this generator.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Allowed values are 2 and 5. If no generator
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington is specified, a known prime from RFC 2539 will be used
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington if possible; otherwise the default is 2.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Prints a short summary of the options and arguments to
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-p <replaceable class="parameter">protocol</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Sets the protocol value for the generated key. The protocol
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington is a number between 0 and 255. The default is 2 (email) for
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington keys of type USER and 3 (DNSSEC) for all other key types.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Other possible values for this argument are listed in
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington RFC 2535 and its successors.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-r <replaceable class="parameter">randomdev</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the source of randomness. If the operating
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington system does not provide a <filename>/dev/random</filename>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington or equivalent device, the default source of randomness
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington is keyboard input. <filename>randomdev</filename> specifies
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the name of a character device or file containing random
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington data to be used instead of the default. The special value
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <filename>keyboard</filename> indicates that keyboard
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington input should be used.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-s <replaceable class="parameter">strength</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the strength value of the key. The strength is
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington a number between 0 and 15, and currently has no defined
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington purpose in DNSSEC.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-t <replaceable class="parameter">type</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Indicates the use of the key. <option>type</option> must be
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington is AUTHCONF. AUTH refers to the ability to authenticate
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington data, and CONF the ability to encrypt data.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-v <replaceable class="parameter">level</replaceable></term>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Sets the debugging level.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington When <command>dnssec-keygen</command> completes successfully,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington to the standard output. This is an identification string for
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the key it has generated. These strings can be used as arguments
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <filename>aaa</filename> is the numeric representation of the algorithm.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <filename>iiiii</filename> is the key identifier (or footprint).
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <command>dnssec-keygen</command> creates two file, with names based
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington contains the public key, and
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <filename>Knnnn.+aaa+iiiii.private</filename> contains the private
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The <filename>.key</filename> file contains a DNS KEY record that
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington can be inserted into a zone file (directly or with a $INCLUDE
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The <filename>.private</filename> file contains algorithm specific
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington fields. For obvious security reasons, this file does not have
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington general read permission.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Both <filename>.key</filename> and <filename>.private</filename>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington files are generated for symmetric encryption algorithm such as
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington HMAC-MD5, even though the public and private key are equivalent.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington To generate a 768-bit DSA key for the domain
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <userinput>example.com</userinput>, the following command would be
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The command would print a string of the form:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <userinput>Kexample.com.+003+26160</userinput>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington In this example, <command>dnssec-keygen</command> creates
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the files <filename>Kexample.com.+003+26160.key</filename> and
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <filename>Kexample.com.+003+26160.private</filename>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <citerefentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentrytitle>dnssec-makekeyset</refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </citerefentry>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <citerefentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentrytitle>dnssec-signkey</refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </citerefentry>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <citerefentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentrytitle>dnssec-signzone</refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </citerefentry>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <corpauthor>Internet Software Consortium</corpauthor>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - Local variables: