d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<!--
1c6d1ca3356928847d4ad068c4d346254c35337cTinderbox User - Copyright (C) 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - copyright notice and this permission notice appear in all copies.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington-->
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<!-- Converted by db4-upgrade version 1.0 -->
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <date>2014-02-06</date>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </info>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentryinfo>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <date>August 21, 2015</date>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <corpname>ISC</corpname>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refmeta>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentrytitle><application>dnssec-keygen</application></refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <manvolnum>8</manvolnum>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refmiscinfo>BIND9</refmiscinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refmeta>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refnamediv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refname><application>dnssec-keygen</application></refname>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refpurpose>DNSSEC key generation tool</refpurpose>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refnamediv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <docinfo>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2004</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2005</year>
c1a883f2e04d94e99c433b1f6cfd0c0338f4ed85Mark Andrews <year>2007</year>
3398334b3acda24b086957286288ca9852662b12Automatic Updater <year>2008</year>
dde8659175c5798267fb0fdefd7576e4efe271b3Automatic Updater <year>2009</year>
f428e385a4f7a42196b53de8e134909e8c488258Automatic Updater <year>2010</year>
207cee019eb5cbbe7c905f7c52f7b5d11f8c0305Automatic Updater <year>2011</year>
99d8f5a70440ee8b63ab1745d713b96dde890546Tinderbox User <year>2012</year>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User <year>2014</year>
a6ca100924894cdd8e2b791d75a8cef32b1fba1fTinderbox User <year>2015</year>
1c6d1ca3356928847d4ad068c4d346254c35337cTinderbox User <year>2016</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2000</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2001</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2002</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <year>2003</year>
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews <holder>Internet Software Consortium.</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </docinfo>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <cmdsynopsis sepchar=" ">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <command>dnssec-keygen</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-3</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-C</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-G</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-h</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-k</option></arg>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-q</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-V</option></arg>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-z</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="req" rep="norepeat">name</arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>DESCRIPTION</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><command>dnssec-keygen</command>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews and RFC 4034. It can also generate keys for use with
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt (Transaction Key) as defined in RFC 2930.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt <para>
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt The <option>name</option> of the key is specified on the command
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt line. For DNSSEC keys, this must match the name of the zone for
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt which the key is being generated.
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>OPTIONS</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-a <replaceable class="parameter">algorithm</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Selects the cryptographic algorithm. For DNSSEC keys, the value
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews ECDSAP256SHA256 or ECDSAP384SHA384.
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt For TSIG/TKEY, the value must
 be DH (Diffie-Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews case insensitive.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews If no algorithm is specified, then RSASHA1 will be used by
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews default, unless the <option>-3</option> option is specified,
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews in which case NSEC3RSASHA1 will be used instead. (If
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <option>-3</option> is used and an algorithm is specified,
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews that algorithm will be checked for compatibility with NSEC3.)
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 mandatory.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews automatically set the -T KEY option.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-b <replaceable class="parameter">keysize</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie-Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits. Elliptic curve algorithms do not need
 this parameter.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews The key size does not need to be specified if using a default
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews algorithm. The default key size is 1024 bits for zone signing
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <option>-f KSK</option>). However, if an
 algorithm is explicitly specified with the <option>-a</option> option,
 then there is no default key size, and the <option>-b</option> option
 must be used.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-n <replaceable class="parameter">nametype</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
 Specifies the owner type of the key. The value of
 <option>nametype</option> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)), or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
 generation.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-3</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Use an NSEC3-capable algorithm to generate a DNSSEC key.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews If this option is used and no algorithm is explicitly
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews set on the command line, NSEC3RSASHA1 will be used by
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews default. Note that RSASHA256, RSASHA512, ECCGOST,
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt are NSEC3-capable.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-C</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <command>dnssec-keygen</command>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <option>-C</option> option suppresses this metadata.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-c <replaceable class="parameter">class</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Indicates that the DNS record containing the key should have
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews the specified class. If not specified, class IN is used.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-E <replaceable class="parameter">engine</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Specifies the cryptographic hardware to use, when applicable.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews When BIND is built with OpenSSL PKCS#11 support, this defaults
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews to the string "pkcs11", which identifies an OpenSSL engine
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews that can drive a cryptographic accelerator or hardware service
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews module. When BIND is built with native PKCS#11 cryptography
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews (--enable-native-pkcs11), it defaults to the path of the PKCS#11
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews provider library specified via "--with-pkcs11".
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont </varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-f <replaceable class="parameter">flag</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Set the specified flag in the flag field of the KEY/DNSKEY record.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews The only recognized flags are KSK (Key Signing Key) and REVOKE.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews </varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-G</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Generate a key, but do not publish it or sign with it. This
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews option is incompatible with -P and -A.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt </varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-g <replaceable class="parameter">generator</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
 If generating a Diffie-Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-h</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Prints a short summary of the options and arguments to
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <command>dnssec-keygen</command>.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-K <replaceable class="parameter">directory</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the directory in which the key files are to be written.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-k</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Deprecated in favor of -T KEY.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews </varlistentry>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-L <replaceable class="parameter">ttl</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the default TTL to use for this key when it is converted
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews into a DNSKEY RR. If the key is imported into a zone,
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews this is the TTL that will be used for it, unless there was
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews already a DNSKEY RRset in place, in which case the existing TTL
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews would take precedence. If this value is not set and there
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews is no existing DNSKEY RRset, the TTL will default to the
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews SOA TTL. Setting the default TTL to <literal>0</literal>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews or <literal>none</literal> is the same as leaving it unset.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt </varlistentry>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-p <replaceable class="parameter">protocol</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the protocol value for the generated key. The protocol
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews is a number between 0 and 255. The default is 3 (DNSSEC).
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Other possible values for this argument are listed in
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews RFC 2535 and its successors.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-q</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Quiet mode: Suppresses unnecessary output, including
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews progress indication. Without this option, when
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <command>dnssec-keygen</command> is run interactively
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews to generate an RSA or DSA key pair, it will print a string
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews of symbols to <filename>stderr</filename> indicating the
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews progress of the key generation. A '.' indicates that a
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews random number has been found which passed an initial
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews sieve test; '+' means a number has passed a single
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews round of the Miller-Rabin primality test; a space
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews means that the number has passed all the tests and is
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews a satisfactory key.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews </varlistentry>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-r <replaceable class="parameter">randomdev</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
 Specifies the source of randomness. If the operating
 system does not provide a <filename>/dev/random</filename>
 or equivalent device, the default source of randomness
 is keyboard input. <filename>randomdev</filename> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <filename>keyboard</filename> indicates that keyboard
 input should be used. The strength of the generated key
 depends on the quality of this source: a file or device whose
 contents are predictable yields a predictable key.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-S <replaceable class="parameter">key</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Create a new key which is an explicit successor to an
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews existing key. The name, algorithm, size, and type of the
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews key will be set to match the existing key. The activation
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews date of the new key will be set to the inactivation date of
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews the existing one. The publication date will be set to the
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews activation date minus the prepublication interval, which
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews defaults to 30 days.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-s <replaceable class="parameter">strength</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Specifies the strength value of the key. The strength is
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews a number between 0 and 15, and currently has no defined
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews purpose in DNSSEC.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-T <replaceable class="parameter">rrtype</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Specifies the resource record type to use for the key.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <option>rrtype</option> must be either DNSKEY or KEY. The
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews default is DNSKEY when using a DNSSEC algorithm, but it can be
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews overridden to KEY for use with SIG(0).
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Using any TSIG algorithm (HMAC-* or DH) forces this option
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews to KEY.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-t <replaceable class="parameter">type</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Indicates the use of the key. <option>type</option> must be
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews is AUTHCONF. AUTH refers to the ability to authenticate
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews data, and CONF the ability to encrypt data.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-v <replaceable class="parameter">level</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the debugging level.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <term>-V</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <para>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman Prints version information.
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman </varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>TIMING OPTIONS</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt If the argument begins with a '+' or '-', it is interpreted as
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt an offset from the present time. For convenience, if such an offset
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt then the offset is computed in years (defined as 365 24-hour days,
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt ignoring leap years), months (defined as 30 24-hour days), weeks,
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt days, hours, or minutes, respectively. Without a suffix, the offset
a165a17a81ff3285f4f4d79785fafb465e626183Evan Hunt is computed in seconds. To explicitly prevent a date from being
a165a17a81ff3285f4f4d79785fafb465e626183Evan Hunt set, use 'none' or 'never'.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </para>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <variablelist>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-P <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the date on which a key is to be published to the zone.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews After that date, the key will be included in the zone but will
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews not be used to sign it. If not set, and if the -G option has
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews not been used, the default is "now".
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the date on which CDS and CDNSKEY records that match this
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews key are to be published to the zone.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-A <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the date on which the key is to be activated. After that
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews date, the key will be included in the zone and used to sign
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews it. If not set, and if the -G option has not been used, the
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews default is "now". If set, and if -P is not set, then
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews the publication date will be set to the activation date
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews minus the prepublication interval.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-R <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the date on which the key is to be revoked. After that
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews date, the key will be flagged as revoked. It will be included
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews in the zone and will be used to sign it.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-I <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the date on which the key is to be retired. After that
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews date, the key will still be included in the zone, but it
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews will not be used to sign it.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-D <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the date on which the key is to be deleted. After that
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews date, the key will no longer be included in the zone. (It
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews may remain in the key repository, however.)
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews Sets the date on which the CDS and CDNSKEY records that match this
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews key are to be deleted.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <term>-i <replaceable class="parameter">interval</replaceable></term>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <listitem>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <para>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews Sets the prepublication interval for a key. If set, then
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews the publication and activation dates must be separated by at least
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews this much time. If the activation date is specified but the
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews publication date isn't, then the publication date will default
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews to this much time before the activation date; conversely, if
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews the publication date is specified but activation date isn't,
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews then activation will be set to this much time after publication.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </para>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <para>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews If the key is being created as an explicit successor to another
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews key, then the default prepublication interval is 30 days;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews otherwise it is zero.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </para>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <para>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews As with date offsets, if the argument is followed by one of
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews interval is measured in years, months, weeks, days, hours,
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews or minutes, respectively. Without a suffix, the interval is
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews measured in seconds.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </para>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </listitem>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>GENERATED KEYS</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein When <command>dnssec-keygen</command> completes
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein successfully,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to the standard output. This is an identification string for
79399226b7bd15afb3e97fa9a5ea678359968997Mark Andrews the key it has generated.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington <itemizedlist>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para><filename>nnnn</filename> is the key name.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington </listitem>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para><filename>aaa</filename> is the numeric representation
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews of the
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews algorithm.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington </listitem>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <para><filename>iiiii</filename> is the key identifier (or
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews footprint).
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews </para>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington </listitem>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington </itemizedlist>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews <para><command>dnssec-keygen</command>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews creates two files, with names based
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein contains the public key, and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>Knnnn.+aaa+iiiii.private</filename> contains the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein private
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein key.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The <filename>.key</filename> file contains a DNS KEY record
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein that
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein can be inserted into a zone file (directly or with a $INCLUDE
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein statement).
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews The <filename>.private</filename> file contains
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews algorithm-specific
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein fields. Because it holds the private key, this file does not have
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein general read permission.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Both <filename>.key</filename> and <filename>.private</filename>
2a8aa1049204bc9829b25b9ccaa99d25e3ced8d2Francis Dupont files are generated for symmetric cryptography algorithms such as
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein HMAC-MD5, even though the public and private key are equivalent.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>EXAMPLE</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein To generate a 768-bit DSA key for the domain
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <userinput>example.com</userinput>, the following command would be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein issued:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The command would print a string of the form:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><userinput>Kexample.com.+003+26160</userinput>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein In this example, <command>dnssec-keygen</command> creates
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the files <filename>Kexample.com.+003+26160.key</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews <filename>Kexample.com.+003+26160.private</filename>.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>SEE ALSO</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><citerefentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </citerefentry>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
733531b6d5c705dad87e85a2bcc557f68f902bb3Jeremy Reed <citetitle>RFC 2539</citetitle>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <citetitle>RFC 2845</citetitle>,
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt <citetitle>RFC 4034</citetitle>.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</refentry>