dnssec-keygen.docbook revision 268a4475065fe6a8cd7cc707820982cf5e98f430
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
 "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
 [<!ENTITY mdash "—">]>
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.11 2005/05/11 05:55:36 sra Exp $ -->
<refentryinfo>
</refentryinfo>
<refentrytitle><application>dnssec-keygen</application></refentrytitle>
<refnamediv>
<refname><application>dnssec-keygen</application></refname>
<refpurpose>DNSSEC key generation tool</refpurpose>
</refnamediv>
<copyright>
<year>2004</year>
<year>2005</year>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<copyright>
<year>2000</year>
<year>2001</year>
<year>2002</year>
<year>2003</year>
<holder>Internet Software Consortium.</holder>
</copyright>
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-keygen</command>
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
<arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-k</option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
</refsynopsisdiv>
<para>
<command>dnssec-keygen</command> generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC &lt;TBA&gt;. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
</para>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem><para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA), RSASHA1,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
</para>
<para>
Note 1: for DNSSEC, RSASHA1 is mandatory to implement
and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
RSAMD5 and DSA have since been deprecated for DNSSEC (RFC 8624 lists
both as MUST NOT), so of the algorithms this version offers, RSASHA1
is the one to use for new zone keys.
</para>
<para>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem><para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
between 1 and 512 bits.
</para>
<para>
The lower ends of these ranges exist for interoperability, not
security: a 512-bit RSA modulus can be factored with modest
resources, so keys that will sign a zone should be sized at the
upper end of the range.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem><para>
Specifies the owner type of the key. The value of
<option>nametype</option> must be one of ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)), USER (for a key associated with a user (KEY)),
or OTHER (DNSKEY). These values are case insensitive.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem><para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-e</term>
<listitem><para>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem><para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key), which applies to
DNSKEY records. Setting it turns on the Secure Entry Point bit, so
the flags field of the generated record reads 257 rather than 256.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem><para>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem><para>
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem><para>
Generate KEY records rather than DNSKEY records.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem><para>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors. For DNSKEY records the value must
be 3: RFC 4034 requires validators to treat a DNSKEY with any other
protocol value as invalid, so there is no reason to change it for a
zone key.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem><para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
<para>
On a headless or freshly booted host with little entropy, a
blocking device such as <filename>/dev/random</filename> can stall
the command for a long time; it is waiting for entropy, not hung.
Pointing this option at a file whose contents are predictable
yields predictable keys, so it should only ever name a genuine
entropy source.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem><para>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem><para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para></listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem><para>
Sets the debugging level.
</para></listitem>
</varlistentry>
</variablelist>
<para>
When <command>dnssec-keygen</command> completes
successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key it has generated. These strings can be used as arguments
to <command>dnssec-signzone</command>.
</para>
<itemizedlist>
<listitem><para><filename>nnnn</filename> is the key name.</para></listitem>
<listitem><para><filename>aaa</filename> is the numeric representation
of the algorithm.</para></listitem>
<listitem><para><filename>iiiii</filename> is the key identifier (or
footprint).</para></listitem>
</itemizedlist>
<para>
<command>dnssec-keygen</command> creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
private key.
</para>
<para>
The <filename>.key</filename> file contains a DNSKEY record (or a
KEY record, when <option>-k</option> is given) that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</para>
<para>
The <filename>.private</filename> file contains algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission. Anyone who can read it can produce
signatures that validate under the key, so it must never be
included in a zone file or copied to a world-readable location.
</para>
<para>
Both <filename>.key</filename> and <filename>.private</filename>
files are generated for symmetric algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
In that case the <filename>.key</filename> file holds the shared
secret as well and must be protected exactly like the
<filename>.private</filename> file; it is not meant to be published
in a zone.
</para>
<para>
To generate a 768-bit DSA key for the domain
<userinput>example.com</userinput>, the following command would be
issued:
</para>
<para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput></para>
<para>
The command would print a string of the form:
</para>
<para><userinput>Kexample.com.+003+26160</userinput></para>
<para>
In this example, <command>dnssec-keygen</command> creates
the files <filename>Kexample.com.+003+26160.key</filename>
and <filename>Kexample.com.+003+26160.private</filename>.
</para>
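<para>
The identification string is derived from the record itself: <filename>aaa</filename> is the algorithm number and <filename>iiiii</filename> is the key tag computed over the DNSKEY RDATA (RFC 4034, Appendix B). The following Python is an added example written for this page, not code from BIND or ISC. It rebuilds the <filename>Knnnn.+aaa+iiiii</filename> string from a <filename>.key</filename>-style record line, splits such a string (or file name) back into its fields, and checks that a key file's contents agree with the name it is stored under. The sample record line is constructed: its flags, protocol and algorithm fields are real values (256 = zone key, 3 = DNSSEC, 5 = RSASHA1), but the base64 public key is a dummy six-byte string, so the resulting tag (45780) is not the one shown above and the key is not usable for signing.
</para>

```python
"""Rebuild the Knnnn.+aaa+iiiii identifier that dnssec-keygen prints.

Added example for this man page, not code from BIND.  The key tag (the
iiiii field) is computed as in RFC 4034 Appendix B.  SAMPLE_KEY_LINE is a
constructed .key-file line: flags/protocol/algorithm are real values, but
the base64 public key is a dummy 6-byte string, not a usable RSA key.
"""
import base64
import re

# Constructed sample in the format dnssec-keygen writes to the .key file.
SAMPLE_KEY_LINE = "example.com. IN DNSKEY 256 3 5 AwEAAavN"

# Knnnn.+aaa+iiiii, optionally followed by the .key / .private suffix.
IDENTIFIER_RE = re.compile(
    r"^K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})(?:\.(?:key|private))?$"
)


def key_tag(rdata: bytes, algorithm: int) -> int:
    """Key tag (footprint) over the DNSKEY RDATA: flags|protocol|algorithm|key.

    RFC 4034 Appendix B.  Algorithm 1 (RSAMD5) keeps the older rule: the
    third- and second-to-last bytes of the modulus form the tag.
    """
    if algorithm == 1:
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte  # even offsets are the high byte
    ac += (ac >> 16) & 0xFFFF                    # fold the carry back in
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Split 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    owner = fields[0]
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # key may span several tokens
    return owner, flags, protocol, algorithm, pubkey


def key_identifier(line: str) -> str:
    """Return the Knnnn.+aaa+iiiii string dnssec-keygen would print for this record."""
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    return f"K{owner}+{algorithm:03d}+{key_tag(rdata, algorithm):05d}"


def split_identifier(ident: str):
    """Inverse direction: pull (name, algorithm, tag) out of an identifier or file name."""
    m = IDENTIFIER_RE.match(ident)
    if m is None:
        raise ValueError(f"not a dnssec-keygen identifier: {ident!r}")
    return m["name"], int(m["alg"]), int(m["tag"])


def file_matches_name(filename: str, key_line: str) -> bool:
    """Check that a .key file's contents agree with the name it is stored under.

    A mismatch means the file was renamed or edited after generation and
    should not be trusted as the key its name claims it to be.
    """
    name, alg, tag = split_identifier(filename)
    return key_identifier(key_line) == f"K{name}+{alg:03d}+{tag:05d}"


if __name__ == "__main__":
    ident = key_identifier(SAMPLE_KEY_LINE)
    print(ident)                                                 # Kexample.com.+005+45780
    print(split_identifier(ident + ".private"))                  # ('example.com.', 5, 45780)
    print(file_matches_name("Kexample.com.+005+45780.key", SAMPLE_KEY_LINE))  # True
```

<para>
Run it directly to see the identifier for the constructed sample. The RSAMD5 branch is there because algorithm 1 keeps the pre-RFC 4034 tag rule, which is the one place a general-purpose tag function is easy to get wrong; the name-versus-contents check is the test to run on any key file received from elsewhere before handing it to the signer.
</para>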
<para><citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
<para><corpauthor>Internet Systems Consortium</corpauthor></para>