dnssec-keygen.docbook revision 8ffa8320abcc17ae593af566cb946a58fe293860
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
938440694b33cd752e9e4b71a526368b4811c177Tinderbox User
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<refentry>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <refentryinfo>
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater <date>June 30, 2000</date>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson </refentryinfo>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <refmeta>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews <refentrytitle><application>dnssec-keygen</application></refentrytitle>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews <manvolnum>8</manvolnum>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews <refmiscinfo>BIND9</refmiscinfo>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews </refmeta>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews <refnamediv>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews <refname><application>dnssec-keygen</application></refname>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <refpurpose>DNSSEC key generation tool</refpurpose>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refnamediv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <cmdsynopsis>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <command>dnssec-keygen</command>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-e</option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-h</option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
86b0285d7e65601645db4090d62ee6cb63abad6cAndreas Gustafsson <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <arg choice="req">name</arg>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </cmdsynopsis>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </refsynopsisdiv>
c1a883f2e04d94e99c433b1f6cfd0c0338f4ed85Mark Andrews
938440694b33cd752e9e4b71a526368b4811c177Tinderbox User <refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <title>DESCRIPTION</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <command>dnssec-keygen</command> generates keys for DNSSEC
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein (Secure DNS), as defined in RFC 2535. It can also generate
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein keys for use with TSIG (Transaction Signatures), as
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein defined in RFC 2845.
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
86b0285d7e65601645db4090d62ee6cb63abad6cAndreas Gustafsson <refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <title>OPTIONS</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <variablelist>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-a <replaceable class="parameter">algorithm</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Selects the cryptographic algorithm. The value of
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <option>algorithm</option> must be one of RSAMD5 or RSA,
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson DSA, DH (Diffie Hellman), or HMAC-MD5. These values
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein are case insensitive.
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson </para>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Note that for DNSSEC, DSA is a mandatory-to-implement algorithm,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <term>-b <replaceable class="parameter">keysize</replaceable></term>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the number of bits in the key. The choice of key
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein size depends on the algorithm used. RSA keys must be between
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein 512 and 2048 bits. Diffie Hellman keys must be between
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein 128 and 4096 bits. DSA keys must be between 512 and 1024
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson bits and an exact multiple of 64. HMAC-MD5 keys must be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein between 1 and 512 bits.
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson </para>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-n <replaceable class="parameter">nametype</replaceable></term>
86b0285d7e65601645db4090d62ee6cb63abad6cAndreas Gustafsson <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Specifies the owner type of the key. The value of
86b0285d7e65601645db4090d62ee6cb63abad6cAndreas Gustafsson <option>nametype</option> must either be ZONE (for a DNSSEC
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein zone key), HOST or ENTITY (for a key associated with a host),
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein or USER (for a key associated with a user). These values are
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein case insensitive.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
86b0285d7e65601645db4090d62ee6cb63abad6cAndreas Gustafsson </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-c <replaceable class="parameter">class</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Indicates that the DNS record containing the key should have
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the specified class. If not specified, class IN is used.
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson </para>
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson </listitem>
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson </varlistentry>
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson <varlistentry>
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson <term>-e</term>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <listitem>
8eea877894ea5bcf5cdd9ca124a8601ad421d753Andreas Gustafsson <para>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson If generating an RSA key, use a large exponent.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
86b0285d7e65601645db4090d62ee6cb63abad6cAndreas Gustafsson </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-g <replaceable class="parameter">generator</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If generating a Diffie Hellman key, use this generator.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Allowed values are 2 and 5. If no generator
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is specified, a known prime from RFC 2539 will be used
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein if possible; otherwise the default is 2.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-h</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Prints a short summary of the options and arguments to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <command>dnssec-keygen</command>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-p <replaceable class="parameter">protocol</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson Sets the protocol value for the generated key. The protocol
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is a number between 0 and 255. The default is 2 (email) for
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein keys of type USER and 3 (DNSSEC) for all other key types.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Other possible values for this argument are listed in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein RFC 2535 and its successors.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-r <replaceable class="parameter">randomdev</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the source of randomness. If the operating
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein system does not provide a <filename>/dev/random</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein or equivalent device, the default source of randomness
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is keyboard input. <filename>randomdev</filename> specifies
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the name of a character device or file containing random
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein data to be used instead of the default. The special value
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>keyboard</filename> indicates that keyboard
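268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein input should be used. Generated keys are only as unpredictable as this source, so a file named here must contain genuinely random data.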
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-s <replaceable class="parameter">strength</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the strength value of the key. The strength is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein a number between 0 and 15, and currently has no defined
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein purpose in DNSSEC.
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-t <replaceable class="parameter">type</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Indicates the use of the key. <option>type</option> must be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is AUTHCONF. AUTH refers to the ability to authenticate
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein data, and CONF the ability to encrypt data.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <term>-v <replaceable class="parameter">level</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sets the debugging level.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </variablelist>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <title>GENERATED KEYS</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein When <command>dnssec-keygen</command> completes successfully,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to the standard output. This is an identification string for
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the key it has generated. These strings can be used as arguments
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to <command>dnssec-makekeyset</command>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <itemizedlist>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>nnnn</filename> is the key name.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>aaa</filename> is the numeric representation of the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein algorithm.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>iiiii</filename> is the key identifier (or footprint).
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </itemizedlist>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <command>dnssec-keygen</command> creates two files, with names based
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein contains the public key, and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>Knnnn.+aaa+iiiii.private</filename> contains the private
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein key.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The <filename>.key</filename> file contains a DNS KEY record that
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein can be inserted into a zone file (directly or with a $INCLUDE
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein statement).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt The <filename>.private</filename> file contains algorithm-specific
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt fields. Because it holds the private key, this file does not have
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein general read permission.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Both <filename>.key</filename> and <filename>.private</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein files are generated for symmetric encryption algorithms such as
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein HMAC-MD5, even though the public and private key are equivalent.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <title>EXAMPLE</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein To generate a 768-bit DSA key for the domain
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <userinput>example.com</userinput>, the following command would be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein issued:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The command would print a string of the form:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <userinput>Kexample.com.+003+26160</userinput>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein In this example, <command>dnssec-keygen</command> creates
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the files <filename>Kexample.com.+003+26160.key</filename> and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>Kexample.com.+003+26160.private</filename>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <title>SEE ALSO</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <citerefentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refentrytitle>dnssec-makekeyset</refentrytitle>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <manvolnum>8</manvolnum>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </citerefentry>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <citerefentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refentrytitle>dnssec-signkey</refentrytitle>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <manvolnum>8</manvolnum>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </citerefentry>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <citerefentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refentrytitle>dnssec-signzone</refentrytitle>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <manvolnum>8</manvolnum>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </citerefentry>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <citetitle>RFC 2535</citetitle>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <citetitle>RFC 2845</citetitle>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <citetitle>RFC 2539</citetitle>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <title>AUTHOR</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <corpauthor>Internet Software Consortium</corpauthor>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsect1>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</refentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson<!--
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Local variables:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - mode: sgml
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - End:
ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson-->
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein