dnssec-keygen.docbook revision b0c15bd9792112fb47f6d956e580e4369e92f4e7
280a8a0544b4aeb52414d20e8c6e6c5b1108562eTinderbox User<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt<!--
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater - Copyright (C) 2001, 2002 Internet Software Consortium.
c7fd128f8ea8a527fe27c1b95ab46df7155bc8e4Tinderbox User -
c7fd128f8ea8a527fe27c1b95ab46df7155bc8e4Tinderbox User - Permission to use, copy, modify, and distribute this software for any
ba9e87b35e561bc7354ce3f4b9685b747b7be507Tinderbox User - purpose with or without fee is hereby granted, provided that the above
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews - copyright notice and this permission notice appear in all copies.
59663800d2ec04777dae2791dd92aa563faf94c8Evan Hunt -
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
59663800d2ec04777dae2791dd92aa563faf94c8Evan Hunt - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
0726d872f6f36901ea09321df57084614e5bb6faTinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
1ca2cf024391992fe14b2df7d3ae0f575d074452Evan Hunt - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
8de3f14f1c300c3e1ed99084cc03485b42c92bf1Tinderbox User - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews-->
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User<!-- $Id: dnssec-keygen.docbook,v 1.6 2003/01/18 02:40:58 marka Exp $ -->
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews
2b7254075b883d70852a2757210793603085a0f1Tinderbox User<refentry>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <refentryinfo>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <date>June 30, 2000</date>
b91d11bfcc30b96f2c80f3a76d12e3dcc8597a68Mark Andrews </refentryinfo>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <refmeta>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <refentrytitle><application>dnssec-keygen</application></refentrytitle>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <manvolnum>8</manvolnum>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <refmiscinfo>BIND9</refmiscinfo>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </refmeta>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <refnamediv>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <refname><application>dnssec-keygen</application></refname>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <refpurpose>DNSSEC key generation tool</refpurpose>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </refnamediv>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <refsynopsisdiv>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews <cmdsynopsis>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <command>dnssec-keygen</command>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <arg><option>-e</option></arg>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-h</option></arg>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt <arg choice="req">name</arg>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </cmdsynopsis>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </refsynopsisdiv>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt <refsect1>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <title>DESCRIPTION</title>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt <command>dnssec-keygen</command> generates keys for DNSSEC
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews (Secure DNS), as defined in RFC 2535. It can also generate
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews keys for use with TSIG (Transaction Signatures), as
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews defined in RFC 2845.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </para>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </refsect1>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <refsect1>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <title>OPTIONS</title>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <variablelist>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <term>-a <replaceable class="parameter">algorithm</replaceable></term>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <listitem>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <para>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Selects the cryptographic algorithm. The value of
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <option>algorithm</option> must be one of RSAMD5 or RSA,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews DSA, DH (Diffie Hellman), or HMAC-MD5. These values
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews are case insensitive.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </para>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <para>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User Note that for DNSSEC, DSA is a mandatory to implement algorithm,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User </para>
3ccf87473f7cf6d9faac156df38a935a238f96fdTinderbox User </listitem>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews </varlistentry>
b378314925e78f21853a98cec924788ce1822c6cTinderbox User
ebe53509ca55a141131c104b6d722236b606e0efTinderbox User <varlistentry>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews <term>-b <replaceable class="parameter">keysize</replaceable></term>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <listitem>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt <para>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews Specifies the number of bits in the key. The choice of key
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews size depends on the algorithm used. RSA keys must be between
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User 512 and 2048 bits. Diffie Hellman keys must be between
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt 128 and 4096 bits. DSA keys must be between 512 and 1024
7cc0a5d21ef046bfd630c4769943d896a7d7472cTinderbox User bits and an exact multiple of 64. HMAC-MD5 keys must be
3ccf87473f7cf6d9faac156df38a935a238f96fdTinderbox User between 1 and 512 bits.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </para>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </listitem>
551e6d2414c4f47d58a9bb0b37f206f915a4f5acTinderbox User </varlistentry>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <varlistentry>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <term>-n <replaceable class="parameter">nametype</replaceable></term>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <listitem>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <para>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Specifies the owner type of the key. The value of
51aeb0ae19596e99b029cfa933e73b76ebec480aTinderbox User <option>nametype</option> must either be ZONE (for a DNSSEC
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews zone key), HOST or ENTITY (for a key associated with a host),
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User or USER (for a key associated with a user). These values are
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User case insensitive.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </para>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </listitem>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson </varlistentry>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <varlistentry>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <term>-c <replaceable class="parameter">class</replaceable></term>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <listitem>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <para>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews Indicates that the DNS record containing the key should have
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews the specified class. If not specified, class IN is used.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </para>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </listitem>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </varlistentry>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <varlistentry>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <term>-e</term>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <listitem>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <para>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews If generating an RSA key, use a large exponent.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson </para>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </listitem>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews </varlistentry>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <varlistentry>
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews <term>-f <replaceable class="parameter">flag</replaceable></term>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <listitem>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <para>
ebe53509ca55a141131c104b6d722236b606e0efTinderbox User Set the specified flag in the flag field of the key record.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews The only recognized flag is KSK (Key Signing Key).
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews </para>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews </listitem>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </varlistentry>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-g <replaceable class="parameter">generator</replaceable></term>
51aeb0ae19596e99b029cfa933e73b76ebec480aTinderbox User <listitem>
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews <para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont If generating a Diffie Hellman key, use this generator.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Allowed values are 2 and 5. If no generator
51aeb0ae19596e99b029cfa933e73b76ebec480aTinderbox User is specified, a known prime from RFC 2539 will be used
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews if possible; otherwise the default is 2.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </para>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews </listitem>
33b0d10552ea5f7716385b2cedff64daa1486c50Tinderbox User </varlistentry>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <varlistentry>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <term>-h</term>
33b0d10552ea5f7716385b2cedff64daa1486c50Tinderbox User <listitem>
b378314925e78f21853a98cec924788ce1822c6cTinderbox User <para>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews Prints a short summary of the options and arguments to
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <command>dnssec-keygen</command>.
2b7254075b883d70852a2757210793603085a0f1Tinderbox User </para>
66317da170ed35b08f5847db2d48b225826327cbTinderbox User </listitem>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </varlistentry>
fec6e13f2d1e69fe1c2b8fac36f732f124cf5398Mark Andrews
b625bdae12277225b076a002dd4af80902529181Tinderbox User <varlistentry>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <term>-p <replaceable class="parameter">protocol</replaceable></term>
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews <listitem>
2b7254075b883d70852a2757210793603085a0f1Tinderbox User <para>
33b0d10552ea5f7716385b2cedff64daa1486c50Tinderbox User Sets the protocol value for the generated key. The protocol
415d630b6309922caee8469384a6fab75cf05032Mark Andrews is a number between 0 and 255. The default is 3 (DNSSEC).
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater Other possible values for this argument are listed in
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews RFC 2535 and its successors.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </para>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </listitem>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </varlistentry>
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <varlistentry>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <term>-r <replaceable class="parameter">randomdev</replaceable></term>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <listitem>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <para>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews Specifies the source of randomness. If the operating
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User system does not provide a <filename>/dev/random</filename>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews or equivalent device, the default source of randomness
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews is keyboard input. <filename>randomdev</filename> specifies
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User the name of a character device or file containing random
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews data to be used instead of the default. The special value
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <filename>keyboard</filename> indicates that keyboard
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater input should be used.
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </para>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews </listitem>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <varlistentry>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <term>-s <replaceable class="parameter">strength</replaceable></term>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <listitem>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews <para>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User Specifies the strength value of the key. The strength is
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews a number between 0 and 15, and currently has no defined
415d630b6309922caee8469384a6fab75cf05032Mark Andrews purpose in DNSSEC.
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater </para>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </listitem>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews </varlistentry>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <varlistentry>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <term>-t <replaceable class="parameter">type</replaceable></term>
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater <listitem>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <para>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews Indicates the use of the key. <option>type</option> must be
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews is AUTHCONF. AUTH refers to the ability to authenticate
415d630b6309922caee8469384a6fab75cf05032Mark Andrews data, and CONF the ability to encrypt data.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson </para>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </listitem>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews </varlistentry>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <varlistentry>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <term>-v <replaceable class="parameter">level</replaceable></term>
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User <listitem>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <para>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews Sets the debugging level.
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </para>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </listitem>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User </varlistentry>
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User </variablelist>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User </refsect1>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews
dc7e5458bbcb59ea310ed64ac7e77016e62e9c15Tinderbox User <refsect1>
5b3dd19d815f0389d566d20c2fee57cb37d1dd47Tinderbox User <title>GENERATED KEYS</title>
1fce11b1d3f2d461d261156b8cdc64ab864f06a9Tinderbox User <para>
fab54780409846f7c71f6026d665f18c77c649efTinderbox User When <command>dnssec-keygen</command> completes successfully,
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User to the standard output. This is an identification string for
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the key it has generated. These strings can be used as arguments
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User to <command>dnssec-makekeyset</command>.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <itemizedlist>
689fb19ba11ed40363cbc031d0396befdb409b89Tinderbox User <listitem>
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt <para>
8927a982bde7e4b665966b55f0fa57c5cf21b9d8Mark Andrews <filename>nnnn</filename> is the key name.
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </listitem>
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User <listitem>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <filename>aaa</filename> is the numeric representation of the
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews algorithm.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </listitem>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <listitem>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <filename>iiiii</filename> is the key identifier (or footprint).
361967ea970ea8f0ef8875e769505ecdac74bfb0Tinderbox User </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </listitem>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </itemizedlist>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
c317b09bf112121245fafe61f38b95dc6e96acabTinderbox User <command>dnssec-keygen</command> creates two file, with names based
cdf1c3d486ec082ef6c92297d22d54a67cca0c90Tinderbox User on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews contains the public key, and
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <filename>Knnnn.+aaa+iiiii.private</filename> contains the private
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews key.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews The <filename>.key</filename> file contains a DNS KEY record that
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews can be inserted into a zone file (directly or with a $INCLUDE
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews statement).
8ac5ddf659a81ed668579818981fc1a5f28405d1Tinderbox User </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews The <filename>.private</filename> file contains algorithm specific
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews fields. For obvious security reasons, this file does not have
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews general read permission.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews Both <filename>.key</filename> and <filename>.private</filename>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews files are generated for symmetric encryption algorithm such as
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews HMAC-MD5, even though the public and private key are equivalent.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </para>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </refsect1>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews
e5c7ef08d1bf9f8388de8174a47da78b9eeb7e5cTinderbox User <refsect1>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <title>EXAMPLE</title>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
2b7254075b883d70852a2757210793603085a0f1Tinderbox User To generate a 768-bit DSA key for the domain
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <userinput>example.com</userinput>, the following command would be
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews issued:
1f9754245cbd5eec2d2a667bb292f62f72386d4bMark Andrews </para>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <para>
e5c7ef08d1bf9f8388de8174a47da78b9eeb7e5cTinderbox User <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
2ca9cf1582ae972f8edc2b03bd846973b05dee6bTinderbox User The command would print a string of the form:
e1ebc476b08b4a498fcf3477e42c986eb1991360Tinderbox User </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
33b0d10552ea5f7716385b2cedff64daa1486c50Tinderbox User <userinput>Kexample.com.+003+26160</userinput>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews In this example, <command>dnssec-keygen</command> creates
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews the files <filename>Kexample.com.+003+26160.key</filename> and
076e51f1ff9497ae61a99994189ed8bf5a0d3472Tinderbox User <filename>Kexample.com.+003+26160.private</filename>
076e51f1ff9497ae61a99994189ed8bf5a0d3472Tinderbox User </para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews </refsect1>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <refsect1>
076e51f1ff9497ae61a99994189ed8bf5a0d3472Tinderbox User <title>SEE ALSO</title>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User <para>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <citerefentry>
a2c370ca12bb0360ff7e969474ead3f788c65fffTinderbox User <refentrytitle>dnssec-makekeyset</refentrytitle>
5affecff6e148a8e124d03f5dbac0da11e30dcc5Tinderbox User <manvolnum>8</manvolnum>
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User </citerefentry>,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <citerefentry>
8ac5ddf659a81ed668579818981fc1a5f28405d1Tinderbox User <refentrytitle>dnssec-signkey</refentrytitle>
076e51f1ff9497ae61a99994189ed8bf5a0d3472Tinderbox User <manvolnum>8</manvolnum>
c4a35623959c143db02800584b8116d5b9cd72adTinderbox User </citerefentry>,
6c2a76b3e2ccd32c35814b6e0f54da00190749d7Evan Hunt <citerefentry>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User <refentrytitle>dnssec-signzone</refentrytitle>
3ccf87473f7cf6d9faac156df38a935a238f96fdTinderbox User <manvolnum>8</manvolnum>
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews </citerefentry>,
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
5e145d312503505bed49bcd72d1062b82989cadaTinderbox User <citetitle>RFC 2535</citetitle>,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <citetitle>RFC 2845</citetitle>,
415d630b6309922caee8469384a6fab75cf05032Mark Andrews <citetitle>RFC 2539</citetitle>.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson </para>
415d630b6309922caee8469384a6fab75cf05032Mark Andrews </refsect1>
e813f036c8251b6d9d2a72fa84f80c2c9d2795afMark Andrews
9218b940febade3085fd6d95a15e67d5f94833f0Tinderbox User <refsect1>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <title>AUTHOR</title>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User <para>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews <corpauthor>Internet Software Consortium</corpauthor>
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews </para>
c1e2310a3725eeed45e5e7c86750c64c5a02e993Francis Dupont </refsect1>
c1e2310a3725eeed45e5e7c86750c64c5a02e993Francis Dupont
4b61b671f5de767ec1d1b8e6cf7b849bddf08e98Tinderbox User</refentry>
4b61b671f5de767ec1d1b8e6cf7b849bddf08e98Tinderbox User
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<!--
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont - Local variables:
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - mode: sgml
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews - End:
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews-->
baeaed18341c015e9ad54ffa21973184c1bc432bMark Andrews