dnssec-keygen.docbook revision c6f4972c745f8903aba6dcca41f17a44c473db66
5cd4555ad444fd391002ae32450572054369fd42Rob Austein<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
5cd4555ad444fd391002ae32450572054369fd42Rob Austein "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein [<!ENTITY mdash "—">]>
dde8659175c5798267fb0fdefd7576e4efe271b3Automatic Updater - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - copyright notice and this permission notice appear in all copies.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews<!-- $Id: dnssec-keygen.docbook,v 1.34 2010/08/16 22:21:06 marka Exp $ -->
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refentrytitle><application>dnssec-keygen</application></refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refname><application>dnssec-keygen</application></refname>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refpurpose>DNSSEC key generation tool</refpurpose>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refnamediv>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </copyright>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <cmdsynopsis>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <arg ><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <arg><option>-S <replaceable class="parameter">key</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </refsynopsisdiv>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews and RFC 4034. It can also generate keys for use with
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt (Transaction Key) as defined in RFC 2930.
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt The <option>name</option> of the key is specified on the command
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt line. For DNSSEC keys, this must match the name of the zone for
41eeb37b516d1bac073781b6ec50a39a669987dfEvan Hunt which the key is being generated.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-a <replaceable class="parameter">algorithm</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Selects the cryptographic algorithm. For DNSSEC keys, the value
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt of <option>algorithm</option> must be one of RSAMD5, RSASHA1,
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt case insensitive.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt If no algorithm is specified, then RSASHA1 will be used by
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt default, unless the <option>-3</option> option is specified,
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt in which case NSEC3RSASHA1 will be used instead. (If
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt <option>-3</option> is used and an algorithm is specified,
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt that algorithm will be checked for compatibility with NSEC3.)
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt automatically set the -T KEY option.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-b <replaceable class="parameter">keysize</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the number of bits in the key. The choice of key
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt size depends on the algorithm used. RSA keys must be
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt between 512 and 2048 bits. Diffie Hellman keys must be between
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein 128 and 4096 bits. DSA keys must be between 512 and 1024
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt bits and an exact multiple of 64. HMAC keys must be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein between 1 and 512 bits.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt The key size does not need to be specified if using a default
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt algorithm. The default key size is 1024 bits for zone signing
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt keys (ZSK's) and 2048 bits for key signing keys (KSK's,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt generated with <option>-f KSK</option>). However, if an
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt algorithm is explicitly specified with the <option>-a</option>,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt then there is no default key size, and the <option>-b</option>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt must be used.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-n <replaceable class="parameter">nametype</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the owner type of the key. The value of
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <option>nametype</option> must either be ZONE (for a DNSSEC
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein a host (KEY)),
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
bf45f72ed319628eebce60c368177320943d001fMark Andrews These values are case insensitive. Defaults to ZONE for DNSKEY
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Use an NSEC3-capable algorithm to generate a DNSSEC key.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt If this option is used and no algorithm is explicitly
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt set on the command line, NSEC3RSASHA1 will be used by
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt default. Note that RSASHA256 and RSASHA512 algorithms
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt are NSEC3-capable.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Compatibility mode: generates an old-style key, without
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt any metadata. By default, <command>dnssec-keygen</command>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt will include the key's creation date in the metadata stored
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt with the private key, and other dates may be set there as well
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt (publication date, activation date, etc). Keys that include
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt this data may be incompatible with older versions of BIND; the
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-c <replaceable class="parameter">class</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Indicates that the DNS record containing the key should have
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the specified class. If not specified, class IN is used.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <term>-E <replaceable class="parameter">engine</replaceable></term>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont Uses a crypto hardware (OpenSSL engine) for random number
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont and, when supported, key generation. When compiled with PKCS#11
f80b665135127a12ca503c8830aa465aa1ddd17dEvan Hunt support it defaults to pkcs11; the empty name resets it to
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If generating an RSAMD5/RSASHA1 key, use a large exponent.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews <term>-f <replaceable class="parameter">flag</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Set the specified flag in the flag field of the KEY/DNSKEY record.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt The only recognized flags are KSK (Key Signing Key) and REVOKE.
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews </varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt Generate a key, but do not publish it or sign with it. This
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt option is incompatible with -P and -A.
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-g <replaceable class="parameter">generator</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If generating a Diffie Hellman key, use this generator.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Allowed values are 2 and 5. If no generator
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is specified, a known prime from RFC 2539 will be used
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein if possible; otherwise the default is 2.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Prints a short summary of the options and arguments to
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-K <replaceable class="parameter">directory</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the directory in which the key files are to be written.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Deprecated in favor of -T KEY.
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-p <replaceable class="parameter">protocol</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sets the protocol value for the generated key. The protocol
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is a number between 0 and 255. The default is 3 (DNSSEC).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Other possible values for this argument are listed in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein RFC 2535 and its successors.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <varlistentry>
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews Quiet mode: Suppresses unnecessary output, including
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews progress indication. Without this option, when
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews <command>dnssec-keygen</command> is run interactively
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews to generate an RSA or DSA key pair, it will print a string
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews of symbols to <filename>stderr</filename> indicating the
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews progress of the key generation. A '.' indicates that a
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews random number has been found which passed an initial
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews sieve test; '+' means a number has passed a single
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews round of the Miller-Rabin primality test; a space
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews means that the number has passed all the tests and is
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews a satisfactory key.
c6d2578fd67bc1a427d13fd0699b25a187feec8aMark Andrews </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-r <replaceable class="parameter">randomdev</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the source of randomness. If the operating
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein system does not provide a <filename>/dev/random</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein or equivalent device, the default source of randomness
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is keyboard input. <filename>randomdev</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the name of a character device or file containing random
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein data to be used instead of the default. The special value
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>keyboard</filename> indicates that keyboard
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein input should be used.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <term>-S <replaceable class="parameter">key</replaceable></term>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews Create a new key which is an explicit successor to an
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews existing key. The name, algorithm, size, and type of the
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews key will be set to match the existing key. The activation
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews date of the new key will be set to the inactivation date of
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews the existing one. The publication date will be set to the
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews activation date minus the prepublication interval, which
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews defaults to 30 days.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-s <replaceable class="parameter">strength</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the strength value of the key. The strength is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein a number between 0 and 15, and currently has no defined
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein purpose in DNSSEC.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-T <replaceable class="parameter">rrtype</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Specifies the resource record type to use for the key.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <option>rrtype</option> must be either DNSKEY or KEY. The
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt default is DNSKEY when using a DNSSEC algorithm, but it can be
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt overridden to KEY for use with SIG(0).
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Using any TSIG algorithm (HMAC-* or DH) forces this option
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-t <replaceable class="parameter">type</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Indicates the use of the key. <option>type</option> must be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is AUTHCONF. AUTH refers to the ability to authenticate
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein data, and CONF the ability to encrypt data.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <term>-v <replaceable class="parameter">level</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sets the debugging level.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </variablelist>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt If the argument begins with a '+' or '-', it is interpreted as
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt an offset from the present time. For convenience, if such an offset
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt then the offset is computed in years (defined as 365 24-hour days,
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt ignoring leap years), months (defined as 30 24-hour days), weeks,
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt days, hours, or minutes, respectively. Without a suffix, the offset
eab9975bcf5830a73f18ed8f320ae18ea32775eeEvan Hunt is computed in seconds.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <variablelist>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-P <replaceable class="parameter">date/offset</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the date on which a key is to be published to the zone.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt After that date, the key will be included in the zone but will
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt not be used to sign it. If not set, and if the -G option has
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt not been used, the default is "now".
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-A <replaceable class="parameter">date/offset</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the date on which the key is to be activated. After that
eec29cfd40361662b25bad50e1b94f7738a8fea0Jeremy Reed date, the key will be included in the zone and used to sign
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt it. If not set, and if the -G option has not been used, the
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt default is "now".
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-R <replaceable class="parameter">date/offset</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the date on which the key is to be revoked. After that
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt date, the key will be flagged as revoked. It will be included
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt in the zone and will be used to sign it.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <term>-I <replaceable class="parameter">date/offset</replaceable></term>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt Sets the date on which the key is to be retired. After that
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt date, the key will still be included in the zone, but it
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt will not be used to sign it.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-D <replaceable class="parameter">date/offset</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the date on which the key is to be deleted. After that
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt date, the key will no longer be included in the zone. (It
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt may remain in the key repository, however.)
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <varlistentry>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews <term>-i <replaceable class="parameter">interval</replaceable></term>
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews Sets the prepublication interval for a key. If set, then
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews the publication and activation dates must be separated by at least
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews this much time. If the activation date is specified but the
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews publication date isn't, then the publication date will default
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews to this much time before the activation date; conversely, if
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews the publication date is specified but activation date isn't,
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews then activation will be set to this much time after publication.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews If the key is being created as an explicit successor to another
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews key, then the default prepublication interval is 30 days;
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews otherwise it is zero.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews As with date offsets, if the argument is followed by one of
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews interval is measured in years, months, weeks, days, hours,
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews or minutes, respectively. Without a suffix, the interval is
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews measured in seconds.
c6f4972c745f8903aba6dcca41f17a44c473db66Mark Andrews </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </variablelist>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein successfully,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to the standard output. This is an identification string for
79399226b7bd15afb3e97fa9a5ea678359968997Mark Andrews the key it has generated.
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington <itemizedlist>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><filename>nnnn</filename> is the key name.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><filename>aaa</filename> is the numeric representation
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><filename>iiiii</filename> is the key identifier (or
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington </itemizedlist>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews creates two files, with names based
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein contains the public key, and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <filename>Knnnn.+aaa+iiiii.private</filename> contains the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The <filename>.key</filename> file contains a DNS KEY record
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein can be inserted into a zone file (directly or with a $INCLUDE
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews The <filename>.private</filename> file contains
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews algorithm-specific
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein fields. For obvious security reasons, this file does not have
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein general read permission.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Both <filename>.key</filename> and <filename>.private</filename>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews files are generated for symmetric encryption algorithms such as
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein HMAC-MD5, even though the public and private key are equivalent.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein To generate a 768-bit DSA key for the domain
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <userinput>example.com</userinput>, the following command would be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The command would print a string of the form:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><userinput>Kexample.com.+003+26160</userinput>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein In this example, <command>dnssec-keygen</command> creates
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the files <filename>Kexample.com.+003+26160.key</filename>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews <filename>Kexample.com.+003+26160.private</filename>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington </citerefentry>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <para><corpauthor>Internet Systems Consortium</corpauthor>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - Local variables: