dnssec-keygen.docbook revision cc3aafe737334d444781f8a34ffaf459e075bb9a
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
b99dbaab171d91e1b664397cc40e039d0c087c65fielding - Copyright (C) 2001-2003 Internet Software Consortium.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - Permission to use, copy, modify, and distribute this software for any
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - purpose with or without fee is hereby granted, provided that the above
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - copyright notice and this permission notice appear in all copies.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - PERFORMANCE OF THIS SOFTWARE.
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding<!-- $Id: dnssec-keygen.docbook,v 1.9 2004/06/11 01:12:40 marka Exp $ -->
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <refentryinfo>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding </refentryinfo>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <refentrytitle><application>dnssec-keygen</application></refentrytitle>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <refnamediv>
64185f9824e42f21ca7b9ae6c004484215c031a7rbb <refname><application>dnssec-keygen</application></refname>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <refpurpose>DNSSEC key generation tool</refpurpose>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding </refnamediv>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <refsynopsisdiv>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <cmdsynopsis>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding </cmdsynopsis>
ab2c1c1c83ec91415565da5a71fbc15d9685caa6fielding </refsynopsisdiv>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <command>dnssec-keygen</command> generates keys for DNSSEC
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding keys for use with TSIG (Transaction Signatures), as
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding defined in RFC 2845.
024cd9589e52cf11ce765dfddb5b5f0c6e421a48gstein </refsect1>
694e8dc146faadc46b2455f3bd0998121fc76c5drbb <refsect1>
024cd9589e52cf11ce765dfddb5b5f0c6e421a48gstein <variablelist>
024cd9589e52cf11ce765dfddb5b5f0c6e421a48gstein <varlistentry>
024cd9589e52cf11ce765dfddb5b5f0c6e421a48gstein <term>-a <replaceable class="parameter">algorithm</replaceable></term>
9625528fcf4fa27288f3be080a1979c8ef60d7dfrbb <listitem>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Selects the cryptographic algorithm. The value of
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
fd0edaa8e3d4dd67d0604ccef2e96b071db96643fielding DSA, DH (Diffie Hellman), or HMAC-MD5. These values
024cd9589e52cf11ce765dfddb5b5f0c6e421a48gstein are case insensitive.
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm,
10a4cdd68ef1ca0e54af296fe1d08ac00150c90bwrowe and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx Note 2: HMAC-MD5 and DH automatically set the -k flag.
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx </listitem>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx </varlistentry>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx <varlistentry>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx <term>-b <replaceable class="parameter">keysize</replaceable></term>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx Specifies the number of bits in the key. The choice of key
12b41741aa68f0f4a5d908ca7f7d58a583b17bb0rbb size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding 512 and 2048 bits. Diffie Hellman keys must be between
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe 128 and 4096 bits. DSA keys must be between 512 and 1024
12b41741aa68f0f4a5d908ca7f7d58a583b17bb0rbb bits and an exact multiple of 64. HMAC-MD5 keys must be
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding between 1 and 512 bits.
688f7d0bc138bb02f92288017920468e7e314f23stoddard </listitem>
688f7d0bc138bb02f92288017920468e7e314f23stoddard </varlistentry>
688f7d0bc138bb02f92288017920468e7e314f23stoddard <varlistentry>
688f7d0bc138bb02f92288017920468e7e314f23stoddard <term>-n <replaceable class="parameter">nametype</replaceable></term>
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe Specifies the owner type of the key. The value of
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe <option>nametype</option> must either be ZONE (for a DNSSEC
688f7d0bc138bb02f92288017920468e7e314f23stoddard zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)),
688f7d0bc138bb02f92288017920468e7e314f23stoddard USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding case insensitive.
688f7d0bc138bb02f92288017920468e7e314f23stoddard </listitem>
f2e16ea0697f128c32da623a0b2b9d0f81c5ebcawrowe </varlistentry>
12b41741aa68f0f4a5d908ca7f7d58a583b17bb0rbb <varlistentry>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <term>-c <replaceable class="parameter">class</replaceable></term>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx Indicates that the DNS record containing the key should have
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx the specified class. If not specified, class IN is used.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding </listitem>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx </varlistentry>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx <varlistentry>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx If generating an RSAMD5/RSASHA1 key, use a large exponent.
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx </listitem>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx </varlistentry>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx <varlistentry>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx <term>-f <replaceable class="parameter">flag</replaceable></term>
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx Set the specified flag in the flag field of the KEY/DNSKEY record.
3e91d7dbd9861343e0cb06a12bde47066b45afe9dirkx The only recognized flag is KSK (Key Signing Key) DNSKEY.
3d96ee83babeec32482c9082c9426340cee8c44dwrowe </listitem>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding </varlistentry>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <varlistentry>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <term>-g <replaceable class="parameter">generator</replaceable></term>
f79ab7cf4bb032a6c208b18eda06701885655358dougm If generating a Diffie Hellman key, use this generator.
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe Allowed values are 2 and 5. If no generator
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding is specified, a known prime from RFC 2539 will be used
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding if possible; otherwise the default is 2.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding </listitem>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding </varlistentry>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <varlistentry>
688f7d0bc138bb02f92288017920468e7e314f23stoddard Prints a short summary of the options and arguments to
688f7d0bc138bb02f92288017920468e7e314f23stoddard </listitem>
c37598fec5ebb98ce33abb0978590983d94064f7wrowe </varlistentry>
688f7d0bc138bb02f92288017920468e7e314f23stoddard <varlistentry>
688f7d0bc138bb02f92288017920468e7e314f23stoddard Generate KEY records rather than DNSKEY records.
688f7d0bc138bb02f92288017920468e7e314f23stoddard </listitem>
f2e16ea0697f128c32da623a0b2b9d0f81c5ebcawrowe </varlistentry>
af1061f05535fd9dea78f2de1b67e05469232c23wrowe <varlistentry>
af1061f05535fd9dea78f2de1b67e05469232c23wrowe <term>-p <replaceable class="parameter">protocol</replaceable></term>
f2e16ea0697f128c32da623a0b2b9d0f81c5ebcawrowe Sets the protocol value for the generated key. The protocol
688f7d0bc138bb02f92288017920468e7e314f23stoddard is a number between 0 and 255. The default is 3 (DNSSEC).
688f7d0bc138bb02f92288017920468e7e314f23stoddard Other possible values for this argument are listed in
688f7d0bc138bb02f92288017920468e7e314f23stoddard RFC 2535 and its successors.
688f7d0bc138bb02f92288017920468e7e314f23stoddard </listitem>
688f7d0bc138bb02f92288017920468e7e314f23stoddard </varlistentry>
688f7d0bc138bb02f92288017920468e7e314f23stoddard <varlistentry>
688f7d0bc138bb02f92288017920468e7e314f23stoddard <term>-r <replaceable class="parameter">randomdev</replaceable></term>
688f7d0bc138bb02f92288017920468e7e314f23stoddard Specifies the source of randomness. If the operating
688f7d0bc138bb02f92288017920468e7e314f23stoddard system does not provide a <filename>/dev/random</filename>
688f7d0bc138bb02f92288017920468e7e314f23stoddard or equivalent device, the default source of randomness
688f7d0bc138bb02f92288017920468e7e314f23stoddard is keyboard input. <filename>randomdev</filename> specifies
688f7d0bc138bb02f92288017920468e7e314f23stoddard the name of a character device or file containing random
688f7d0bc138bb02f92288017920468e7e314f23stoddard data to be used instead of the default. The special value
688f7d0bc138bb02f92288017920468e7e314f23stoddard input should be used.
688f7d0bc138bb02f92288017920468e7e314f23stoddard </listitem>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding </varlistentry>
50e228f0b8429c27e411611f4863fafaba403b47wrowe <varlistentry>
50e228f0b8429c27e411611f4863fafaba403b47wrowe <term>-s <replaceable class="parameter">strength</replaceable></term>
50e228f0b8429c27e411611f4863fafaba403b47wrowe Specifies the strength value of the key. The strength is
50e228f0b8429c27e411611f4863fafaba403b47wrowe a number between 0 and 15, and currently has no defined
50e228f0b8429c27e411611f4863fafaba403b47wrowe purpose in DNSSEC.
50e228f0b8429c27e411611f4863fafaba403b47wrowe </listitem>
50e228f0b8429c27e411611f4863fafaba403b47wrowe </varlistentry>
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe <varlistentry>
50e228f0b8429c27e411611f4863fafaba403b47wrowe <term>-t <replaceable class="parameter">type</replaceable></term>
50e228f0b8429c27e411611f4863fafaba403b47wrowe Indicates the use of the key. <option>type</option> must be
50e228f0b8429c27e411611f4863fafaba403b47wrowe one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe is AUTHCONF. AUTH refers to the ability to authenticate
50e228f0b8429c27e411611f4863fafaba403b47wrowe data, and CONF the ability to encrypt data.
50e228f0b8429c27e411611f4863fafaba403b47wrowe </listitem>
50e228f0b8429c27e411611f4863fafaba403b47wrowe </varlistentry>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <varlistentry>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <term>-v <replaceable class="parameter">level</replaceable></term>
688f7d0bc138bb02f92288017920468e7e314f23stoddard Sets the debugging level.
af1061f05535fd9dea78f2de1b67e05469232c23wrowe </listitem>
af1061f05535fd9dea78f2de1b67e05469232c23wrowe </varlistentry>
688f7d0bc138bb02f92288017920468e7e314f23stoddard </variablelist>
688f7d0bc138bb02f92288017920468e7e314f23stoddard </refsect1>
f2e16ea0697f128c32da623a0b2b9d0f81c5ebcawrowe When <command>dnssec-keygen</command> completes successfully,
af1061f05535fd9dea78f2de1b67e05469232c23wrowe it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
f2e16ea0697f128c32da623a0b2b9d0f81c5ebcawrowe to the standard output. This is an identification string for
f2e16ea0697f128c32da623a0b2b9d0f81c5ebcawrowe the key it has generated. These strings can be used as arguments
232d34b7cf6d59a22886d49be799efc6ad82998bwrowe <itemizedlist>
f2e16ea0697f128c32da623a0b2b9d0f81c5ebcawrowe </listitem>
12b41741aa68f0f4a5d908ca7f7d58a583b17bb0rbb <filename>aaa</filename> is the numeric representation of the
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe </listitem>
12b41741aa68f0f4a5d908ca7f7d58a583b17bb0rbb <filename>iiiii</filename> is the key identifier (or footprint).
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding </listitem>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding </itemizedlist>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <command>dnssec-keygen</command> creates two file, with names based
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding contains the public key, and
f2e16ea0697f128c32da623a0b2b9d0f81c5ebcawrowe <filename>Knnnn.+aaa+iiiii.private</filename> contains the private
c009b049a26ae2c609e0f14a946dcf40b84b6f50wrowe The <filename>.key</filename> file contains a DNS KEY record that
688f7d0bc138bb02f92288017920468e7e314f23stoddard can be inserted into a zone file (directly or with a $INCLUDE
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe statement).
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe The <filename>.private</filename> file contains algorithm specific
c009b049a26ae2c609e0f14a946dcf40b84b6f50wrowe fields. For obvious security reasons, this file does not have
c009b049a26ae2c609e0f14a946dcf40b84b6f50wrowe general read permission.
c009b049a26ae2c609e0f14a946dcf40b84b6f50wrowe Both <filename>.key</filename> and <filename>.private</filename>
af1061f05535fd9dea78f2de1b67e05469232c23wrowe files are generated for symmetric encryption algorithm such as
af1061f05535fd9dea78f2de1b67e05469232c23wrowe HMAC-MD5, even though the public and private key are equivalent.
af1061f05535fd9dea78f2de1b67e05469232c23wrowe </refsect1>
c009b049a26ae2c609e0f14a946dcf40b84b6f50wrowe To generate a 768-bit DSA key for the domain
c009b049a26ae2c609e0f14a946dcf40b84b6f50wrowe <userinput>example.com</userinput>, the following command would be
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe <userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding The command would print a string of the form:
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe In this example, <command>dnssec-keygen</command> creates
b2c2c8a4bc977c0a6bb937af995efc56dc3879a3wrowe the files <filename>Kexample.com.+003+26160.key</filename> and
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <filename>Kexample.com.+003+26160.private</filename>
12b41741aa68f0f4a5d908ca7f7d58a583b17bb0rbb </refsect1>
12b41741aa68f0f4a5d908ca7f7d58a583b17bb0rbb <refsect1>
12b41741aa68f0f4a5d908ca7f7d58a583b17bb0rbb <citerefentry>
c009b049a26ae2c609e0f14a946dcf40b84b6f50wrowe </citerefentry>,
c009b049a26ae2c609e0f14a946dcf40b84b6f50wrowe <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding </refsect1>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding </refsect1>
c38e75a12c92f05c3e3a1b412c14d2ef766633e1ben</refentry>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - Local variables:
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - mode: sgml