dnssec-keygen.docbook revision d4ef65050feac78554addf6e16a06c6e2e0bd331
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">
 - Copyright (C) 2001 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
 - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
 - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-keygen.docbook,v 1.3 2001/04/10 21:50:26 bwelling Exp $ -->
<refentryinfo>
</refentryinfo>
<refentrytitle><application>dnssec-keygen</application></refentrytitle>
<refname><application>dnssec-keygen</application></refname>
<refpurpose>DNSSEC key generation tool</refpurpose>
</refnamediv>
<refsynopsisdiv>
<cmdsynopsis>
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
<arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<command>dnssec-keygen</command> generates keys for DNSSEC
(Secure DNS), as defined in RFC 2535. It can also generate
keys for use with TSIG (Transaction Signatures), as
defined in RFC 2845.
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (or RSA),
DSA, DH (Diffie-Hellman), or HMAC-MD5. These values
are case insensitive.
Note that for DNSSEC, DSA is a mandatory-to-implement algorithm
and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be between
512 and 2048 bits. Diffie-Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
between 1 and 512 bits.
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
Specifies the owner type of the key. The value of
<option>nametype</option> must be either ZONE (for a DNSSEC
zone key), HOST or ENTITY (for a key associated with a host),
or USER (for a key associated with a user). These values are
case insensitive.
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</varlistentry>
<varlistentry>
If generating an RSA key, use a large exponent.
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
If generating a Diffie-Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</varlistentry>
<varlistentry>
Prints a short summary of the options and arguments to
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 2 (email) for
keys of type USER and 3 (DNSSEC) for all other key types.
Other possible values for this argument are listed in
RFC 2535 and its successors.
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF to the ability to encrypt data.
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
</varlistentry>
</variablelist>
When <command>dnssec-keygen</command> completes successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key it has generated. These strings can be used as arguments
<itemizedlist>
<filename>aaa</filename> is the numeric representation of the
<filename>iiiii</filename> is the key identifier (or footprint).
</itemizedlist>
<command>dnssec-keygen</command> creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the private
The <filename>.key</filename> file contains a DNS KEY record that
can be inserted into a zone file (directly or with a $INCLUDE
The <filename>.private</filename> file contains algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
Both <filename>.key</filename> and <filename>.private</filename>
files are generated for symmetric algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
To generate a 768-bit DSA key for the domain
<userinput>example.com</userinput>, the following command would be
<userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
The command would print a string of the form:
<userinput>Kexample.com.+003+26160</userinput>
In this example, <command>dnssec-keygen</command> creates
the files <filename>Kexample.com.+003+26160.key</filename> and
<filename>Kexample.com.+003+26160.private</filename>
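A consistency check for the files the example above produces, added here as an illustration and not part of the BIND manual page or the BIND sources: it parses the printed identification string, recomputes the key footprint from the KEY record in the .key file with the algorithm of RFC 2535 Appendix C (RFC 4034 Appendix B), and flags a .private file that carries group or world permission bits. The KEY record and its base64 key bytes are constructed samples, not a real DSA key.

```python
import base64
import re
KEY_ID_RE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")

# Constructed sample .key record and its id (not a real DSA key): flags 256 is a
# ZONE key with AUTHCONF, protocol 3 (DNSSEC), algorithm 3 (DSA).
SAMPLE_KEY_LINE = "example.com. IN KEY 256 3 3 gACAAIAA"
SAMPLE_KEY_ID = "Kexample.com.+003+33796"


def parse_key_id(key_id):
    """Split 'Knnnn.+aaa+iiiii' into (owner name, algorithm number, key tag)."""
    m = KEY_ID_RE.match(key_id)
    if m is None:
        raise ValueError("not a dnssec-keygen identification string: %r" % key_id)
    return m.group("name") + ".", int(m.group("alg")), int(m.group("tag"))


def key_tag(rdata, algorithm):
    """Key footprint over the KEY RDATA (RFC 2535 App. C, RFC 4034 App. B)."""
    if algorithm == 1:  # RSAMD5: 3rd- and 2nd-to-last octets of the modulus
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, octet in enumerate(rdata):  # sum the RDATA as big-endian 16-bit words
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF  # fold the carry back in
    return ac & 0xFFFF


def parse_key_record(line):
    """Parse 'owner [class] KEY flags protocol algorithm base64...' from a .key file."""
    tokens = line.split()
    i = tokens.index("KEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    return {"owner": tokens[0], "algorithm": algorithm, "rdata": rdata}


def check_generated_key(key_id, key_file_line, private_mode):
    """Return the disagreements between id string, .key record and .private mode."""
    name, alg, tag = parse_key_id(key_id)
    rec = parse_key_record(key_file_line)
    problems = []
    if rec["owner"] != name:
        problems.append("owner %s does not match id name %s" % (rec["owner"], name))
    if rec["algorithm"] != alg:
        problems.append("algorithm %d in record but %03d in id" % (rec["algorithm"], alg))
    computed = key_tag(rec["rdata"], rec["algorithm"])
    if computed != tag:
        problems.append("key tag %05d in id but %05d computed" % (tag, computed))
    if private_mode & 0o077:  # .private must not carry group/other permission bits
        problems.append(".private is readable by others (mode %o)" % private_mode)
    return problems
```

Pass `os.stat(path).st_mode & 0o777` of the real .private file as `private_mode`; an empty list means the id string, the .key record and the file mode agree.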
<citerefentry>
<refentrytitle>dnssec-makekeyset</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signkey</refentrytitle>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<corpauthor>Internet Software Consortium</corpauthor>