bin/dnssec/dnssec-keygen.docbook

	dnssec-keygen.docbook revision dde8659175c5798267fb0fdefd7576e4efe271b3
5cd4555ad444fd391002ae32450572054369fd42Rob Austein<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
5cd4555ad444fd391002ae32450572054369fd42Rob Austein               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein           [<!ENTITY mdash "&#8212;">]>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<!--
dde8659175c5798267fb0fdefd7576e4efe271b3Automatic Updater - Copyright (C) 2004, 2005, 2007-2009  Internet Systems Consortium, Inc. ("ISC")
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - Copyright (C) 2000-2003  Internet Software Consortium.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - copyright notice and this permission notice appear in all copies.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington-->
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews
dde8659175c5798267fb0fdefd7576e4efe271b3Automatic Updater<!-- $Id: dnssec-keygen.docbook,v 1.24 2009/06/17 23:53:04 tbox Exp $ -->
b5ad6dfea4cc3e7d1d322ac99f1e5a31096837c4Mark Andrews<refentry id="man.dnssec-keygen">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <date>June 30, 2000</date>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refentryinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refmeta>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <refentrytitle><application>dnssec-keygen</application></refentrytitle>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <manvolnum>8</manvolnum>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <refmiscinfo>BIND9</refmiscinfo>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refmeta>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refnamediv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <refname><application>dnssec-keygen</application></refname>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <refpurpose>DNSSEC key generation tool</refpurpose>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refnamediv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein  <docinfo>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2004</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2005</year>
c1a883f2e04d94e99c433b1f6cfd0c0338f4ed85Mark Andrews      <year>2007</year>
3398334b3acda24b086957286288ca9852662b12Automatic Updater      <year>2008</year>
dde8659175c5798267fb0fdefd7576e4efe271b3Automatic Updater      <year>2009</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2000</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2001</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2002</year>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <year>2003</year>
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews      <holder>Internet Software Consortium.</holder>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    </copyright>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein  </docinfo>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <command>dnssec-keygen</command>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt      <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt      <arg ><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt      <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-e</option></arg>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-h</option></arg>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews      <arg><option>-k</option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <arg choice="req">name</arg>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </cmdsynopsis>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsynopsisdiv>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>DESCRIPTION</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <para><command>dnssec-keygen</command>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      and RFC 4034.  It can also generate keys for use with
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      TSIG (Transaction Signatures), as defined in RFC 2845.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>OPTIONS</title>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Selects the cryptographic algorithm.  The value of
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt        These values are case insensitive.  The default is RSASHA1 for
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt            DNSSEC key generation.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews            algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        mandatory.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Note 2: HMAC-MD5 and DH automatically set the -k flag.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-b <replaceable class="parameter">keysize</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Specifies the number of bits in the key.  The choice of key
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            size depends on the algorithm used.  RSAMD5 / RSASHA1 keys must be
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt            between 512 and 2048 bits.  Diffie Hellman keys must be between
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            128 and 4096 bits.  DSA keys must be between 512 and 1024
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            bits and an exact multiple of 64.  HMAC-MD5 keys must be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            between 1 and 512 bits.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt            When generating a DNSSEC key with the default algorithm, this
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt            value defaults to 1024, or 2048 if the KSK flag is set.
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt          <para>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-n <replaceable class="parameter">nametype</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Specifies the owner type of the key.  The value of
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            <option>nametype</option> must either be ZONE (for a DNSSEC
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            a host (KEY)),
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
bf45f72ed319628eebce60c368177320943d001fMark Andrews            These values are case insensitive.  Defaults to ZONE for DNSKEY
bf45f72ed319628eebce60c368177320943d001fMark Andrews        generation.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-c <replaceable class="parameter">class</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Indicates that the DNS record containing the key should have
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            the specified class.  If not specified, class IN is used.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-e</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            If generating an RSAMD5/RSASHA1 key, use a large exponent.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      <varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews        <term>-f <replaceable class="parameter">flag</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Set the specified flag in the flag field of the KEY/DNSKEY record.
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt            The only recognized flag is KSK (Key Signing Key) DNSKEY.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews      </varlistentry>
b0c15bd9792112fb47f6d956e580e4369e92f4e7Mark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-g <replaceable class="parameter">generator</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            If generating a Diffie Hellman key, use this generator.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Allowed values are 2 and 5.  If no generator
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            is specified, a known prime from RFC 2539 will be used
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            if possible; otherwise the default is 2.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-h</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Prints a short summary of the options and arguments to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            <command>dnssec-keygen</command>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews      <varlistentry>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews        <term>-k</term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Generate KEY records rather than DNSKEY records.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews      </varlistentry>
cc3aafe737334d444781f8a34ffaf459e075bb9aMark Andrews
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-p <replaceable class="parameter">protocol</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Sets the protocol value for the generated key.  The protocol
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            is a number between 0 and 255.  The default is 3 (DNSSEC).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Other possible values for this argument are listed in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            RFC 2535 and its successors.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-r <replaceable class="parameter">randomdev</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Specifies the source of randomness.  If the operating
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            system does not provide a <filename>/dev/random</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            or equivalent device, the default source of randomness
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            is keyboard input.  <filename>randomdev</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            specifies
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            the name of a character device or file containing random
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            data to be used instead of the default.  The special value
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            <filename>keyboard</filename> indicates that keyboard
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            input should be used.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-s <replaceable class="parameter">strength</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Specifies the strength value of the key.  The strength is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            a number between 0 and 15, and currently has no defined
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            purpose in DNSSEC.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-t <replaceable class="parameter">type</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Indicates the use of the key.  <option>type</option> must be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            is AUTHCONF.  AUTH refers to the ability to authenticate
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            data, and CONF the ability to encrypt data.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington        <term>-v <replaceable class="parameter">level</replaceable></term>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein            Sets the debugging level.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        </listitem>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </varlistentry>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </variablelist>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>GENERATED KEYS</title>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      When <command>dnssec-keygen</command> completes
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      successfully,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      to the standard output.  This is an identification string for
79399226b7bd15afb3e97fa9a5ea678359968997Mark Andrews      the key it has generated.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington    <itemizedlist>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington      <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <para><filename>nnnn</filename> is the key name.
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington        </para>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington      </listitem>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington      <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <para><filename>aaa</filename> is the numeric representation
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          of the
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington          algorithm.
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington        </para>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington      </listitem>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington      <listitem>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <para><filename>iiiii</filename> is the key identifier (or
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein          footprint).
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington        </para>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington      </listitem>
8ffa8320abcc17ae593af566cb946a58fe293860Brian Wellington    </itemizedlist>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <para><command>dnssec-keygen</command>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      creates two files, with names based
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      contains the public key, and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <filename>Knnnn.+aaa+iiiii.private</filename> contains the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      private
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      key.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      The <filename>.key</filename> file contains a DNS KEY record
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      that
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      can be inserted into a zone file (directly or with a $INCLUDE
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      statement).
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <para>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      The <filename>.private</filename> file contains
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      algorithm-specific
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      fields.  For obvious security reasons, this file does not have
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      general read permission.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      Both <filename>.key</filename> and <filename>.private</filename>
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      files are generated for symmetric encryption algorithms such as
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      HMAC-MD5, even though the public and private key are equivalent.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>EXAMPLE</title>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      To generate a 768-bit DSA key for the domain
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      <userinput>example.com</userinput>, the following command would be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      issued:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      The command would print a string of the form:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <para><userinput>Kexample.com.+003+26160</userinput>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <para>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      In this example, <command>dnssec-keygen</command> creates
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      the files <filename>Kexample.com.+003+26160.key</filename>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein      and
561a29af8c54a216e7d30b5b4f6e0d21661654ecMark Andrews      <filename>Kexample.com.+003+26160.private</filename>.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>SEE ALSO</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <para><citerefentry>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      </citerefentry>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
733531b6d5c705dad87e85a2bcc557f68f902bb3Jeremy Reed      <citetitle>RFC 2539</citetitle>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington      <citetitle>RFC 2845</citetitle>,
733531b6d5c705dad87e85a2bcc557f68f902bb3Jeremy Reed      <citetitle>RFC 4033</citetitle>.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  <refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    <title>AUTHOR</title>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein    <para><corpauthor>Internet Systems Consortium</corpauthor>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington    </para>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington  </refsect1>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</refentry><!--
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - Local variables:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - mode: sgml
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - End:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington-->