dnssec-keygen.docbook revision ec5347e2c775f027573ce5648b910361aa926c01
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
c78c39caab4cf8b5daefc9c65878f7f5ed3eb7a0Tinderbox User [<!ENTITY mdash "—">]>
ab496cc3df1648e9ad992a87c35c2c0870fdc69dTinderbox User - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
7c1468ed500356839a4a222517364e6ce18cb1a2Tinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews - Permission to use, copy, modify, and/or distribute this software for any
287a6a8f9040dc43560cd69cddf83bfc0f53b76fTinderbox User - purpose with or without fee is hereby granted, provided that the above
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews - copyright notice and this permission notice appear in all copies.
950d203b64f512b85fcc093ee1e9e3e531a1aea3Tinderbox User - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<!-- $Id: dnssec-keygen.docbook,v 1.19 2007/06/18 23:47:17 tbox Exp $ -->
d5637bdbb931ff79fced3d4858d83212ea58ed15Tinderbox User <refentryinfo>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </refentryinfo>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <refentrytitle><application>dnssec-keygen</application></refentrytitle>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <refnamediv>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <refname><application>dnssec-keygen</application></refname>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <refpurpose>DNSSEC key generation tool</refpurpose>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </refnamediv>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt </copyright>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <holder>Internet Software Consortium.</holder>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt </copyright>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt <refsynopsisdiv>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <cmdsynopsis>
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
16f6050f29b6b0422cee858e609f65e474e70ef2Tinderbox User <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews </cmdsynopsis>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </refsynopsisdiv>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
294e9d4c34462d29a3e766c88f452b46aeb3702fTinderbox User and RFC 4034. It can also generate keys for use with
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User TSIG (Transaction Signatures), as defined in RFC 2845.
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt <variablelist>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt <varlistentry>
7cc0a5d21ef046bfd630c4769943d896a7d7472cTinderbox User <term>-a <replaceable class="parameter">algorithm</replaceable></term>
ee11dfc481f2ef6a032a715454f6290961a722d2Tinderbox User Selects the cryptographic algorithm. The value of
ee11dfc481f2ef6a032a715454f6290961a722d2Tinderbox User <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews DSA, DH (Diffie Hellman), or HMAC-MD5. These values
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User are case insensitive.
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User Note 1: for DNSSEC, RSASHA1 is mandatory to implement
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User Note 2: HMAC-MD5 and DH automatically set the -k flag.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson </varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <term>-b <replaceable class="parameter">keysize</replaceable></term>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews Specifies the number of bits in the key. The choice of key
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews between 512 and 2048 bits. Diffie Hellman keys must be between
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User 128 and 4096 bits. DSA keys must be between 512 and 1024
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson bits and an exact multiple of 64. HMAC-MD5 keys must be
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User between 1 and 512 bits.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </varlistentry>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <term>-n <replaceable class="parameter">nametype</replaceable></term>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Specifies the owner type of the key. The value of
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews <option>nametype</option> must either be ZONE (for a DNSSEC
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews a host (KEY)),
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
a450977e98155f6e828fe6f8d52cf24674231831Mark Andrews These values are case insensitive. Defaults to ZONE for DNSKEY
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User <term>-c <replaceable class="parameter">class</replaceable></term>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Indicates that the DNS record containing the key should have
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User the specified class. If not specified, class IN is used.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews </varlistentry>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <varlistentry>
5747235bf35e7398984fd6b4632743396895ea7aTinderbox User If generating an RSAMD5/RSASHA1 key, use a large exponent.
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User </varlistentry>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <varlistentry>
e20788e1216ed720aefa84f3295f7899d9f28c22Mark Andrews <term>-f <replaceable class="parameter">flag</replaceable></term>
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews Set the specified flag in the flag field of the KEY/DNSKEY record.
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User The only recognized flag is KSK (Key Signing Key) DNSKEY.
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater </varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <term>-g <replaceable class="parameter">generator</replaceable></term>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User If generating a Diffie Hellman key, use this generator.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Allowed values are 2 and 5. If no generator
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User is specified, a known prime from RFC 2539 will be used
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews if possible; otherwise the default is 2.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Prints a short summary of the options and arguments to
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Generate KEY records rather than DNSKEY records.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <term>-p <replaceable class="parameter">protocol</replaceable></term>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Sets the protocol value for the generated key. The protocol
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User is a number between 0 and 255. The default is 3 (DNSSEC).
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Other possible values for this argument are listed in
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User RFC 2535 and its successors.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <term>-r <replaceable class="parameter">randomdev</replaceable></term>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Specifies the source of randomness. If the operating
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User system does not provide a <filename>/dev/random</filename>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews or equivalent device, the default source of randomness
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User is keyboard input. <filename>randomdev</filename> specifies
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews the name of a character device or file containing random
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews data to be used instead of the default. The special value
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User <filename>keyboard</filename> indicates that keyboard
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User input should be used.
f0c5e918974bf778af6cd1e25309ad13e30a79a6Tinderbox User </varlistentry>
7ca715ad1587a68a531ea1cdea07515d7232567eTinderbox User <varlistentry>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User <term>-s <replaceable class="parameter">strength</replaceable></term>
bac4435d473c9a0281507524f084480c34aa942aTinderbox User Specifies the strength value of the key. The strength is
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews a number between 0 and 15, and currently has no defined
933799f3641f4f78445d015008bad0038900a82aTinderbox User purpose in DNSSEC.
4151211e6649332f7b5a55870cbe37128bcc7b29Tinderbox User </varlistentry>
bc0a53583d92309bebcf93c408e2f3247ebd3d3cAutomatic Updater <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term>-t <replaceable class="parameter">type</replaceable></term>
b02be031b9ff37b042adc8e68e36b8bbc1f672b7Tinderbox User Indicates the use of the key. <option>type</option> must be
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
ba8b771c371967dd1254c7fa82ebe4158ee04b24Tinderbox User is AUTHCONF. AUTH refers to the ability to authenticate
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater data, and CONF the ability to encrypt data.
b02be031b9ff37b042adc8e68e36b8bbc1f672b7Tinderbox User </varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <varlistentry>
19b3dc94bce93fa76bd7e066f9298630dbc9dcb4Automatic Updater <term>-v <replaceable class="parameter">level</replaceable></term>
7f94d9a8162c9a96b56e66176702b66e79d8e1a2Automatic Updater Sets the debugging level.
bac4435d473c9a0281507524f084480c34aa942aTinderbox User </varlistentry>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews </variablelist>
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater When <command>dnssec-keygen</command> completes
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User successfully,
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
4cda4fd158d6ded5586bacea8c388445d99611eaAutomatic Updater to the standard output. This is an identification string for
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews the key it has generated.
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User <itemizedlist>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <para><filename>nnnn</filename> is the key name.
bac4435d473c9a0281507524f084480c34aa942aTinderbox User <para><filename>aaa</filename> is the numeric representation
933799f3641f4f78445d015008bad0038900a82aTinderbox User <para><filename>iiiii</filename> is the key identifier (or
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User </itemizedlist>
757ff043760e4743dda1a10e7d58349275934902Tinderbox User creates two files, with names based
ae454ec746d1d4db8d04e107d4d25ff13158c37fMark Andrews on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
f520803b46dc189fdaf84adc87ef327d3587b435Mark Andrews contains the public key, and
a03cb08d0c4f1ca5fbc121d2f02bdffa7eb52286Mark Andrews <filename>Knnnn.+aaa+iiiii.private</filename> contains the
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson The <filename>.key</filename> file contains a DNS KEY record
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews can be inserted into a zone file (directly or with a $INCLUDE
bac4435d473c9a0281507524f084480c34aa942aTinderbox User The <filename>.private</filename> file contains
f520803b46dc189fdaf84adc87ef327d3587b435Mark Andrews algorithm-specific
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User fields. For obvious security reasons, this file does not have
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User general read permission.
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User Both <filename>.key</filename> and <filename>.private</filename>
e64202536ea72d8f371dd0df9fc763f8d70bf886Tinderbox User files are generated for symmetric encryption algorithms such as
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews HMAC-MD5, even though the public and private key are equivalent.
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User To generate a 768-bit DSA key for the domain
ebdf202f2198158ab4d30f22c370a9c63760d071Tinderbox User <userinput>example.com</userinput>, the following command would be
caaff35375fba833f156f952aeca689e5bc7cddfFrancis Dupont <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont The command would print a string of the form:
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <para><userinput>Kexample.com.+003+26160</userinput>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews In this example, <command>dnssec-keygen</command> creates
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews the files <filename>Kexample.com.+003+26160.key</filename> and
3759f10fc543747668b1ca4b4671f35b0dea8445Francis Dupont <filename>Kexample.com.+003+26160.private</filename>.
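Two checks an operator might script around the behaviour documented above, as an added example that is not BIND's own code: validating a -b key size against the per-algorithm ranges given under -b, and parsing the Knnnn.+aaa+iiiii identification string into its parts and the two file names. It assumes the IANA DNSSEC algorithm numbers (RSAMD5=1, DH=2, DSA=3, RSASHA1=5, matching the DSA=003 in the page's example) and the TSIG HMAC-MD5 code 157.

```python
"""Helpers modelling what this man page documents about dnssec-keygen:
the per-algorithm key-size rules of -b and the Knnnn.+aaa+iiiii string
printed on success.  Example code written for this page, not part of
BIND.  Algorithm numbers are the IANA DNSSEC algorithm numbers; 157 for
HMAC-MD5 is the TSIG HMAC-MD5.SIG-ALG.REG.INT code (assumed mapping)."""
import re

# name -> (algorithm number, min bits, max bits, required multiple)
# Ranges are those stated in the -b description of the man page.
ALGORITHMS = {
    "RSAMD5":   (1,   512, 2048, 1),
    "DH":       (2,   128, 4096, 1),
    "DSA":      (3,   512, 1024, 64),   # DSA must be a multiple of 64
    "RSASHA1":  (5,   512, 2048, 1),
    "HMAC-MD5": (157, 1,   512,  1),
}


def check_keysize(algorithm, bits):
    """Return True if '-b bits' is acceptable for '-a algorithm' (case insensitive)."""
    name = algorithm.upper()
    if name not in ALGORITHMS:
        raise ValueError(f"unknown algorithm: {algorithm}")
    _, lo, hi, multiple = ALGORITHMS[name]
    return lo <= bits <= hi and bits % multiple == 0


# Knnnn.+aaa+iiiii: key name, 3-digit algorithm number, 5-digit key tag
KEYID_RE = re.compile(r"^K(?P<name>[^+]+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def parse_keyid(ident):
    """Split the printed identification string into its components and file names."""
    m = KEYID_RE.match(ident.strip())
    if not m:
        raise ValueError(f"not a dnssec-keygen identification string: {ident}")
    alg_num = int(m.group("alg"))
    tag = int(m.group("tag"))
    if tag > 65535:
        raise ValueError("key tag is a 16-bit value")
    alg_name = next((n for n, v in ALGORITHMS.items() if v[0] == alg_num), None)
    return {
        "name": m.group("name"),          # e.g. "example.com." (trailing dot kept)
        "algorithm": alg_num,
        "algorithm_name": alg_name,       # None if not in the table above
        "key_tag": tag,
        # both files exist even for symmetric (HMAC-MD5) keys, per the page
        "symmetric": alg_name == "HMAC-MD5",
        "public_file": ident.strip() + ".key",
        "private_file": ident.strip() + ".private",
    }
```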
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater </citerefentry>,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <para><corpauthor>Internet Systems Consortium</corpauthor>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews - Local variables:
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews - mode: sgml