dnssec-keygen.docbook revision f5d30e2864e048a42c4dc1134993ae7efdb5d6c3
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
c78c39caab4cf8b5daefc9c65878f7f5ed3eb7a0Tinderbox User [<!ENTITY mdash "&#8212;">]>
f536382c59dd492a14667b753816d920f9981f1cTinderbox User<!--
ab496cc3df1648e9ad992a87c35c2c0870fdc69dTinderbox User - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
7c1468ed500356839a4a222517364e6ce18cb1a2Tinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
c57668a2fbbe558c1bd21652813616f2f517c469Tinderbox User -
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews - Permission to use, copy, modify, and distribute this software for any
287a6a8f9040dc43560cd69cddf83bfc0f53b76fTinderbox User - purpose with or without fee is hereby granted, provided that the above
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews - copyright notice and this permission notice appear in all copies.
8de3f14f1c300c3e1ed99084cc03485b42c92bf1Tinderbox User -
950d203b64f512b85fcc093ee1e9e3e531a1aea3Tinderbox User - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews-->
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<!-- $Id: dnssec-keygen.docbook,v 1.12 2005/05/13 01:35:39 marka Exp $ -->
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews<refentry>
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews <refentryinfo>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <date>June 30, 2000</date>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </refentryinfo>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <refmeta>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <refentrytitle><application>dnssec-keygen</application></refentrytitle>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <manvolnum>8</manvolnum>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <refmiscinfo>BIND9</refmiscinfo>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </refmeta>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <refnamediv>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <refname><application>dnssec-keygen</application></refname>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <refpurpose>DNSSEC key generation tool</refpurpose>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </refnamediv>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <docinfo>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <copyright>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <year>2004</year>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <year>2005</year>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews </copyright>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt <copyright>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User <year>2000</year>
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User <year>2001</year>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt <year>2002</year>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <year>2003</year>
16f6050f29b6b0422cee858e609f65e474e70ef2Tinderbox User <holder>Internet Software Consortium.</holder>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater </copyright>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt </docinfo>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User <refsynopsisdiv>
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt <cmdsynopsis>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <command>dnssec-keygen</command>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater <arg><option>-e</option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-h</option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-k</option></arg>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
16f6050f29b6b0422cee858e609f65e474e70ef2Tinderbox User <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <arg choice="req">name</arg>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </cmdsynopsis>
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews </refsynopsisdiv>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <refsect1>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <title>DESCRIPTION</title>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <para><command>dnssec-keygen</command>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt and RFC &lt;TBA&gt;. It can also generate keys for use with
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt TSIG (Transaction Signatures), as defined in RFC 2845.
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User </para>
95637507c3d47481fbf0a8a8c750a57f944f677fMark Andrews </refsect1>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt <refsect1>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt <title>OPTIONS</title>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt <variablelist>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt <varlistentry>
2ae159b376dac23870d8005563c585acf85a4b5aEvan Hunt <term>-a <replaceable class="parameter">algorithm</replaceable></term>
7cc0a5d21ef046bfd630c4769943d896a7d7472cTinderbox User <listitem>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <para>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Selects the cryptographic algorithm. The value of
ee11dfc481f2ef6a032a715454f6290961a722d2Tinderbox User <option>algorithm</option> must be one of RSAMD5 (RSA), RSASHA1,
ee11dfc481f2ef6a032a715454f6290961a722d2Tinderbox User DSA, DH (Diffie Hellman), or HMAC-MD5. These values
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews are case insensitive.
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User </para>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <para>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User algorithm,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User </para>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <para>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User Note 2: HMAC-MD5 and DH automatically set the -k flag.
77932ac533c711eca5cd86de4e7eca8d91102b43Tinderbox User </para>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </listitem>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </varlistentry>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <term>-b <replaceable class="parameter">keysize</replaceable></term>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <listitem>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <para>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Specifies the number of bits in the key. The choice of key
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews between
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User 512 and 2048 bits. Diffie Hellman keys must be between
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews 128 and 4096 bits. DSA keys must be between 512 and 1024
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User bits and an exact multiple of 64. HMAC-MD5 keys must be
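91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson between 1 and 512 bits. These are the limits the tool accepts, not recommended sizes; keys near the lower bounds offer little protection.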
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </para>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </listitem>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <varlistentry>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <term>-n <replaceable class="parameter">nametype</replaceable></term>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <listitem>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <para>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Specifies the owner type of the key. The value of
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <option>nametype</option> must either be ZONE (for a DNSSEC
28a5dd720187fddb16055a0f64b63a7b66f29f64Mark Andrews zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews a host (KEY)),
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User These values are
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User case insensitive.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews </para>
fd972434c29fc1169d66594e4cc7697d33036c2bTinderbox User </listitem>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User </varlistentry>
37d8e0a4455876fe1e4cca511076cc2c5ab9eedeTinderbox User
fd972434c29fc1169d66594e4cc7697d33036c2bTinderbox User <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-c <replaceable class="parameter">class</replaceable></term>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User <listitem>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Indicates that the DNS record containing the key should have
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews the specified class. If not specified, class IN is used.
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User </para>
5747235bf35e7398984fd6b4632743396895ea7aTinderbox User </listitem>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </varlistentry>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <varlistentry>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <term>-e</term>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <listitem>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <para>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User If generating an RSAMD5/RSASHA1 key, use a large exponent.
5747235bf35e7398984fd6b4632743396895ea7aTinderbox User </para>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews </listitem>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </varlistentry>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <varlistentry>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <term>-f <replaceable class="parameter">flag</replaceable></term>
e20788e1216ed720aefa84f3295f7899d9f28c22Mark Andrews <listitem>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User <para>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews Set the specified flag in the flag field of the KEY/DNSKEY record.
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews The only recognized flag is KSK (Key Signing Key) DNSKEY.
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User </para>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User </listitem>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </varlistentry>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <term>-g <replaceable class="parameter">generator</replaceable></term>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <listitem>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <para>
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater If generating a Diffie Hellman key, use this generator.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Allowed values are 2 and 5. If no generator
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews is specified, a known prime from RFC 2539 will be used
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User if possible; otherwise the default is 2.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </para>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </listitem>
fa0326cc2cf428f67575b6ba3b97b528a31b0010Tinderbox User </varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <term>-h</term>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <listitem>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <para>
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater Prints a short summary of the options and arguments to
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <command>dnssec-keygen</command>.
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </para>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </listitem>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <varlistentry>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <term>-k</term>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <listitem>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <para>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews Generate KEY records rather than DNSKEY records.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </para>
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater </listitem>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <term>-p <replaceable class="parameter">protocol</replaceable></term>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <listitem>
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater <para>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Sets the protocol value for the generated key. The protocol
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews is a number between 0 and 255. The default is 3 (DNSSEC).
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Other possible values for this argument are listed in
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews RFC 2535 and its successors.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </para>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson </listitem>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <varlistentry>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <term>-r <replaceable class="parameter">randomdev</replaceable></term>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <listitem>
5f7586ddbd3edd11272cdd30ed613d936129328bTinderbox User <para>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User Specifies the source of randomness. If the operating
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews system does not provide a <filename>/dev/random</filename>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User or equivalent device, the default source of randomness
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews is keyboard input. <filename>randomdev</filename>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User specifies
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews the name of a character device or file containing random
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews data to be used instead of the default. The special value
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews <filename>keyboard</filename> indicates that keyboard
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User input should be used.
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User </para>
bac4435d473c9a0281507524f084480c34aa942aTinderbox User </listitem>
933799f3641f4f78445d015008bad0038900a82aTinderbox User </varlistentry>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews <varlistentry>
7ca715ad1587a68a531ea1cdea07515d7232567eTinderbox User <term>-s <replaceable class="parameter">strength</replaceable></term>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User <listitem>
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater <para>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Specifies the strength value of the key. The strength is
bac4435d473c9a0281507524f084480c34aa942aTinderbox User a number between 0 and 15, and currently has no defined
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews purpose in DNSSEC.
933799f3641f4f78445d015008bad0038900a82aTinderbox User </para>
8e5fce1f9ceba17dd7e3ff0eb287e1e999c14249Mark Andrews </listitem>
933799f3641f4f78445d015008bad0038900a82aTinderbox User </varlistentry>
4151211e6649332f7b5a55870cbe37128bcc7b29Tinderbox User
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews <varlistentry>
bc0a53583d92309bebcf93c408e2f3247ebd3d3cAutomatic Updater <term>-t <replaceable class="parameter">type</replaceable></term>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <listitem>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <para>
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater Indicates the use of the key. <option>type</option> must be
b02be031b9ff37b042adc8e68e36b8bbc1f672b7Tinderbox User one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is AUTHCONF. AUTH refers to the ability to authenticate
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews data, and CONF the ability to encrypt data.
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater </para>
3ec8f7777ea2b04fc1ebb63077f0916f63b1011aTinderbox User </listitem>
d7d105151a78d35afb4233d2a6dbd47b7ec0d9a5Tinderbox User </varlistentry>
b02be031b9ff37b042adc8e68e36b8bbc1f672b7Tinderbox User
933799f3641f4f78445d015008bad0038900a82aTinderbox User <varlistentry>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <term>-v <replaceable class="parameter">level</replaceable></term>
19b3dc94bce93fa76bd7e066f9298630dbc9dcb4Automatic Updater <listitem>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <para>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater Sets the debugging level.
7f94d9a8162c9a96b56e66176702b66e79d8e1a2Automatic Updater </para>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </listitem>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </varlistentry>
bac4435d473c9a0281507524f084480c34aa942aTinderbox User
39ae0eafed076ef769fef5c18b22a8051df5c93aTinderbox User </variablelist>
91d187ce035f39073f0732ff2a401a45c3c955fbMark Andrews </refsect1>
c2abd6efeb9affa70aabb63da2acb23e135cf7f2Mark Andrews
e21f41f6504b3381be86cbe7f457f9ee1fff947bTinderbox User <refsect1>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User <title>GENERATED KEYS</title>
96ea71632887c58a9d00f47eb318bf76b35903c3Mark Andrews <para>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater When <command>dnssec-keygen</command> completes
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater successfully,
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
dc238a06bffa79de141ee7655765e2df91498a8aTinderbox User to the standard output. This is an identification string for
4cda4fd158d6ded5586bacea8c388445d99611eaAutomatic Updater the key it has generated. These strings can be used as arguments
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews to <command>dnssec-makekeyset</command>.
b02be031b9ff37b042adc8e68e36b8bbc1f672b7Tinderbox User </para>
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User <itemizedlist>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <listitem>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <para><filename>nnnn</filename> is the key name.
e08cdffb3ae4ad409f37e3e5a218fe4b7e0e3904Tinderbox User </para>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </listitem>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <listitem>
bac4435d473c9a0281507524f084480c34aa942aTinderbox User <para><filename>aaa</filename> is the numeric representation
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews of the
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews algorithm.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </para>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater </listitem>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User <listitem>
933799f3641f4f78445d015008bad0038900a82aTinderbox User <para><filename>iiiii</filename> is the key identifier (or
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater footprint).
a7c412f37cc73d0332887a746e81220cbf09dd00Mark Andrews </para>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews </listitem>
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User </itemizedlist>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User <para><command>dnssec-keygen</command>
757ff043760e4743dda1a10e7d58349275934902Tinderbox User creates two files, with names based
ae454ec746d1d4db8d04e107d4d25ff13158c37fMark Andrews on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
6025cbbe8408f4b09d53d5ec1e95cb6da97e0a8dTinderbox User contains the public key, and
e676a596869d8a80a644c99a848afb53d1c5975eMark Andrews <filename>Knnnn.+aaa+iiiii.private</filename> contains the
757ff043760e4743dda1a10e7d58349275934902Tinderbox User private
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater key.
ae454ec746d1d4db8d04e107d4d25ff13158c37fMark Andrews </para>
1bcc3273a80c256f11d9098a00ba2c041939e233Mark Andrews <para>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson The <filename>.key</filename> file contains a DNS KEY record
1bcc3273a80c256f11d9098a00ba2c041939e233Mark Andrews that
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews can be inserted into a zone file (directly or with a $INCLUDE
1bcc3273a80c256f11d9098a00ba2c041939e233Mark Andrews statement).
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews </para>
757ff043760e4743dda1a10e7d58349275934902Tinderbox User <para>
bac4435d473c9a0281507524f084480c34aa942aTinderbox User The <filename>.private</filename> file contains algorithm
4fe0411487e8e4401477684c0a2bac041ca7c2d5Tinderbox User specific
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User fields. Because it holds the private key, this file does not have
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User general read permission.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews </para>
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews <para>
e40c4e4c17d4df338e2a7db0f84d8dbb3858964cTinderbox User Both <filename>.key</filename> and <filename>.private</filename>
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User files are generated for symmetric (shared-secret) algorithms such as
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews HMAC-MD5, even though the public and private key are equivalent.
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User </para>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson </refsect1>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <refsect1>
9ecb5d33470ebfb3719a1b8d56bcefdf4b27f7b2Tinderbox User <title>EXAMPLE</title>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <para>
015055b6e23f5c08f6a5b34726f90b62597e9e45Tinderbox User To generate a 768-bit DSA key for the domain
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <userinput>example.com</userinput>, the following command would be
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews issued:
dcad2ea9d36f03b1e5dbec881478dfa4aaed1bc0Tinderbox User </para>
dcad2ea9d36f03b1e5dbec881478dfa4aaed1bc0Tinderbox User <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
dcad2ea9d36f03b1e5dbec881478dfa4aaed1bc0Tinderbox User </para>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <para>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews The command would print a string of the form:
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews </para>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews <para><userinput>Kexample.com.+003+26160</userinput>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews </para>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <para>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews In this example, <command>dnssec-keygen</command> creates
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews the files <filename>Kexample.com.+003+26160.key</filename>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews and
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <filename>Kexample.com.+003+26160.private</filename>.
0e573cdd111e060e5f6c18249b5ccacbe8abe278Tinderbox User </para>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews </refsect1>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <refsect1>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <title>SEE ALSO</title>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <para><citerefentry>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater </citerefentry>,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <citetitle>RFC 2535</citetitle>,
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <citetitle>RFC 2845</citetitle>,
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <citetitle>RFC 2539</citetitle>.
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews </para>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater </refsect1>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <refsect1>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews <title>AUTHOR</title>
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews <para><corpauthor>Internet Systems Consortium</corpauthor>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews </para>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater </refsect1>
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews</refentry><!--
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews - Local variables:
0eb371ca0dab50ae3462e98794a6126198c52f4bMark Andrews - mode: sgml
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews - End:
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews-->
dedefc0bdbb4e6e39eeb98aa2fc6883efec2ddb0Mark Andrews