2N/A<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook V4.1//EN">

2N/A

2N/A<refentry>

2N/A <refentryinfo>

2N/A <date>June 30, 2000</date>

2N/A </refentryinfo>

2N/A

2N/A <refmeta>

2N/A <refentrytitle><application>dnssec-keygen</application></refentrytitle>

2N/A <manvolnum>8</manvolnum>

2N/A <refmiscinfo>BIND9</refmiscinfo>

2N/A </refmeta>

2N/A

2N/A <refnamediv>

2N/A <refname><application>dnssec-keygen</application></refname>

2N/A <refpurpose>DNSSEC key generation tool</refpurpose>

2N/A </refnamediv>

2N/A

2N/A <refsynopsisdiv>

2N/A <cmdsynopsis>

2N/A <command>dnssec-keygen</command>

2N/A <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>

2N/A <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>

32N/A <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>

32N/A <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>

2N/A <arg><option>-e</option></arg>

2N/A <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>

26N/A <arg><option>-h</option></arg>

38N/A <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>

38N/A <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>

38N/A <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>

29N/A <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>

29N/A <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>

29N/A <arg choice="req">name</arg>

29N/A </cmdsynopsis>

26N/A </refsynopsisdiv>

26N/A

29N/A <refsect1>

26N/A <title>DESCRIPTION</title>

2N/A <para>

38N/A <command>dnssec-keygen</command> generates keys for DNSSEC

2N/A (Secure DNS), as defined in RFC 2535. It can also generate

6N/A keys for use with TSIG (Transaction Signatures), as

2N/A defined in RFC 2845.

31N/A </para>

2N/A </refsect1>

2N/A

34N/A <refsect1>

34N/A <title>OPTIONS</title>

34N/A

34N/A <variablelist>

2N/A <varlistentry>

34N/A <term>-a <replaceable class="parameter">algorithm</replaceable></term>

34N/A <listitem>

34N/A <para>

12N/A Selects the cryptographic algorithm. The value of

2N/A <option>algorithm</option> must be one of RSAMD5 or RSA,

16N/A DSA, DH (Diffie Hellman), or HMAC-MD5. These values

16N/A are case insensitive.

16N/A </para>

34N/A <para>

34N/A Note that for DNSSEC, DSA is a mandatory to implement algorithm,

16N/A and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.

6N/A </para>

12N/A </listitem>

12N/A </varlistentry>

12N/A

12N/A <varlistentry>

12N/A <term>-b <replaceable class="parameter">keysize</replaceable></term>

12N/A <listitem>

12N/A <para>

12N/A Specifies the number of bits in the key. The choice of key

12N/A size depends on the algorithm used. RSA keys must be between

12N/A 512 and 2048 bits. Diffie Hellman keys must be between

12N/A 128 and 4096 bits. DSA keys must be between 512 and 1024

12N/A bits and an exact multiple of 64. HMAC-MD5 keys must be

12N/A between 1 and 512 bits.

12N/A </para>

12N/A </listitem>

12N/A </varlistentry>

12N/A

12N/A <varlistentry>

2N/A <term>-n <replaceable class="parameter">nametype</replaceable></term>

2N/A <listitem>

2N/A <para>

2N/A Specifies the owner type of the key. The value of

2N/A <option>nametype</option> must either be ZONE (for a DNSSEC

2N/A zone key), HOST or ENTITY (for a key associated with a host),

2N/A or USER (for a key associated with a user). These values are

2N/A case insensitive.

2N/A </para>

2N/A </listitem>

2N/A </varlistentry>

2N/A

2N/A <varlistentry>

2N/A <term>-c <replaceable class="parameter">class</replaceable></term>

2N/A <listitem>

2N/A <para>

2N/A Indicates that the DNS record containing the key should have

2N/A the specified class. If not specified, class IN is used.

2N/A </para>

16N/A </listitem>

16N/A </varlistentry>

2N/A

2N/A <varlistentry>

2N/A <term>-e</term>

2N/A <listitem>

2N/A <para>

2N/A If generating an RSA key, use a large exponent.

2N/A </para>

2N/A </listitem>

2N/A </varlistentry>

2N/A

2N/A <varlistentry>

2N/A <term>-g <replaceable class="parameter">generator</replaceable></term>

2N/A <listitem>

2N/A <para>

2N/A If generating a Diffie Hellman key, use this generator.

2N/A Allowed values are 2 and 5. If no generator

2N/A is specified, a known prime from RFC 2539 will be used

2N/A if possible; otherwise the default is 2.

7N/A </para>

16N/A </listitem>

</varlistentry>

<varlistentry>

<term>-h</term>

<listitem>

<para>

Prints a short summary of the options and arguments to

<command>dnssec-keygen</command>.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-p <replaceable class="parameter">protocol</replaceable></term>

<listitem>

<para>

Sets the protocol value for the generated key. The protocol

is a number between 0 and 255. The default is 2 (email) for

keys of type USER and 3 (DNSSEC) for all other key types.

Other possible values for this argument are listed in

RFC 2535 and its successors.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-r <replaceable class="parameter">randomdev</replaceable></term>

<listitem>

<para>

Specifies the source of randomness. If the operating

system does not provide a <filename>/dev/random</filename>

or equivalent device, the default source of randomness

is keyboard input. <filename>randomdev</filename> specifies

the name of a character device or file containing random

data to be used instead of the default. The special value

<filename>keyboard</filename> indicates that keyboard

input should be used.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-s <replaceable class="parameter">strength</replaceable></term>

<listitem>

<para>

Specifies the strength value of the key. The strength is

a number between 0 and 15, and currently has no defined

purpose in DNSSEC.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-t <replaceable class="parameter">type</replaceable></term>

<listitem>

<para>

Indicates the use of the key. <option>type</option> must be

one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default

is AUTHCONF. AUTH refers to the ability to authenticate

data, and CONF the ability to encrypt data.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-v <replaceable class="parameter">level</replaceable></term>

<listitem>

<para>

Sets the debugging level.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect1>

<refsect1>

<title>GENERATED KEYS</title>

<para>

When <command>dnssec-keygen</command> completes successfully,

it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>

to the standard output. This is an identification string for

the key it has generated. These strings can be used as arguments

to <command>dnssec-makekeyset</command>.

</para>

<para>

<filename>nnnn</filename> is the key name.

</para>

<para>

<filename>aaa</filename> is the numeric representation of the algorithm.

</para>

<para>

<filename>iiiii</filename> is the key identifier (or footprint).

</para>

<para>

<command>dnssec-keygen</command> creates two file, with names based

on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>

contains the public key, and

<filename>Knnnn.+aaa+iiiii.private</filename> contains the private

key.

</para>

<para>

The <filename>.key</filename> file contains a DNS KEY record that

can be inserted into a zone file (directly or with a $INCLUDE

statement).

</para>

<para>

The <filename>.private</filename> file contains algorithm specific

fields. For obvious security reasons, this file does not have

general read permission.

</para>

<para>

Both <filename>.key</filename> and <filename>.private</filename>

files are generated for symmetric encryption algorithm such as

HMAC-MD5, even though the public and private key are equivalent.

</para>

</refsect1>

<refsect1>

<title>EXAMPLE</title>

<para>

To generate a 768-bit DSA key for the domain

<userinput>example.com</userinput>, the following command would be

issued:

</para>

<para>

<userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>

</para>

<para>

The command would print a string of the form:

</para>

<para>

<userinput>Kexample.com.+003+26160</userinput>

</para>

<para>

In this example, <command>dnssec-keygen</command> creates

the files <filename>Kexample.com.+003+26160.key</filename> and

<filename>Kexample.com.+003+26160.private</filename>

</para>

</refsect1>

<refsect1>

<title>SEE ALSO</title>

<para>

<citerefentry>

<refentrytitle>dnssec-makekeyset</refentrytitle>

<manvolnum>8</manvolnum>

</citerefentry>,

<citerefentry>

<refentrytitle>dnssec-signkey</refentrytitle>

<manvolnum>8</manvolnum>

</citerefentry>,

<citerefentry>

<refentrytitle>dnssec-signzone</refentrytitle>

<manvolnum>8</manvolnum>

</citerefentry>,

<citetitle>BIND 9 Administrator Reference Manual</citetitle>,

<citetitle>RFC 2535</citetitle>,

<citetitle>RFC 2845</citetitle>,

<citetitle>RFC 2539</citetitle>.

</para>

</refsect1>

<refsect1>

<title>AUTHOR</title>

<para>

<corpauthor>Internet Software Consortium</corpauthor>

</para>

</refsect1>

</refentry>