dnssec-keygen.docbook revision 3398334b3acda24b086957286288ca9852662b12
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews [<!ENTITY mdash "&#8212;">]>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews<!--
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews -
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews - Permission to use, copy, modify, and/or distribute this software for any
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews - purpose with or without fee is hereby granted, provided that the above
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews - copyright notice and this permission notice appear in all copies.
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews -
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews-->
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews<!-- $Id: dnssec-keygen.docbook,v 1.21 2008/09/25 04:02:38 tbox Exp $ -->
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews<refentry id="man.dnssec-keygen">
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <refentryinfo>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <date>June 30, 2000</date>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews </refentryinfo>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <refmeta>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <refentrytitle><application>dnssec-keygen</application></refentrytitle>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <manvolnum>8</manvolnum>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <refmiscinfo>BIND9</refmiscinfo>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews </refmeta>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <refnamediv>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <refname><application>dnssec-keygen</application></refname>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <refpurpose>DNSSEC key generation tool</refpurpose>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews </refnamediv>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <docinfo>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <copyright>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <year>2004</year>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <year>2005</year>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <year>2007</year>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <year>2008</year>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews </copyright>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <copyright>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <year>2000</year>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <year>2001</year>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <year>2002</year>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <year>2003</year>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <holder>Internet Software Consortium.</holder>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews </copyright>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews </docinfo>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <refsynopsisdiv>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <cmdsynopsis>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <command>dnssec-keygen</command>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-e</option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-h</option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-k</option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews <arg choice="req">name</arg>
08e36aa5a5c7697a839f83831fccf8fb3f792848Mark Andrews </cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>DESCRIPTION</title>
<para><command>dnssec-keygen</command>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
</para>
</refsect1>
<refsect1>
<title>OPTIONS</title>
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
These values are case insensitive.
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
mandatory.
</para>
<para>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
<listitem>
<para>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
between
512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
between 1 and 512 bits.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-e</term>
<listitem>
<para>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
<para>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-k</term>
<listitem>
<para>
Generate KEY records rather than DNSKEY records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
<listitem>
<para>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
<listitem>
<para>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
<listitem>
<para>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
<listitem>
<para>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>GENERATED KEYS</title>
<para>
When <command>dnssec-keygen</command> completes
successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key it has generated.
</para>
<itemizedlist>
<listitem>
<para><filename>nnnn</filename> is the key name.
</para>
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the
algorithm.
</para>
</listitem>
<listitem>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
</listitem>
</itemizedlist>
<para><command>dnssec-keygen</command>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
private
key.
</para>
<para>
The <filename>.key</filename> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</para>
<para>
The <filename>.private</filename> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</para>
<para>
Both <filename>.key</filename> and <filename>.private</filename>
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</para>
</refsect1>
<refsect1>
<title>EXAMPLE</title>
<para>
To generate a 768-bit DSA key for the domain
<userinput>example.com</userinput>, the following command would be
issued:
</para>
<para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
</para>
<para>
The command would print a string of the form:
</para>
<para><userinput>Kexample.com.+003+26160</userinput>
</para>
<para>
In this example, <command>dnssec-keygen</command> creates
the files <filename>Kexample.com.+003+26160.key</filename>
and
<filename>Kexample.com.+003+26160.private</filename>.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2535</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 2539</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->