dnssec-keygen.docbook revision 6098d364b690cb9dabf96e9664c4689c8559bd2e
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt [<!ENTITY mdash "—">]>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - Copyright (C) 2000-2003 Internet Software Consortium.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - Permission to use, copy, modify, and/or distribute this software for any
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - purpose with or without fee is hereby granted, provided that the above
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - copyright notice and this permission notice appear in all copies.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - PERFORMANCE OF THIS SOFTWARE.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<!-- $Id: dnssec-keygen.docbook,v 1.20 2008/09/24 02:46:21 marka Exp $ -->
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <refentryinfo>
4a53e3c2b83c476a93148eaee0272649beb221caMark Andrews </refentryinfo>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <refentrytitle><application>dnssec-keygen</application></refentrytitle>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <refnamediv>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <refname><application>dnssec-keygen</application></refname>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <refpurpose>DNSSEC key generation tool</refpurpose>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </refnamediv>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
4a53e3c2b83c476a93148eaee0272649beb221caMark Andrews </copyright>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </copyright>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <refsynopsisdiv>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <cmdsynopsis>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
4a53e3c2b83c476a93148eaee0272649beb221caMark Andrews <arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
4a53e3c2b83c476a93148eaee0272649beb221caMark Andrews </cmdsynopsis>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </refsynopsisdiv>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt and RFC 4034. It can also generate keys for use with
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt TSIG (Transaction Signatures), as defined in RFC 2845.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <variablelist>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <term>-a <replaceable class="parameter">algorithm</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Selects the cryptographic algorithm. The value of
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt These values are case insensitive.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Note 2: HMAC-MD5 and DH automatically set the -k flag.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <term>-b <replaceable class="parameter">keysize</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Specifies the number of bits in the key. The choice of key
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt between 512 and 2048 bits. Diffie Hellman keys must be between
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt 128 and 4096 bits. DSA keys must be between 512 and 1024
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt bits and an exact multiple of 64. HMAC-MD5 keys must be
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt between 1 and 512 bits.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <term>-n <replaceable class="parameter">nametype</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Specifies the owner type of the key. The value of
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <option>nametype</option> must either be ZONE (for a DNSSEC
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt a host (KEY)),
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt These values are case insensitive. Defaults to ZONE for DNSKEY
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <term>-c <replaceable class="parameter">class</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Indicates that the DNS record containing the key should have
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt the specified class. If not specified, class IN is used.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt If generating an RSAMD5/RSASHA1 key, use a large exponent.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <term>-f <replaceable class="parameter">flag</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Set the specified flag in the flag field of the KEY/DNSKEY record.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt The only recognized flag is KSK (Key Signing Key), which applies to DNSKEY records.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <term>-g <replaceable class="parameter">generator</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt If generating a Diffie Hellman key, use this generator.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Allowed values are 2 and 5. If no generator
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt is specified, a known prime from RFC 2539 will be used
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt if possible; otherwise the default is 2.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Prints a short summary of the options and arguments to
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Generate KEY records rather than DNSKEY records.
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt </varlistentry>
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt <varlistentry>
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt <term>-p <replaceable class="parameter">protocol</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Sets the protocol value for the generated key. The protocol
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt is a number between 0 and 255. The default is 3 (DNSSEC).
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Other possible values for this argument are listed in
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt RFC 2535 and its successors.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt <term>-r <replaceable class="parameter">randomdev</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Specifies the source of randomness. If the operating
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt system does not provide a <filename>/dev/random</filename>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt or equivalent device, the default source of randomness
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt the name of a character device or file containing random
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt data to be used instead of the default. The special value
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <filename>keyboard</filename> indicates that keyboard
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt input should be used.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <term>-s <replaceable class="parameter">strength</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Specifies the strength value of the key. The strength is
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt a number between 0 and 15, and currently has no defined
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt purpose in DNSSEC.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt <varlistentry>
a747113422afaa29ce72d2c5ba7f0b7ea9ec2054Evan Hunt <term>-t <replaceable class="parameter">type</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Indicates the use of the key. <option>type</option> must be
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt is AUTHCONF. AUTH refers to the ability to authenticate
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt data, and CONF the ability to encrypt data.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <term>-v <replaceable class="parameter">level</replaceable></term>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Sets the debugging level.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </varlistentry>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </variablelist>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt successfully,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt to the standard output. This is an identification string for
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt the key it has generated.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <itemizedlist>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <para><filename>aaa</filename> is the numeric representation
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <para><filename>iiiii</filename> is the key identifier (or
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </itemizedlist>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt creates two files, with names based
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt contains the public key, and
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <filename>Knnnn.+aaa+iiiii.private</filename> contains the
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt The <filename>.key</filename> file contains a DNS KEY record
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt can be inserted into a zone file (directly or with a $INCLUDE
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt algorithm-specific
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt fields. For obvious security reasons, this file does not have
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt general read permission.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Both <filename>.key</filename> and <filename>.private</filename>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt files are generated for symmetric-key algorithms such as
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt HMAC-MD5, even though the public and private keys are equivalent;
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt for such keys the <filename>.key</filename> file therefore also holds secret material and must not be published like a DNSKEY.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt To generate a 768-bit DSA key for the domain
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <userinput>example.com</userinput>, the following command would be
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt The command would print a string of the form:
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <para><userinput>Kexample.com.+003+26160</userinput>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt In this example, <command>dnssec-keygen</command> creates
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt the files <filename>Kexample.com.+003+26160.key</filename>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <filename>Kexample.com.+003+26160.private</filename>.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt </citerefentry>,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <para><corpauthor>Internet Systems Consortium</corpauthor>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - Local variables:
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - mode: sgml