dnssec-keygen.docbook revision f5d30e2864e048a42c4dc1134993ae7efdb5d6c3
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.0//EN"
 "http://www.oasis-open.org/docbook/xml/4.0/docbookx.dtd"
 [<!ENTITY mdash "—">]>
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-keygen.docbook,v 1.12 2005/05/13 01:35:39 marka Exp $ -->
<refentryinfo>
</refentryinfo>
<refentrytitle><application>dnssec-keygen</application></refentrytitle>
<refname><application>dnssec-keygen</application></refname>
<refpurpose>DNSSEC key generation tool</refpurpose>
</refnamediv>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
<holder>Internet Software Consortium.</holder>
<refsynopsisdiv>
<cmdsynopsis>
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
<arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC <TBA\>. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
Note 1: for DNSSEC, RSASHA1 is mandatory to implement
and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
Note 2: HMAC-MD5 and DH automatically set the -k flag.
</varlistentry>
<varlistentry>
<term>-b <replaceable class="parameter">keysize</replaceable></term>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
between 1 and 512 bits.
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
Specifies the owner type of the key. The value of
<option>nametype</option> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
These values are
case insensitive.
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</varlistentry>
<varlistentry>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</varlistentry>
<varlistentry>
Prints a short summary of the options and arguments to
</varlistentry>
<varlistentry>
Generate KEY records rather than DNSKEY records.
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</varlistentry>
<varlistentry>
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
Specifies the source of randomness. If the operating
system does not provide a <filename>/dev/random</filename>
or equivalent device, the default source of randomness
is keyboard input. <filename>randomdev</filename> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<filename>keyboard</filename> indicates that keyboard
input should be used.
</varlistentry>
<varlistentry>
<term>-s <replaceable class="parameter">strength</replaceable></term>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
</varlistentry>
</variablelist>
When <command>dnssec-keygen</command> completes
successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key it has generated. These strings can be used as arguments
<itemizedlist>
<para><filename>nnnn</filename> is the key name.
<para><filename>aaa</filename> is the numeric representation
<para><filename>iiiii</filename> is the key identifier (or
</itemizedlist>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
The <filename>.key</filename> file contains a DNS KEY record
can be inserted into a zone file (directly or with a $INCLUDE
The <filename>.private</filename> file contains algorithm
fields. For obvious security reasons, this file does not have
general read permission.
Both <filename>.key</filename> and <filename>.private</filename>
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
To generate a 768-bit DSA key for the domain
<userinput>example.com</userinput>, the following command would be
<para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
The command would print a string of the form:
<para><userinput>Kexample.com.+003+26160</userinput>
In this example, <command>dnssec-keygen</command> creates
the files <filename>Kexample.com.+003+26160.key</filename>
<filename>Kexample.com.+003+26160.private</filename>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<para><corpauthor>Internet Systems Consortium</corpauthor>
 - Local variables:
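As an added illustration (not part of the BIND manual or its code), the following POSIX shell snippet takes the identification string printed above, splits it into the key name, numeric algorithm and key identifier, derives the <filename>.key</filename> / <filename>.private</filename> file names, and checks that a <filename>.private</filename> file carries no group or world read bit as the manual requires. The function names and the sample identifier are ours; the algorithm-number mapping is from the IANA DNSSEC algorithm registry.

```shell
#!/bin/sh
# Added example, not BIND's own code: parse the Knnnn.+aaa+iiiii string that
# dnssec-keygen prints and verify the resulting .private file's permissions.

# keyid_parts ID -> prints "nnnn aaa iiiii"; returns 1 when ID is malformed.
keyid_parts() {
    case "$1" in
        K*.+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    rest=${1#K}
    tag=${rest##*+}          # iiiii: key identifier (footprint)
    rest=${rest%+*}
    alg=${rest##*+}          # aaa: numeric algorithm
    name=${rest%+*}          # nnnn: key name, trailing dot kept
    printf '%s %s %s\n' "$name" "$alg" "$tag"
}

# alg_name AAA -> mnemonic for the numeric algorithm field (IANA registry).
alg_name() {
    n=${1#"${1%%[!0]*}"}     # strip leading zeros: 003 -> 3
    case "${n:-0}" in
        1) echo RSAMD5 ;;  2) echo DH ;;  3) echo DSA ;;
        5) echo RSASHA1 ;;  157) echo HMAC-MD5 ;;
        *) echo "UNKNOWN($1)" ;;
    esac
}

# key_files ID -> prints "ID.key ID.private", the two files dnssec-keygen writes.
key_files() {
    keyid_parts "$1" >/dev/null || return 1
    printf '%s.key %s.private\n' "$1" "$1"
}

# private_file_ok PATH -> 0 when PATH has no group/other read bit, else 1.
# The manual says the .private file must not have general read permission.
private_file_ok() {
    perms=$(ls -ld "$1" | cut -c5-10)   # group and other permission bits
    case "$perms" in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# Demonstration on a constructed identifier and a scratch file.
id="Kexample.com.+003+26160"
keyid_parts "$id"                     # example.com. 003 26160
alg_name 003                          # DSA
key_files "$id"
tmp=$(mktemp) && chmod 600 "$tmp" && private_file_ok "$tmp" && echo "private file mode OK"
rm -f "$tmp"
```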