<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2005, 2007-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>

 <div class="refnamediv">
<h2>Name</h2>
<p>
 <span class="application">dnssec-keygen</span>
 &#8212; DNSSEC key generation tool
 </p>
</div>

 <div class="refsynopsisdiv">
<h2>Synopsis</h2>
 <div class="cmdsynopsis"><p>
 <code class="command">dnssec-keygen</code>
 [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
 [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
 [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
 [<code class="option">-3</code>]
 [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
 [<code class="option">-C</code>]
 [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
 [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
 [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
 [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
 [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
 [<code class="option">-G</code>]
 [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
 [<code class="option">-h</code>]
 [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
 [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
 [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
 [<code class="option">-k</code>]
 [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
 [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
 [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
 [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
 [<code class="option">-q</code>]
 [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
 [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
 [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
 [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
 [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
 [<code class="option">-V</code>]
 [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
 [<code class="option">-z</code>]
 {name}
 </p></div>
 </div>

 <div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

 <p><span class="command"><strong>dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
 (Transaction Key) as defined in RFC 2930.
 </p>
 <p>
 The <code class="option">name</code> of the key is specified on the command
 line. For DNSSEC keys, this must match the name of the zone for
 which the key is being generated.
 </p>
 </div>

 <div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>

 <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
 <p>
 Selects the cryptographic algorithm. For DNSSEC keys, the value
 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
 For TSIG/TKEY, the value must
 be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
 HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
 case insensitive.
 </p>
 <p>
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 </p>
 <p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 mandatory.
 </p>
 <p>
 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 automatically set the <code class="option">-T KEY</code> option.
 </p>
 </dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
 <p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits. Elliptic curve algorithms don't need
 this parameter.
 </p>
 <p>
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with the <code class="option">-a</code> option,
 then there is no default key size, and <code class="option">-b</code>
 must be used.
 </p>
 </dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
 <p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
 generation.
 </p>
 </dd>
<dt><span class="term">-3</span></dt>
<dd>
 <p>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default. Note that the RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
 algorithms are NSEC3-capable.
 </p>
 </dd>
<dt><span class="term">-C</span></dt>
<dd>
 <p>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
 </p>
 </dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
 <p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
 </p>
 </dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
 <p>
 Specifies the cryptographic hardware to use, when applicable.
 </p>
 <p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware security
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 </p>
 </dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd>
 <p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
 </p>
 </dd>
<dt><span class="term">-G</span></dt>
<dd>
 <p>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with <code class="option">-P</code> and <code class="option">-A</code>.
 </p>
 </dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd>
 <p>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
 </p>
 </dd>
<dt><span class="term">-h</span></dt>
<dd>
 <p>
 Prints a short summary of the options and arguments to
 <span class="command"><strong>dnssec-keygen</strong></span>.
 </p>
 </dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
 <p>
 Sets the directory in which the key files are to be written.
 </p>
 </dd>
<dt><span class="term">-k</span></dt>
<dd>
 <p>
 Deprecated in favor of <code class="option">-T KEY</code>.
 </p>
 </dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
 <p>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. If this value is not set and there
 is no existing DNSKEY RRset, the TTL will default to the
 SOA TTL. Setting the default TTL to <code class="literal">0</code>
 or <code class="literal">none</code> is the same as leaving it unset.
 </p>
 </dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
 <p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
 </p>
 </dd>
<dt><span class="term">-q</span></dt>
<dd>
 <p>
 Quiet mode: suppresses unnecessary output, including
 progress indication. Without this option, when
 <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
 to generate an RSA or DSA key pair, it will print a string
 of symbols to <code class="filename">stderr</code> indicating the
 progress of the key generation. A '.' indicates that a
 random number has been found which passed an initial
 sieve test; '+' means a number has passed a single
 round of the Miller-Rabin primality test; a space
 means that the number has passed all the tests and is
 a satisfactory key.
 </p>
 </dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd>
 <p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
 </p>
 </dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd>
 <p>
 Create a new key which is an explicit successor to an
 existing key. The name, algorithm, size, and type of the
 key will be set to match the existing key. The activation
 date of the new key will be set to the inactivation date of
 the existing one. The publication date will be set to the
 activation date minus the prepublication interval, which
 defaults to 30 days.
 </p>
 </dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd>
 <p>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
 </p>
 </dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
 <p>
 Specifies the resource record type to use for the key.
 <code class="option">rrtype</code> must be either DNSKEY or KEY. The
 default is DNSKEY when using a DNSSEC algorithm, but it can be
 overridden to KEY for use with SIG(0).
 </p>
<p>
 Using any TSIG algorithm (HMAC-* or DH) forces this option
 to KEY.
 </p>
 </dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
 <p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
 </p>
 </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
 <p>
 Sets the debugging level.
 </p>
 </dd>
<dt><span class="term">-V</span></dt>
<dd>
 <p>
 Prints version information.
 </p>
 </dd>
</dl></div>
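<p>
 The interplay of <code class="option">-a</code>, <code class="option">-b</code> and
 <code class="option">-3</code> described above (the default algorithm with and without
 <code class="option">-3</code>, the NSEC3 compatibility check, the per-algorithm
 key-size limits, the 1024/2048-bit defaults that apply only when no algorithm is
 given, and the TSIG algorithms forcing <code class="option">-T KEY</code>) is easy to
 get wrong when reviewing a key-generation script. The following Python is an added
 example written for this page, not code from BIND or dnssec-keygen; it models those
 documented rules as a validator. The function names and the choice to exempt the
 elliptic-curve algorithms from the "<code class="option">-b</code> must be used" rule
 (since the text says they take no size parameter) are this example's own assumptions.
</p>

```python
"""Validator for the documented -a / -b / -3 rules of dnssec-keygen.

Added example for this man page; it is not BIND's own code. The names
resolve_options / check_keysize / rejected are this example's own.
"""

# Algorithm families as listed under -a.
RSA_ALGS = {"RSAMD5", "RSASHA1", "NSEC3RSASHA1", "RSASHA256", "RSASHA512"}
DSA_ALGS = {"DSA", "NSEC3DSA"}
EC_ALGS = {"ECCGOST", "ECDSAP256SHA256", "ECDSAP384SHA384", "ED25519", "ED448"}
HMAC_ALGS = {"HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224",
             "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512"}
DNSSEC_ALGS = RSA_ALGS | DSA_ALGS | EC_ALGS
TSIG_ALGS = HMAC_ALGS | {"DH"}

# Algorithms the -3 text names as NSEC3-capable, plus the two NSEC3-* ones.
NSEC3_CAPABLE = {"NSEC3RSASHA1", "NSEC3DSA", "RSASHA256", "RSASHA512"} | EC_ALGS

# Key-size limits from the -b text: (min bits, max bits, required multiple).
SIZE_LIMITS = {
    **{a: (512, 2048, 1) for a in RSA_ALGS},
    **{a: (512, 1024, 64) for a in DSA_ALGS},
    **{a: (1, 512, 1) for a in HMAC_ALGS},
    "DH": (128, 4096, 1),
}


def check_keysize(alg, bits):
    """Return the accepted size, or None for algorithms that take no -b."""
    if alg in EC_ALGS:
        return None  # elliptic-curve algorithms don't need this parameter
    lo, hi, mult = SIZE_LIMITS[alg]
    if not lo <= bits <= hi:
        raise ValueError(f"{alg}: key size {bits} not in {lo}..{hi} bits")
    if bits % mult:
        raise ValueError(f"{alg}: key size {bits} is not a multiple of {mult}")
    return bits


def resolve_options(algorithm=None, keysize=None, nsec3=False, ksk=False):
    """Apply the -a/-b/-3 defaults and checks; return the effective settings.

    algorithm: the -a value or None; keysize: the -b value or None;
    nsec3: whether -3 was given; ksk: whether -f KSK was given.
    """
    if algorithm is None:
        # No -a: RSASHA1, or NSEC3RSASHA1 with -3, and a default key size.
        alg = "NSEC3RSASHA1" if nsec3 else "RSASHA1"
        if keysize is None:
            keysize = 2048 if ksk else 1024
    else:
        alg = algorithm.upper()  # algorithm names are case insensitive
        if alg not in DNSSEC_ALGS | TSIG_ALGS:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        if nsec3 and alg not in NSEC3_CAPABLE:
            raise ValueError(f"{alg} is not NSEC3-capable; drop -3 or pick another")
        if keysize is None and alg not in EC_ALGS:
            # An explicit -a means there is no default size, so -b is required.
            raise ValueError(f"-b is required when -a {alg} is given")
    # DH and HMAC-* automatically select -T KEY (Note 2 under -a).
    rrtype = "KEY" if alg in TSIG_ALGS else "DNSKEY"
    bits = check_keysize(alg, keysize) if keysize is not None else None
    return {"algorithm": alg, "keysize": bits, "rrtype": rrtype}


def rejected(**kwargs):
    """True when resolve_options refuses the option combination."""
    try:
        resolve_options(**kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cases = ({}, {"nsec3": True, "ksk": True},
             {"algorithm": "hmac-sha256", "keysize": 256},
             {"algorithm": "RSASHA1", "nsec3": True},
             {"algorithm": "DSA", "keysize": 1000})
    for kw in cases:
        try:
            print(kw, "->", resolve_options(**kw))
        except ValueError as err:
            print(kw, "-> rejected:", err)
```

<p>
 Running the block prints the effective algorithm, size and record type for each
 combination, and the reason a combination is refused; the same checks can be run
 against the flags in a signing script before any key material is written.
</p>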
 </div>

 <div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>

 <p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To explicitly prevent a date from being
 set, use 'none' or 'never'.
 </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="variablelist"><dl class="variablelist">
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User Sets the date on which a key is to be published to the zone.
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User After that date, the key will be included in the zone but will
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User not be used to sign it. If not set, and if the -G option has
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User not been used, the default is "now".
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User Sets the date on which CDS and CDNSKEY records that match this
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User key are to be published to the zone.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User Sets the date on which the key is to be activated. After that
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User date, the key will be included in the zone and used to sign
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User it. If not set, and if the -G option has not been used, the
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User default is "now". If set, and if -P is not set, then
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User the publication date will be set to the activation date
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User minus the prepublication interval.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User Sets the date on which the key is to be revoked. After that
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User date, the key will be flagged as revoked. It will be included
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User in the zone and will be used to sign it.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User Sets the date on which the key is to be retired. After that
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User date, the key will still be included in the zone, but it
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User will not be used to sign it.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User Sets the date on which the key is to be deleted. After that
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User date, the key will no longer be included in the zone. (It
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User may remain in the key repository, however.)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User Sets the date on which the CDS and CDNSKEY records that match this
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User key are to be deleted.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater Sets the prepublication interval for a key. If set, then
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater the publication and activation dates must be separated by at least
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater this much time. If the activation date is specified but the
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater publication date isn't, then the publication date will default
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater to this much time before the activation date; conversely, if
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater the publication date is specified but activation date isn't,
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater then activation will be set to this much time after publication.
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater If the key is being created as an explicit successor to another
9d557856c2a19ec95ee73245f60a92f8675cf5baTinderbox User key, then the default prepublication interval is 30 days;
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater otherwise it is zero.
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater As with date offsets, if the argument is followed by one of
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater interval is measured in years, months, weeks, days, hours,
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater or minutes, respectively. Without a suffix, the interval is
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater measured in seconds.
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </dd>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater</dl></div>
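<p>As an added example (not BIND's code), the following Python implements the date/offset and interval syntax above together with the -P/-A/-i defaulting rules; the function and variable names are its own, and the 30-day default for explicit successor keys is left out.</p>

```python
# Added example (not BIND's code): parse dnssec-keygen style date/offset and
# interval arguments and apply the -P/-A/-i defaults described above.
import re
from datetime import datetime, timedelta
from typing import Optional

# Suffix lengths in seconds as the page defines them (1y = 365 days, 1mo = 30 days)
_UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
          "d": 86400, "h": 3600, "mi": 60}
_INTERVAL_RE = re.compile(r"^(\d+)(y|mo|w|d|h|mi)?$")


def parse_interval(arg: str) -> timedelta:
    """Digits plus an optional unit suffix; without a suffix the value is seconds."""
    m = _INTERVAL_RE.match(arg)
    if not m:
        raise ValueError(f"bad interval: {arg!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS.get(m.group(2), 1))


def parse_date(arg: str, now: datetime) -> Optional[datetime]:
    """YYYYMMDD, YYYYMMDDHHMMSS, a +/- offset from `now`, or none/never
    (returned as None: the date is explicitly left unset)."""
    if arg.lower() in ("none", "never"):
        return None
    if arg[:1] in ("+", "-"):
        delta = parse_interval(arg[1:])
        return now + delta if arg[0] == "+" else now - delta
    for fmt in ("%Y%m%d%H%M%S", "%Y%m%d"):
        try:
            return datetime.strptime(arg, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad date/offset: {arg!r}")


def resolve_publish_activate(now, publish_arg=None, activate_arg=None,
                             interval_arg=None, generate_only=False):
    """Apply the -P/-A/-i rules. Each *_arg is the literal option value, or None
    when the option was not given; generate_only stands for -G. The 30-day
    successor default for -i is out of scope here: without -i it is zero."""
    interval = parse_interval(interval_arg) if interval_arg else timedelta(0)
    publish = parse_date(publish_arg, now) if publish_arg else None
    activate = parse_date(activate_arg, now) if activate_arg else None
    if activate_arg and not publish_arg:      # -A given, -P derived from it
        publish = None if activate is None else activate - interval
    elif publish_arg and not activate_arg:    # -P given, -A derived from it
        activate = None if publish is None else publish + interval
    elif not publish_arg and not activate_arg and not generate_only:
        publish = activate = now              # neither given, no -G: "now"
    if publish is not None and activate is not None and activate - publish < interval:
        raise ValueError(f"-P and -A must be at least {interval} apart")
    return publish, activate
```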
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="refsection">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id-1.10"></a><h2>GENERATED KEYS</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User When <span class="command"><strong>dnssec-keygen</strong></span> completes
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein successfully,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the standard output. This is an identification string for
90153b6536f7a5078e1c157c980110dbcd7fe205Mark Andrews the key it has generated.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p><code class="filename">nnnn</code> is the key name.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p><code class="filename">aaa</code> is the numeric representation
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User of the
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User algorithm.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p><code class="filename">iiiii</code> is the key identifier (or
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User footprint).
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </li>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</ul></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p><span class="command"><strong>dnssec-keygen</strong></span>
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews creates two files, with names based
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein contains the public key, and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein private
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="filename">.key</code> file contains a DNS KEY record
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can be inserted into a zone file (directly or with a $INCLUDE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein statement).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews The <code class="filename">.private</code> file contains
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews algorithm-specific
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein fields. For obvious security reasons, this file does not have
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein general read permission.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Both <code class="filename">.key</code> and <code class="filename">.private</code>
e76f11373900958f6f248d286079d4a525db4f4eTinderbox User files are generated for symmetric cryptography algorithms such as
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein HMAC-MD5, even though the public and private key are equivalent.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="refsection">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id-1.11"></a><h2>EXAMPLE</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To generate a 768-bit DSA key for the domain
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <strong class="userinput"><code>example.com</code></strong>, the following command would be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein issued:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The command would print a string of the form:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the files <code class="filename">Kexample.com.+003+26160.key</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews <code class="filename">Kexample.com.+003+26160.private</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
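<p>As an added example (not BIND's code), the following Python parses an identification string such as the one above, derives the two filenames, and checks that the footprint matches the RFC 4034 key tag of the DNSKEY record in a .key file; the sample .key contents and their four-byte public key are constructed for illustration, not a real key.</p>

```python
# Added example (not BIND's code): parse the Knnnn.+aaa+iiiii id, derive the
# filenames, and check the footprint against the RFC 4034 key tag of the DNSKEY.
import base64
import re
from typing import NamedTuple

_KEYID_RE = re.compile(r"^K(?P<name>.+\.)\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


class KeyId(NamedTuple):
    name: str        # nnnn: the key (zone) name, with its trailing dot
    algorithm: int   # aaa: numeric DNSSEC algorithm
    keytag: int      # iiiii: key identifier (footprint)

    @property
    def key_file(self) -> str:
        return f"K{self.name}+{self.algorithm:03d}+{self.keytag:05d}.key"

    @property
    def private_file(self) -> str:
        return self.key_file[:-4] + ".private"


def parse_keyid(s: str) -> KeyId:
    m = _KEYID_RE.match(s.strip())
    if not m:
        raise ValueError(f"not a dnssec-keygen key id: {s!r}")
    return KeyId(m["name"], int(m["alg"]), int(m["tag"]))


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1, RSA/MD5,
    uses a different rule and is rejected here)."""
    if algorithm == 1:
        raise ValueError("RSA/MD5 key tags are not computed by this example")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str):
    """'<owner> [TTL] [IN] DNSKEY <flags> <proto> <alg> <base64>' -> tuple."""
    f = line.split()
    i = next(k for k, tok in enumerate(f) if tok in ("DNSKEY", "KEY"))
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))


def check_key_file(keyid_str: str, key_file_text: str) -> bool:
    """True when the .key record matches the name, algorithm and footprint in the id."""
    kid = parse_keyid(keyid_str)
    for line in key_file_text.splitlines():
        if line.startswith(";") or not line.strip():
            continue  # skip comment and blank lines
        owner, flags, proto, alg, pub = parse_dnskey_line(line)
        return (owner == kid.name and alg == kid.algorithm
                and key_tag(flags, proto, alg, pub) == kid.keytag)
    raise ValueError("no DNSKEY record in key file")


# Constructed sample .key contents (placeholder 4-byte key, tag 2062 -> Kexample.com.+008+02062)
SAMPLE_KEY_FILE = ("; constructed sample, not a real key\n"
                   "example.com. IN DNSKEY 256 3 8 AQIDBA==\n")
```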
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="refsection">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id-1.12"></a><h2>SEE ALSO</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p><span class="citerefentry">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <span class="refentrytitle">dnssec-signzone</span>(8)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
c6c78f699b55b3344fb6b17ddc854cbae4610468Automatic Updater <em class="citetitle">RFC 2539</em>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="citetitle">RFC 2845</em>,
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater <em class="citetitle">RFC 4034</em>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div></body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>