<!--
 - Copyright (C) 2000, 2001 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
 - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
 - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
 - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
 - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
 - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
 - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->
<HTML
><HEAD
><TITLE
>dnssec-keygen</TITLE
><META
NAME="GENERATOR"
CONTENT="Modular DocBook HTML Stylesheet Version 1.73
"></HEAD
><BODY
CLASS="REFENTRY"
BGCOLOR="#FFFFFF"
TEXT="#000000"
LINK="#0000FF"
VLINK="#840084"
ALINK="#0000FF"
><H1
><A
NAME="AEN1"
><SPAN
CLASS="APPLICATION"
>dnssec-keygen</SPAN
></A
></H1
><DIV
CLASS="REFNAMEDIV"
><A
NAME="AEN9"
></A
><H2
>Name</H2
><SPAN
CLASS="APPLICATION"
>dnssec-keygen</SPAN
>&nbsp;--&nbsp;DNSSEC key generation tool</DIV
><DIV
CLASS="REFSYNOPSISDIV"
><A
NAME="AEN13"
></A
><H2
>Synopsis</H2
><P
><B
CLASS="COMMAND"
>dnssec-keygen</B
> {-a <TT
CLASS="REPLACEABLE"
><I
>algorithm</I
></TT
>} {-b <TT
CLASS="REPLACEABLE"
><I
>keysize</I
></TT
>} {-n <TT
CLASS="REPLACEABLE"
><I
>nametype</I
></TT
>} [<TT
CLASS="OPTION"
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-e</TT
>] [<TT
CLASS="OPTION"
>-f <TT
CLASS="REPLACEABLE"
><I
>flag</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-g <TT
CLASS="REPLACEABLE"
><I
>generator</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-h</TT
>] [<TT
CLASS="OPTION"
>-p <TT
CLASS="REPLACEABLE"
><I
>protocol</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-s <TT
CLASS="REPLACEABLE"
><I
>strength</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-t <TT
CLASS="REPLACEABLE"
><I
>type</I
></TT
></TT
>] [<TT
CLASS="OPTION"
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></TT
>] {name}</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN51"
></A
><H2
>DESCRIPTION</H2
><P
> <B
CLASS="COMMAND"
>dnssec-keygen</B
> generates keys for DNSSEC
 (Secure DNS), as defined in RFC 2535. It can also generate
 keys for use with TSIG (Transaction Signatures), as
 defined in RFC 2845.
 </P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN55"
></A
><H2
>OPTIONS</H2
><P
></P
><DIV
CLASS="VARIABLELIST"
><DL
><DT
>-a <TT
CLASS="REPLACEABLE"
><I
>algorithm</I
></TT
></DT
><DD
><P
> Selects the cryptographic algorithm. The value of
 <TT
CLASS="OPTION"
>algorithm</TT
> must be one of RSAMD5 or RSA,
 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
 are case insensitive.
 </P
><P
> Note that for DNSSEC, DSA is a mandatory-to-implement algorithm,
 and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
 </P
></DD
><DT
>-b <TT
CLASS="REPLACEABLE"
><I
>keysize</I
></TT
></DT
><DD
><P
> Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be between
 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
 </P
></DD
><DT
>-n <TT
CLASS="REPLACEABLE"
><I
>nametype</I
></TT
></DT
><DD
><P
> Specifies the owner type of the key. The value of
 <TT
CLASS="OPTION"
>nametype</TT
> must either be ZONE (for a DNSSEC
 zone key), HOST or ENTITY (for a key associated with a host),
 or USER (for a key associated with a user). These values are
 case insensitive.
 </P
></DD
><DT
>-c <TT
CLASS="REPLACEABLE"
><I
>class</I
></TT
></DT
><DD
><P
> Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
 </P
></DD
><DT
>-e</DT
><DD
><P
> If generating an RSA key, use a large exponent.
</P
></DD
><DT
>-f <TT
CLASS="REPLACEABLE"
><I
>flag</I
></TT
></DT
><DD
><P
> Set the specified flag in the flag field of the key record.
The only recognized flag is KSK (Key Signing Key).
</P
></DD
><DT
>-g <TT
CLASS="REPLACEABLE"
><I
>generator</I
></TT
></DT
><DD
><P
> If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</P
></DD
><DT
>-h</DT
><DD
><P
> Prints a short summary of the options and arguments to
<B
CLASS="COMMAND"
>dnssec-keygen</B
>.
</P
></DD
><DT
>-p <TT
CLASS="REPLACEABLE"
><I
>protocol</I
></TT
></DT
><DD
><P
> Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</P
></DD
><DT
>-r <TT
CLASS="REPLACEABLE"
><I
>randomdev</I
></TT
></DT
><DD
><P
> Specifies the source of randomness. If the operating
system does not provide a <TT
CLASS="FILENAME"
>/dev/random</TT
>
or equivalent device, the default source of randomness
is keyboard input. <TT
CLASS="FILENAME"
>randomdev</TT
> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<TT
CLASS="FILENAME"
>keyboard</TT
> indicates that keyboard
input should be used.
</P
></DD
><DT
>-s <TT
CLASS="REPLACEABLE"
><I
>strength</I
></TT
></DT
><DD
><P
> Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</P
></DD
><DT
>-t <TT
CLASS="REPLACEABLE"
><I
>type</I
></TT
></DT
><DD
><P
> Indicates the use of the key. <TT
CLASS="OPTION"
>type</TT
> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</P
></DD
><DT
>-v <TT
CLASS="REPLACEABLE"
><I
>level</I
></TT
></DT
><DD
><P
> Sets the debugging level.
</P
></DD
></DL
></DIV
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN129"
></A
><H2
>GENERATED KEYS</H2
><P
> When <B
CLASS="COMMAND"
>dnssec-keygen</B
> completes successfully,
it prints a string of the form <TT
CLASS="FILENAME"
>Knnnn.+aaa+iiiii</TT
>
to the standard output. This is an identification string for
the key it has generated. These strings can be used as arguments
to <B
CLASS="COMMAND"
>dnssec-makekeyset</B
>.
</P
><P
></P
><UL
><LI
><P
> <TT
CLASS="FILENAME"
>nnnn</TT
> is the key name.
</P
></LI
><LI
><P
> <TT
CLASS="FILENAME"
>aaa</TT
> is the numeric representation of the
algorithm.
</P
></LI
><LI
><P
> <TT
CLASS="FILENAME"
>iiiii</TT
> is the key identifier (or footprint).
</P
></LI
></UL
><P
> <B
CLASS="COMMAND"
>dnssec-keygen</B
> creates two files, with names based
on the printed string. <TT
CLASS="FILENAME"
>Knnnn.+aaa+iiiii.key</TT
>
contains the public key, and
<TT
CLASS="FILENAME"
>Knnnn.+aaa+iiiii.private</TT
> contains the private
key.
</P
><P
> The <TT
CLASS="FILENAME"
>.key</TT
> file contains a DNS KEY record that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</P
><P
> The <TT
CLASS="FILENAME"
>.private</TT
> file contains algorithm-specific
fields. Because it holds the private key, this file does not have
general read permission.
</P
><P
> Both <TT
CLASS="FILENAME"
>.key</TT
> and <TT
CLASS="FILENAME"
>.private</TT
>
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN156"
></A
><H2
>EXAMPLE</H2
><P
> To generate a 768-bit DSA key for the domain
<TT
CLASS="USERINPUT"
><B
>example.com</B
></TT
>, the following command would be
issued:
</P
><P
> <TT
CLASS="USERINPUT"
><B
>dnssec-keygen -a DSA -b 768 -n ZONE example.com</B
></TT
>
</P
><P
> The command would print a string of the form:
</P
><P
> <TT
CLASS="USERINPUT"
><B
>Kexample.com.+003+26160</B
></TT
>
</P
><P
> In this example, <B
CLASS="COMMAND"
>dnssec-keygen</B
> creates
the files <TT
CLASS="FILENAME"
>Kexample.com.+003+26160.key</TT
> and
<TT
CLASS="FILENAME"
>Kexample.com.+003+26160.private</TT
>
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN169"
></A
><H2
>SEE ALSO</H2
><P
> <SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-makekeyset</SPAN
>(8)</SPAN
>,
<SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signkey</SPAN
>(8)</SPAN
>,
<SPAN
CLASS="CITEREFENTRY"
><SPAN
CLASS="REFENTRYTITLE"
>dnssec-signzone</SPAN
>(8)</SPAN
>,
<I
CLASS="CITETITLE"
>BIND 9 Administrator Reference Manual</I
>,
<I
CLASS="CITETITLE"
>RFC 2535</I
>,
<I
CLASS="CITETITLE"
>RFC 2845</I
>,
<I
CLASS="CITETITLE"
>RFC 2539</I
>.
</P
></DIV
><DIV
CLASS="REFSECT1"
><A
NAME="AEN185"
></A
><H2
>AUTHOR</H2
><P
> Internet Software Consortium
</P
></DIV
></BODY
></HTML
>
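An added example, not part of the original manual page or of ISC's code: a Python audit of a key directory that parses the `Knnnn.+aaa+iiiii` names described under GENERATED KEYS and reports secret-bearing files that group or other can access. That always means `.private`, and for HMAC-MD5 also `.key`, since both hold the same secret. The function names and sample file names are assumptions; algorithm numbers other than 003 are the standard DNS values, not taken from this page.

```python
import os
import re
import stat

# "aaa" values: 003 (DSA) is the one shown on the page; the rest are the
# standard DNS algorithm numbers for the algorithms the page lists.
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 157: "HMAC-MD5"}
SYMMETRIC = {157}  # .key and .private hold the same secret
KEY_ID = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def parse_key_id(key_id):
    """Split 'Knnnn.+aaa+iiiii' into (key name, algorithm number, key identifier)."""
    m = KEY_ID.match(key_id)
    if m is None:
        raise ValueError("not a dnssec-keygen identification string: %r" % key_id)
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def audit_key(directory, key_id):
    """Return findings for one key's file pair; an empty list means clean."""
    _, alg, _ = parse_key_id(key_id)
    findings = []
    if alg not in ALGORITHMS:
        findings.append("unrecognised algorithm number %03d" % alg)
    # Files holding secret material: always .private, and also .key when the
    # algorithm is symmetric.
    secret = {".private"} | ({".key"} if alg in SYMMETRIC else set())
    for suffix in (".key", ".private"):
        path = os.path.join(directory, key_id + suffix)
        if not os.path.isfile(path):
            findings.append("%s file is missing" % suffix)
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if suffix in secret and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s file is open to group/other (mode %04o)" % (suffix, mode))
    return findings


def audit_directory(directory):
    """Audit every key that has a .key or .private file in `directory`."""
    key_ids = set()
    for entry in os.listdir(directory):
        base, ext = os.path.splitext(entry)
        if ext in (".key", ".private") and KEY_ID.match(base):
            key_ids.add(base)
    return {key_id: audit_key(directory, key_id) for key_id in sorted(key_ids)}


if __name__ == "__main__":
    import tempfile

    # Constructed sample: empty stand-in files named like dnssec-keygen output.
    with tempfile.TemporaryDirectory() as d:
        for fname, mode in [("Kexample.com.+003+26160.key", 0o644),
                            ("Kexample.com.+003+26160.private", 0o644),
                            ("Ktsig-key.+157+01234.key", 0o644),
                            ("Ktsig-key.+157+01234.private", 0o600)]:
            path = os.path.join(d, fname)
            open(path, "w").close()
            os.chmod(path, mode)
        for key_id, findings in audit_directory(d).items():
            print(key_id, findings or "ok")
```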