dnssec-keygen.html revision 5a4557e8de2951a2796676b5ec4b6a90caa5be14
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.html,v 1.21 2005/07/19 06:12:15 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC <TBA\>. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
 are case insensitive.
 Note 1: For DNSSEC, RSASHA1 is mandatory to implement
 and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are
 case insensitive.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-e</span></dt>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key) DNSKEY.
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-k</span></dt>
 Generate KEY records rather than DNSKEY records.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
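<p>The following is an added example, not code from BIND or from this manual page. It turns the constraints documented above for <code class="option">-a</code>, <code class="option">-b</code> and <code class="option">-n</code> (accepted algorithm names, the key-size range per algorithm, the multiple-of-64 rule for DSA, the owner types, and the <code class="option">-k</code> flag implied by HMAC-MD5 and DH) into a pre-flight check that a wrapper script can run before invoking the tool, so that a bad combination is rejected with a clear message instead of at key-generation time. The function names <code>check_keygen_args</code>, <code>build_command</code> and <code>first_violation</code> are this example's own.</p>

```python
"""Pre-flight checks for dnssec-keygen arguments.

Added example, not part of BIND: encodes the constraints the option
descriptions document so a wrapper can reject a bad combination early.
"""

# Documented key-size limits per algorithm: (min_bits, max_bits, multiple_of)
KEYSIZE_LIMITS = {
    "RSAMD5": (512, 2048, 1),
    "RSASHA1": (512, 2048, 1),
    "DH": (128, 4096, 1),
    "DSA": (512, 1024, 64),
    "HMAC-MD5": (1, 512, 1),
}

# Owner types accepted by -n (matched case-insensitively)
NAMETYPES = {"ZONE", "HOST", "ENTITY", "USER", "OTHER"}

# Algorithms for which dnssec-keygen sets -k (KEY records) by itself
KEY_ONLY_ALGORITHMS = {"HMAC-MD5", "DH"}


def check_keygen_args(algorithm, keysize, nametype, key_record=False):
    """Return (algorithm, keysize, nametype, key_record) normalised to upper
    case, or raise ValueError naming the first documented constraint violated."""
    alg = algorithm.upper()
    if alg not in KEYSIZE_LIMITS:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    lo, hi, mult = KEYSIZE_LIMITS[alg]
    if not lo <= keysize <= hi:
        raise ValueError(f"{alg} key size {keysize} is not between {lo} and {hi} bits")
    if keysize % mult:
        raise ValueError(f"{alg} key size {keysize} is not a multiple of {mult}")
    ntype = nametype.upper()
    if ntype not in NAMETYPES:
        raise ValueError(f"unknown nametype {nametype!r}")
    # HMAC-MD5 and DH keys only exist as KEY records, so -k is implied
    return alg, keysize, ntype, key_record or alg in KEY_ONLY_ALGORITHMS


def first_violation(algorithm, keysize, nametype):
    """Return the message for the first violated constraint, or None if acceptable."""
    try:
        check_keygen_args(algorithm, keysize, nametype)
    except ValueError as exc:
        return str(exc)
    return None


def build_command(algorithm, keysize, nametype, name, key_record=False):
    """Return the argv list for dnssec-keygen once the arguments pass the checks."""
    alg, bits, ntype, k = check_keygen_args(algorithm, keysize, nametype, key_record)
    argv = ["dnssec-keygen", "-a", alg, "-b", str(bits), "-n", ntype]
    if k:
        argv.append("-k")
    argv.append(name)
    return argv


if __name__ == "__main__":
    # The manual page's own example: a 768-bit DSA zone key for example.com
    print(" ".join(build_command("DSA", 768, "ZONE", "example.com")))
    print(first_violation("DSA", 1000, "ZONE"))
```

<p>Argument names are upper-cased before the lookup, so <code>-a dsa</code> and <code>-a DSA</code> are treated alike, mirroring the case-insensitive matching the descriptions state.</p>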
<a name="id2515201"></a><h2>GENERATED KEYS</h2>
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated. These strings can be used as arguments
 to <span><strong class="command">dnssec-makekeyset</strong></span>.
<li><p><code class="filename">nnnn</code> is the key name.
<li><p><code class="filename">aaa</code> is the numeric representation
<li><p><code class="filename">iiiii</code> is the key identifier (or
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 The <code class="filename">.key</code> file contains a DNS KEY record
 can be inserted into a zone file (directly or with a $INCLUDE
 The <code class="filename">.private</code> file contains algorithm
 fields. For obvious security reasons, this file does not have
 general read permission.
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric encryption algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
 The command would print a string of the form:
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code>
 <code class="filename">Kexample.com.+003+26160.private</code>
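<p>An added example, not part of BIND or of this page, that works with the identification string described under GENERATED KEYS: it splits <code class="filename">Knnnn.+aaa+iiiii</code> into the key name, the algorithm and the key identifier, derives the two file names the tool creates, and checks that a <code class="filename">.private</code> file carries no group or world permission bits, which is the property the text above says the file must have. The algorithm numbers are the DNSSEC registry values for the algorithms this tool supports (003 is DSA, as in the example above; 157 is the private-use number used for HMAC-MD5). The function names, the regular expression and the temporary file it writes are this example's own, and the file content is a constructed placeholder rather than real key material.</p>

```python
"""Parse dnssec-keygen identification strings and check .private permissions.

Added example, not part of BIND. The temporary file written by
check_constructed_private_file() is a constructed placeholder, not a key.
"""
import os
import re
import stat
import tempfile

# DNSSEC algorithm numbers for the algorithms this tool supports
# (RFC 2535 / RFC 4034 values; 157 is the private-use number for HMAC-MD5)
ALGORITHM_NUMBERS = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 157: "HMAC-MD5"}

# K<name>+<three-digit algorithm>+<five-digit key id>; the name keeps its trailing dot
KEY_ID_RE = re.compile(r"^K(?P<name>[^+]+)\+(?P<alg>\d{3})\+(?P<id>\d{5})$")


def parse_key_id(ident):
    """Return (name, algorithm_name, key_id) for e.g. 'Kexample.com.+003+26160'."""
    m = KEY_ID_RE.match(ident)
    if not m:
        raise ValueError(f"not a dnssec-keygen identification string: {ident!r}")
    number = int(m.group("alg"))
    return m.group("name"), ALGORITHM_NUMBERS.get(number, f"alg{number}"), int(m.group("id"))


def key_file_names(ident):
    """Return the (.key, .private) file names dnssec-keygen creates for ident."""
    parse_key_id(ident)  # reject anything that is not an identification string
    return ident + ".key", ident + ".private"


def private_file_is_protected(path):
    """True when the file has no group or other permission bits set (e.g. mode 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_constructed_private_file():
    """Write a constructed .private file, check it at mode 0600 and again at 0644.

    Returns (protected_at_0600, protected_at_0644), i.e. (True, False)."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, key_file_names("Kexample.com.+003+26160")[1])
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real key\n")
        os.chmod(path, 0o600)
        strict = private_file_is_protected(path)
        os.chmod(path, 0o644)  # the kind of permission the text says the file must not have
        loose = private_file_is_protected(path)
    return strict, loose


if __name__ == "__main__":
    print(parse_key_id("Kexample.com.+003+26160"))
    print(key_file_names("Kexample.com.+003+26160"))
    print(check_constructed_private_file())
```

<p>The permission check is the one worth running after every key generation or copy: a <code class="filename">.private</code> file that has become group- or world-readable through a careless copy or backup is the common way the signing key leaks, and the check is cheap enough to put in the same script that calls the tool.</p>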
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>