dnssec-keygen.html revision 75c0816e8295e180f4bc7f10db3d0d880383bc1c
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.html,v 1.19 2005/05/13 03:14:05 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="id2456836"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC &lt;TBA\&gt;. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.</p>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA), RSASHA1,
 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
 are case insensitive.
 Note 1: for DNSSEC, RSASHA1 is mandatory to implement
 and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
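The following is an added example, not part of the BIND 9 manual page: it checks an intended <code>dnssec-keygen</code> invocation against the <code>-a</code>, <code>-b</code> and <code>-n</code> rules stated on this page (key-size ranges, the DSA multiple-of-64 rule, the accepted name types, and Note 2 under <code>-a</code>) before the command is run. The function and table names are the example's own.

```python
# Added example, not part of the BIND 9 manual: validate a planned dnssec-keygen
# invocation against the -a / -b / -n rules stated on this page before running it.
from typing import List, Optional

# algorithm -> (min bits, max bits, required multiple), as given under -b above
KEYSIZE_RULES = {
    "RSAMD5": (512, 2048, 1),
    "RSASHA1": (512, 2048, 1),
    "DH": (128, 4096, 1),
    "DSA": (512, 1024, 64),
    "HMAC-MD5": (1, 512, 1),
}
NAMETYPES = {"ZONE", "HOST", "ENTITY", "USER", "OTHER"}
IMPLIES_KEY_RECORD = {"HMAC-MD5", "DH"}   # Note 2 under -a: these set -k automatically


def check_keysize(algorithm: str, keysize: int) -> Optional[str]:
    """Return None if keysize is acceptable for algorithm, otherwise the reason it is not."""
    alg = algorithm.upper()                   # the manual says values are case insensitive
    if alg not in KEYSIZE_RULES:
        return f"unknown algorithm {algorithm!r}"
    lo, hi, step = KEYSIZE_RULES[alg]
    if not lo <= keysize <= hi:
        return f"{alg} keys must be between {lo} and {hi} bits, got {keysize}"
    if keysize % step:
        return f"{alg} keys must be an exact multiple of {step} bits, got {keysize}"
    return None


def plan_keygen(algorithm: str, keysize: int, nametype: str, name: str,
                key_records: bool = False) -> dict:
    """Validate the arguments; return the argv to run and the record type it will produce."""
    problem = check_keysize(algorithm, keysize)
    if problem:
        raise ValueError(problem)
    alg, ntype = algorithm.upper(), nametype.upper()
    if ntype not in NAMETYPES:
        raise ValueError(f"nametype must be one of {sorted(NAMETYPES)}, got {nametype!r}")
    argv: List[str] = ["dnssec-keygen", "-a", alg, "-b", str(keysize), "-n", ntype]
    if key_records:
        argv.append("-k")                     # request KEY rather than DNSKEY records
    argv.append(name)
    # KEY records result when -k is given or when the algorithm implies -k (Note 2)
    record = "KEY" if key_records or alg in IMPLIES_KEY_RECORD else "DNSKEY"
    return {"argv": argv, "record_type": record}


if __name__ == "__main__":
    print(plan_keygen("dsa", 768, "zone", "example.com"))
```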
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)), or OTHER (DNSKEY).
 These values are
 case insensitive.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-e</span></dt>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key) DNSKEY.
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-k</span></dt>
 Generate KEY records rather than DNSKEY records.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF to the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated. These strings can be used as arguments
 to <span><strong class="command">dnssec-makekeyset</strong></span>.
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the private key.</p>
 The <code class="filename">.key</code> file contains a DNS KEY record that
 can be inserted into a zone file (directly or with a $INCLUDE statement).
 The <code class="filename">.private</code> file contains algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be issued:
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
 The command would print a string of the form:
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code> and
 <code class="filename">Kexample.com.+003+26160.private</code>
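As an added example (not BIND code), the following parses the <code>Knnnn.+aaa+iiiii</code> identification string from the example above, derives the <code>.key</code> and <code>.private</code> file names, and verifies that the <code>.private</code> file has no group or other read permission, as the text requires. The algorithm-number table covers only the algorithms named on this page; the demo file it checks is constructed in a temporary directory and holds placeholder content, not a real key.

```python
# Added example, not BIND code: parse the identification string dnssec-keygen
# prints, derive the file names it creates, and check the .private file's mode.
import os
import re
import stat
import tempfile

# Algorithm numbers for the algorithms named on this page (IANA DNSSEC registry)
ALGORITHM_NAMES = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 157: "HMAC-MD5"}

# Knnnn.+aaa+iiiii: key name, three-digit algorithm number, five-digit key id
KEY_ID_RE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})$")


def parse_key_id(ident: str) -> dict:
    """Split an identification string into its parts and the two file names."""
    m = KEY_ID_RE.match(ident)
    if not m:
        raise ValueError(f"not a dnssec-keygen identification string: {ident!r}")
    alg = int(m.group("alg"))
    return {
        "name": m.group("name"),
        "algorithm": alg,
        "algorithm_name": ALGORITHM_NAMES.get(alg, "unknown"),
        "key_id": int(m.group("id")),
        "public_file": ident + ".key",
        "private_file": ident + ".private",
    }


def private_file_is_protected(path: str) -> bool:
    """True if the file mode grants no read permission to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRGRP | stat.S_IROTH) == 0


def audit_demo() -> dict:
    """Constructed demo: a fake .private file checked at mode 0600 and again at 0644."""
    info = parse_key_id("Kexample.com.+003+26160")    # the string from the example above
    with tempfile.TemporaryDirectory() as workdir:
        path = os.path.join(workdir, info["private_file"])
        with open(path, "w") as fh:
            fh.write("constructed placeholder, not a real private key\n")
        os.chmod(path, 0o600)
        info["protected_at_0600"] = private_file_is_protected(path)
        os.chmod(path, 0o644)                          # the misconfiguration to catch
        info["protected_at_0644"] = private_file_is_protected(path)
    return info


if __name__ == "__main__":
    print(audit_demo())
```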
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>