dnssec-keygen.html revision 75c0816e8295e180f4bc7f10db3d0d880383bc1c
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - Permission to use, copy, modify, and distribute this software for any
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - purpose with or without fee is hereby granted, provided that the above
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - copyright notice and this permission notice appear in all copies.
9016767f4e15191b7c763b8a4ad36a57dc2705a2Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9016767f4e15191b7c763b8a4ad36a57dc2705a2Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
9016767f4e15191b7c763b8a4ad36a57dc2705a2Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
9016767f4e15191b7c763b8a4ad36a57dc2705a2Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
9016767f4e15191b7c763b8a4ad36a57dc2705a2Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
9016767f4e15191b7c763b8a4ad36a57dc2705a2Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<!-- $Id: dnssec-keygen.html,v 1.19 2005/05/13 03:14:05 marka Exp $ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<a name="id2456836"></a><div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">dnssec-keygen</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and RFC <TBA\>. It can also generate keys for use with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein TSIG (Transaction Signatures), as defined in RFC 2845.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Selects the cryptographic algorithm. The value of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DSA, DH (Diffie Hellman), or HMAC-MD5. These values
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein are case insensitive.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Note 2: HMAC-MD5 and DH automatically set the -k flag.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the number of bits in the key. The choice of key
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 512 and 2048 bits. Diffie Hellman keys must be between
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 128 and 4096 bits. DSA keys must be between 512 and 1024
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein bits and an exact multiple of 64. HMAC-MD5 keys must be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein between 1 and 512 bits.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the owner type of the key. The value of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">nametype</code> must either be ZONE (for a DNSSEC
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a host (KEY)),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein These values are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein case insensitive.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Indicates that the DNS record containing the key should have
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the specified class. If not specified, class IN is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If generating an RSAMD5/RSASHA1 key, use a large exponent.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Set the specified flag in the flag field of the KEY/DNSKEY record.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The only recognized flag is KSK (Key Signing Key) DNSKEY.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If generating a Diffie Hellman key, use this generator.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Allowed values are 2 and 5. If no generator
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is specified, a known prime from RFC 2539 will be used
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein if possible; otherwise the default is 2.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Prints a short summary of the options and arguments to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dnssec-keygen</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate KEY records rather than DNSKEY records.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the protocol value for the generated key. The protocol
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is a number between 0 and 255. The default is 3 (DNSSEC).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Other possible values for this argument are listed in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein RFC 2535 and its successors.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the source of randomness. If the operating
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein system does not provide a <code class="filename">/dev/random</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or equivalent device, the default source of randomness
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is keyboard input. <code class="filename">randomdev</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the name of a character device or file containing random
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein data to be used instead of the default. The special value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">keyboard</code> indicates that keyboard
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein input should be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the strength value of the key. The strength is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a number between 0 and 15, and currently has no defined
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein purpose in DNSSEC.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Indicates the use of the key. <code class="option">type</code> must be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is AUTHCONF. AUTH refers to the ability to authenticate
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein data, and CONF the ability to encrypt data.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the debugging level.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When <span><strong class="command">dnssec-keygen</strong></span> completes
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein successfully,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the standard output. This is an identification string for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the key it has generated. These strings can be used as arguments
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to <span><strong class="command">dnssec-makekeyset</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p><code class="filename">nnnn</code> is the key name.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p><code class="filename">aaa</code> is the numeric representation
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<li><p><code class="filename">iiiii</code> is the key identifier (or
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">dnssec-keygen</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein creates two file, with names based
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein contains the public key, and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="filename">.key</code> file contains a DNS KEY record
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein can be inserted into a zone file (directly or with a $INCLUDE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="filename">.private</code> file contains algorithm
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein fields. For obvious security reasons, this file does not have
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein general read permission.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Both <code class="filename">.key</code> and <code class="filename">.private</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein files are generated for symmetric encryption algorithm such as
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein HMAC-MD5, even though the public and private key are equivalent.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To generate a 768-bit DSA key for the domain
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <strong class="userinput"><code>example.com</code></strong>, the following command would be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The command would print a string of the form:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the files <code class="filename">Kexample.com.+003+26160.key</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">Kexample.com.+003+26160.private</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="corpauthor">Internet Systems Consortium</span>