dnssec-keygen.html revision 8ec3c085233cedb22b05da36e2773c8f357a7e45
ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh - Copyright (C) 2000-2003 Internet Software Consortium.
ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh - Permission to use, copy, modify, and/or distribute this software for any
ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh - purpose with or without fee is hereby granted, provided that the above
ff1234e45aca1b8171d711ecb87f58b9d9100a99ianh - copyright notice and this permission notice appear in all copies.
b999f6ba2a266bf9a92687f31bb7e76021ac5891ianh - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe - PERFORMANCE OF THIS SOFTWARE.
2ceedfca3a2fdfdb5ff60ca17f030ce91f6331cbwrowe<!-- $Id: dnssec-keygen.html,v 1.41 2009/10/06 01:14:41 tbox Exp $ -->
b999f6ba2a266bf9a92687f31bb7e76021ac5891ianh<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
1f3a44f2fd7f9fee00b80c7ddcf1028ea145f91drbb<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
b9b69856aec9ea58ea1b1e5aff669e8eaf2ebce4rbb<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
b9b69856aec9ea58ea1b1e5aff669e8eaf2ebce4rbb<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
1f3a44f2fd7f9fee00b80c7ddcf1028ea145f91drbb<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck<p><span><strong class="command">dnssec-keygen</strong></span>
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck and RFC 4034. It can also generate keys for use with
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck (Transaction Key) as defined in RFC 2930.
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck The <code class="option">name</code> of the key is specified on the command
53c2eb831bfe47860e3f5ec9190b15cb92f15181chuck line. For DNSSEC keys, this must match the name of the zone for
c1635d9f723f28fed4b95e5d9693e554a79e8d77orlikowski which the key is being generated.
c1635d9f723f28fed4b95e5d9693e554a79e8d77orlikowski<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
4f7dd0949d92462a8adc31eee8aff266eea55204chuck Selects the cryptographic algorithm. For DNSSEC keys, the value
4f7dd0949d92462a8adc31eee8aff266eea55204chuck of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
4f7dd0949d92462a8adc31eee8aff266eea55204chuck DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must
75b3ed55173b29dbdf9e2fb6ec5462bfceee21aechuck be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
75b3ed55173b29dbdf9e2fb6ec5462bfceee21aechuck HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
75b3ed55173b29dbdf9e2fb6ec5462bfceee21aechuck case insensitive.
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck If no algorithm is specified, then RSASHA1 will be used by
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck default, unless the <code class="option">-3</code> option is specified,
68bcde9c52e9e749482df2800dbdff09559115e0chuck in which case NSEC3RSASHA1 will be used instead.
68bcde9c52e9e749482df2800dbdff09559115e0chuck Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
68bcde9c52e9e749482df2800dbdff09559115e0chuck algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
68bcde9c52e9e749482df2800dbdff09559115e0chuck Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
68bcde9c52e9e749482df2800dbdff09559115e0chuck automatically set the -T KEY option.
68bcde9c52e9e749482df2800dbdff09559115e0chuck<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
68bcde9c52e9e749482df2800dbdff09559115e0chuck Specifies the number of bits in the key. The choice of key
68bcde9c52e9e749482df2800dbdff09559115e0chuck size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
68bcde9c52e9e749482df2800dbdff09559115e0chuck between 512 and 2048 bits. Diffie Hellman keys must be between
68bcde9c52e9e749482df2800dbdff09559115e0chuck 128 and 4096 bits. DSA keys must be between 512 and 1024
68bcde9c52e9e749482df2800dbdff09559115e0chuck bits and an exact multiple of 64. HMAC-MD5 keys must be
68bcde9c52e9e749482df2800dbdff09559115e0chuck between 1 and 512 bits.
68bcde9c52e9e749482df2800dbdff09559115e0chuck The key size does not need to be specified if using a default
68bcde9c52e9e749482df2800dbdff09559115e0chuck algorithm. The default key size is 1024 bits for zone signing
68bcde9c52e9e749482df2800dbdff09559115e0chuck keys (ZSK's) and 2048 bits for key signing keys (KSK's,
68bcde9c52e9e749482df2800dbdff09559115e0chuck generated with <code class="option">-f KSK</code>). However, if an
68bcde9c52e9e749482df2800dbdff09559115e0chuck algorithm is explicitly specified with the <code class="option">-a</code>,
68bcde9c52e9e749482df2800dbdff09559115e0chuck then there is no default key size, and the <code class="option">-b</code>
68bcde9c52e9e749482df2800dbdff09559115e0chuck must be used.
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
68bcde9c52e9e749482df2800dbdff09559115e0chuck Specifies the owner type of the key. The value of
68bcde9c52e9e749482df2800dbdff09559115e0chuck <code class="option">nametype</code> must either be ZONE (for a DNSSEC
68bcde9c52e9e749482df2800dbdff09559115e0chuck zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
68bcde9c52e9e749482df2800dbdff09559115e0chuck a host (KEY)),
68bcde9c52e9e749482df2800dbdff09559115e0chuck USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
68bcde9c52e9e749482df2800dbdff09559115e0chuck These values are case insensitive. Defaults to ZONE for DNSKEY
68bcde9c52e9e749482df2800dbdff09559115e0chuck generation.
68bcde9c52e9e749482df2800dbdff09559115e0chuck Use an NSEC3-capable algorithm to generate a DNSSEC key.
68bcde9c52e9e749482df2800dbdff09559115e0chuck If this option is used and no algorithm is explicitly
68bcde9c52e9e749482df2800dbdff09559115e0chuck set on the command line, NSEC3RSASHA1 will be used by
68bcde9c52e9e749482df2800dbdff09559115e0chuck Compatibility mode: generates an old-style key, without
68bcde9c52e9e749482df2800dbdff09559115e0chuck any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
68bcde9c52e9e749482df2800dbdff09559115e0chuck will include the key's creation date in the metadata stored
68bcde9c52e9e749482df2800dbdff09559115e0chuck with the private key, and other dates may be set there as well
68bcde9c52e9e749482df2800dbdff09559115e0chuck (publication date, activation date, etc). Keys that include
68bcde9c52e9e749482df2800dbdff09559115e0chuck this data may be incompatible with older versions of BIND; the
68bcde9c52e9e749482df2800dbdff09559115e0chuck <code class="option">-C</code> option suppresses them.
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
68bcde9c52e9e749482df2800dbdff09559115e0chuck Indicates that the DNS record containing the key should have
68bcde9c52e9e749482df2800dbdff09559115e0chuck the specified class. If not specified, class IN is used.
68bcde9c52e9e749482df2800dbdff09559115e0chuck<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
68bcde9c52e9e749482df2800dbdff09559115e0chuck Uses a crypto hardware (OpenSSL engine) for random number
68bcde9c52e9e749482df2800dbdff09559115e0chuck and, when supported, key generation. When compiled with PKCS#11
68bcde9c52e9e749482df2800dbdff09559115e0chuck support it defaults to pcks11, the empty name resets it to
68bcde9c52e9e749482df2800dbdff09559115e0chuck If generating an RSAMD5/RSASHA1 key, use a large exponent.
68bcde9c52e9e749482df2800dbdff09559115e0chuck<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
68bcde9c52e9e749482df2800dbdff09559115e0chuck Set the specified flag in the flag field of the KEY/DNSKEY record.
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck The only recognized flags are KSK (Key Signing Key) and REVOKE.
68bcde9c52e9e749482df2800dbdff09559115e0chuck Generate a key, but do not publish it or sign with it. This
68bcde9c52e9e749482df2800dbdff09559115e0chuck option is incompatible with -P and -A.
68bcde9c52e9e749482df2800dbdff09559115e0chuck<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
68bcde9c52e9e749482df2800dbdff09559115e0chuck If generating a Diffie Hellman key, use this generator.
68bcde9c52e9e749482df2800dbdff09559115e0chuck Allowed values are 2 and 5. If no generator
68bcde9c52e9e749482df2800dbdff09559115e0chuck is specified, a known prime from RFC 2539 will be used
68bcde9c52e9e749482df2800dbdff09559115e0chuck if possible; otherwise the default is 2.
68bcde9c52e9e749482df2800dbdff09559115e0chuck Prints a short summary of the options and arguments to
68bcde9c52e9e749482df2800dbdff09559115e0chuck <span><strong class="command">dnssec-keygen</strong></span>.
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
68bcde9c52e9e749482df2800dbdff09559115e0chuck Sets the directory in which the key files are to be written.
68bcde9c52e9e749482df2800dbdff09559115e0chuck Deprecated in favor of -T KEY.
68bcde9c52e9e749482df2800dbdff09559115e0chuck<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
68bcde9c52e9e749482df2800dbdff09559115e0chuck Sets the protocol value for the generated key. The protocol
68bcde9c52e9e749482df2800dbdff09559115e0chuck is a number between 0 and 255. The default is 3 (DNSSEC).
68bcde9c52e9e749482df2800dbdff09559115e0chuck Other possible values for this argument are listed in
68bcde9c52e9e749482df2800dbdff09559115e0chuck RFC 2535 and its successors.
68bcde9c52e9e749482df2800dbdff09559115e0chuck<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
68bcde9c52e9e749482df2800dbdff09559115e0chuck Specifies the source of randomness. If the operating
68bcde9c52e9e749482df2800dbdff09559115e0chuck system does not provide a <code class="filename">/dev/random</code>
68bcde9c52e9e749482df2800dbdff09559115e0chuck or equivalent device, the default source of randomness
68bcde9c52e9e749482df2800dbdff09559115e0chuck is keyboard input. <code class="filename">randomdev</code>
68bcde9c52e9e749482df2800dbdff09559115e0chuck the name of a character device or file containing random
68bcde9c52e9e749482df2800dbdff09559115e0chuck data to be used instead of the default. The special value
68bcde9c52e9e749482df2800dbdff09559115e0chuck <code class="filename">keyboard</code> indicates that keyboard
68bcde9c52e9e749482df2800dbdff09559115e0chuck input should be used.
68bcde9c52e9e749482df2800dbdff09559115e0chuck<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
68bcde9c52e9e749482df2800dbdff09559115e0chuck Specifies the strength value of the key. The strength is
68bcde9c52e9e749482df2800dbdff09559115e0chuck a number between 0 and 15, and currently has no defined
68bcde9c52e9e749482df2800dbdff09559115e0chuck purpose in DNSSEC.
0c233c76f21b358f4a0d81e0f956339ca727c14cchuck<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
4f7dd0949d92462a8adc31eee8aff266eea55204chuck Specifies the resource record type to use for the key.
4f7dd0949d92462a8adc31eee8aff266eea55204chuck <code class="option">rrtype</code> must be either DNSKEY or KEY. The
68bcde9c52e9e749482df2800dbdff09559115e0chuck default is DNSKEY when using a DNSSEC algorithm, but it can be
4f7dd0949d92462a8adc31eee8aff266eea55204chuck overridden to KEY for use with SIG(0).
68bcde9c52e9e749482df2800dbdff09559115e0chuck Using any TSIG algorithm (HMAC-* or DH) forces this option