dnssec-keygen.html revision 90153b6536f7a5078e1c157c980110dbcd7fe205
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.html,v 1.22 2005/08/30 04:18:55 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2514717"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC &lt;TBA&gt;. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2514729"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5 (RSA), RSASHA1,
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
are case insensitive.
</p>
<p>
Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement algorithm,
and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
</p>
<p>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC-MD5 keys must be
between 1 and 512 bits.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must be one of ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)), USER (for a key associated with a user (KEY)),
or OTHER (DNSKEY). These values are case insensitive.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key), which applies to
DNSKEY records.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2515201"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
The <code class="filename">.private</code> file contains algorithm
specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated even for symmetric algorithms such as
HMAC-MD5, where the public and private keys are equivalent.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2515283"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
</p>
<p>
The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
</p>
<p>
In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
the files <code class="filename">Kexample.com.+003+26160.key</code>
and <code class="filename">Kexample.com.+003+26160.private</code>.
</p>
</div>
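<p>
The following is an added example, not part of the original manual page or of BIND, that ties the GENERATED KEYS naming scheme to the EXAMPLE above: it parses the <code class="filename">Knnnn.+aaa+iiiii</code> identifier, recomputes the key id (footprint) from the KEY/DNSKEY record in the <code class="filename">.key</code> file, and checks that the <code class="filename">.private</code> file mode carries no general read permission. The regular expression, the function names, and the sample identifier and record are assumptions; the sample's 4-byte public key is a constructed placeholder, not real DSA key material, and the distinct RSAMD5 key tag rule is deliberately not implemented.
</p>

```python
import base64
import re
import stat

# The identifier dnssec-keygen prints: Knnnn.+aaa+iiiii (name, algorithm, key id).
KEY_ID_RE = re.compile(r"^K(?P<name>.+?)\+(?P<alg>\d{3})\+(?P<id>\d{5})$")

# Constructed sample: the 4-byte "public key" is a placeholder, not real DSA key
# material. Identifier plus the DNSKEY line from the matching .key file.
SAMPLE_ID = "Kexample.com.+003+02057"
SAMPLE_KEY_LINE = "example.com. IN DNSKEY 256 3 3 AQIDBA=="


def parse_key_id(ident):
    """Return (owner name, algorithm number, key id) from 'Knnnn.+aaa+iiiii'."""
    m = KEY_ID_RE.match(ident)
    if m is None:
        raise ValueError("not a dnssec-keygen identifier: %r" % ident)
    return m.group("name"), int(m.group("alg")), int(m.group("id"))


def parse_key_record(line):
    """Parse a KEY/DNSKEY record line from a .key file into (algorithm, RDATA)."""
    fields = line.split()
    i = fields.index("DNSKEY" if "DNSKEY" in fields else "KEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))  # base64 may be split
    return algorithm, flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata, algorithm):
    """Key id (footprint): RFC 2535 Appendix C / RFC 4034 Appendix B checksum of
    the RDATA taken as 16-bit big-endian words, with the carry folded back in."""
    if algorithm == 1:
        raise ValueError("RSAMD5 key tags follow a different rule; not handled here")
    ac = 0
    for pos, byte in enumerate(rdata):
        ac += byte << 8 if pos % 2 == 0 else byte  # odd length: last byte padded
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def matches_identifier(ident, key_line):
    """True if the record in a .key file belongs to the identifier in its name."""
    _, alg, key_id = parse_key_id(ident)
    rec_alg, rdata = parse_key_record(key_line)
    return rec_alg == alg and key_tag(rdata, rec_alg) == key_id


def private_mode_ok(mode):
    """The .private file must carry no group or world permission bits."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

Pass <code>os.stat(path).st_mode</code> of a <code class="filename">.private</code> file to <code>private_mode_ok</code> to audit the permission the page requires.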
<div class="refsect1" lang="en">
<a name="id2515326"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2535</em>,
<em class="citetitle">RFC 2845</em>,
<em class="citetitle">RFC 2539</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2515357"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>