dnssec-keygen.html revision c6c78f699b55b3344fb6b17ddc854cbae4610468
b222ecd1c25197c2a04d0230504153ad6a62a666Michael Graff - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff - Copyright (C) 2000-2003 Internet Software Consortium.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff - Permission to use, copy, modify, and distribute this software for any
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff - purpose with or without fee is hereby granted, provided that the above
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff - copyright notice and this permission notice appear in all copies.
b222ecd1c25197c2a04d0230504153ad6a62a666Michael Graff - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
b222ecd1c25197c2a04d0230504153ad6a62a666Michael Graff - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
b222ecd1c25197c2a04d0230504153ad6a62a666Michael Graff - PERFORMANCE OF THIS SOFTWARE.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<!-- $Id: dnssec-keygen.html,v 1.32 2008/10/15 01:11:35 tbox Exp $ -->
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<p><span><strong class="command">dnssec-keygen</strong></span>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
83f8c56f43852bf9a9c6964eae285284b23f9d8dMichael Graff and RFC 4034. It can also generate keys for use with
bf647f10f68d5a2049f25435f5e3947e99e0e042Bob Halley TSIG (Transaction Signatures), as defined in RFC 2845.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff Selects the cryptographic algorithm. The value of
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff These values are case insensitive.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff Note 2: HMAC-MD5 and DH automatically set the -k flag.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
2fc77eff6231b0dbce9c0a09042df04910b888f5Bob Halley Specifies the number of bits in the key. The choice of key
54a64ec428cb9f783d62a044cbec3a72724a937cMichael Graff size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
6f1422b81ed2c5142092e2ced8e3faf0e61f3ba0Michael Graff 512 and 2048 bits. Diffie Hellman keys must be between
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff 128 and 4096 bits. DSA keys must be between 512 and 1024
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff bits and an exact multiple of 64. HMAC-MD5 keys must be
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff between 1 and 512 bits.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
b222ecd1c25197c2a04d0230504153ad6a62a666Michael Graff Specifies the owner type of the key. The value of
54a64ec428cb9f783d62a044cbec3a72724a937cMichael Graff <code class="option">nametype</code> must either be ZONE (for a DNSSEC
b222ecd1c25197c2a04d0230504153ad6a62a666Michael Graff zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
54a64ec428cb9f783d62a044cbec3a72724a937cMichael Graff a host (KEY)),
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
b222ecd1c25197c2a04d0230504153ad6a62a666Michael Graff These values are case insensitive. Defaults to ZONE for DNSKEY
54a64ec428cb9f783d62a044cbec3a72724a937cMichael Graff<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff Indicates that the DNS record containing the key should have
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff the specified class. If not specified, class IN is used.
54a64ec428cb9f783d62a044cbec3a72724a937cMichael Graff If generating an RSAMD5/RSASHA1 key, use a large exponent.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff Set the specified flag in the flag field of the KEY/DNSKEY record.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff The only recognized flag is KSK (Key Signing Key) DNSKEY.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff If generating a Diffie Hellman key, use this generator.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff Allowed values are 2 and 5. If no generator
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff is specified, a known prime from RFC 2539 will be used
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff if possible; otherwise the default is 2.
54a64ec428cb9f783d62a044cbec3a72724a937cMichael Graff Prints a short summary of the options and arguments to
54a64ec428cb9f783d62a044cbec3a72724a937cMichael Graff <span><strong class="command">dnssec-keygen</strong></span>.
2743e0ce08d1decc963908f024007078d4a553acMichael Graff Generate KEY records rather than DNSKEY records.
2743e0ce08d1decc963908f024007078d4a553acMichael Graff<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
2743e0ce08d1decc963908f024007078d4a553acMichael Graff Sets the protocol value for the generated key. The protocol
2743e0ce08d1decc963908f024007078d4a553acMichael Graff is a number between 0 and 255. The default is 3 (DNSSEC).
2743e0ce08d1decc963908f024007078d4a553acMichael Graff Other possible values for this argument are listed in
2743e0ce08d1decc963908f024007078d4a553acMichael Graff RFC 2535 and its successors.
2743e0ce08d1decc963908f024007078d4a553acMichael Graff<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
2743e0ce08d1decc963908f024007078d4a553acMichael Graff Specifies the source of randomness. If the operating
2743e0ce08d1decc963908f024007078d4a553acMichael Graff system does not provide a <code class="filename">/dev/random</code>
2743e0ce08d1decc963908f024007078d4a553acMichael Graff or equivalent device, the default source of randomness
2743e0ce08d1decc963908f024007078d4a553acMichael Graff is keyboard input. <code class="filename">randomdev</code>
2743e0ce08d1decc963908f024007078d4a553acMichael Graff the name of a character device or file containing random
2743e0ce08d1decc963908f024007078d4a553acMichael Graff data to be used instead of the default. The special value
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff <code class="filename">keyboard</code> indicates that keyboard
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff input should be used.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff Specifies the strength value of the key. The strength is
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff a number between 0 and 15, and currently has no defined
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff purpose in DNSSEC.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
6f1422b81ed2c5142092e2ced8e3faf0e61f3ba0Michael Graff Indicates the use of the key. <code class="option">type</code> must be
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
b222ecd1c25197c2a04d0230504153ad6a62a666Michael Graff is AUTHCONF. AUTH refers to the ability to authenticate
ab0e5066083abcbec62513a3cc041d1f1eb9098aMichael Graff data, and CONF the ability to encrypt data.
b222ecd1c25197c2a04d0230504153ad6a62a666Michael Graff<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff Sets the debugging level.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<a name="id2543824"></a><h2>GENERATED KEYS</h2>
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff When <span><strong class="command">dnssec-keygen</strong></span> completes
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff successfully,
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff to the standard output. This is an identification string for
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff the key it has generated.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<li><p><code class="filename">nnnn</code> is the key name.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<li><p><code class="filename">aaa</code> is the numeric representation
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<li><p><code class="filename">iiiii</code> is the key identifier (or
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff<p><span><strong class="command">dnssec-keygen</strong></span>
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff creates two files, with names based
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff contains the public key, and
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
b222ecd1c25197c2a04d0230504153ad6a62a666Michael Graff The <code class="filename">.key</code> file contains a DNS KEY record
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff can be inserted into a zone file (directly or with a $INCLUDE
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff The <code class="filename">.private</code> file contains
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff algorithm-specific
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff fields. For obvious security reasons, this file does not have
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff general read permission.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff Both <code class="filename">.key</code> and <code class="filename">.private</code>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff files are generated for symmetric encryption algorithms such as
6f1422b81ed2c5142092e2ced8e3faf0e61f3ba0Michael Graff HMAC-MD5, even though the public and private key are equivalent.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff To generate a 768-bit DSA key for the domain
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff <strong class="userinput"><code>example.com</code></strong>, the following command would be
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff The command would print a string of the form:
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff the files <code class="filename">Kexample.com.+003+26160.key</code>
a8dcebd0419f27234664e89b9cd48bc54cad08a7Michael Graff <code class="filename">Kexample.com.+003+26160.private</code>.
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
9df93ea1bf53e09fd2d7f13c899817046dd04325Michael Graff<p><span class="corpauthor">Internet Systems Consortium</span>