dnssec-keygen.html revision 2895f101b5585a19015ac2c2c1e1812ac467fa12
<!--
 - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.html,v 1.39 2009/09/03 01:14:41 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-U <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
 (Transaction Key) as defined in RFC 2930.
 The <code class="option">name</code> of the key is specified on the command
 line. For DNSSEC keys, this must match the name of the zone for
 which the key is being generated.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. For DNSSEC keys, the value
 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must
 be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
 HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
 case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead.
 Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 automatically set the -T KEY option.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with the <code class="option">-a</code> option,
 then there is no default key size, and the <code class="option">-b</code>
 option must be used.
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be either ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
<dt><span class="term">-3</span></dt>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
<dt><span class="term">-C</span></dt>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-e</span></dt>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
 Deprecated in favor of -T KEY.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
 Specifies the resource record type to use for the key.
 <code class="option">rrtype</code> must be either DNSKEY or KEY. The
 default is DNSKEY when using a DNSSEC algorithm, but it can be
 overridden to KEY for use with SIG(0).
 Using any TSIG algorithm (HMAC-* or DH) forces this option
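<p>The rules spread across the <code class="option">-a</code>, <code class="option">-b</code>, <code class="option">-n</code>, <code class="option">-f</code> and <code class="option">-T</code> descriptions interact (an explicit algorithm removes the default key size, KSKs and ZSKs default to different sizes, TSIG algorithms force <code class="option">-T KEY</code>), and a mistyped size is only reported by the tool itself. The POSIX shell script below is an added example, not part of the dnssec-keygen manual or of BIND: it encodes those rules as a pre-flight check and prints the resulting command line rather than running it. The function names (<code>upcase</code>, <code>is_tsig_algo</code>, <code>check_keysize</code>, <code>keygen_cmd</code>) and the zone names are this example's own; it also assumes that the NSEC3 variants share their base algorithm's size range, that HMAC-SHA* sizes need no range check because the manual gives none, and that <code class="option">-n HOST</code> is the owner type wanted for a TSIG key, none of which the manual states.</p>

```shell
#!/bin/sh
# Added example, not part of the dnssec-keygen manual or of BIND: encode the
# manual's algorithm, key-size, -f KSK and -T KEY rules as a pre-flight check
# and print the resulting dnssec-keygen command line instead of running it.
# Function names are this example's own.

# Option values are case insensitive per the manual; normalize to upper case.
upcase() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# is_tsig_algo ALGORITHM -> 0 for the TSIG/TKEY algorithms that force -T KEY.
is_tsig_algo() {
    case "$(upcase "$1")" in
        DH|HMAC-MD5|HMAC-SHA1|HMAC-SHA224|HMAC-SHA256|HMAC-SHA384|HMAC-SHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# check_keysize ALGORITHM BITS -> 0 if BITS is an allowed size for ALGORITHM.
# Ranges are the ones the manual states under -b. Assumptions: the NSEC3
# variants share their base algorithm's range, and HMAC-SHA* sizes are only
# required to be positive because the manual gives no range for them.
check_keysize() {
    algo=$(upcase "$1"); bits=$2
    case "$bits" in ''|*[!0-9]*) return 1 ;; esac   # must be a decimal number
    lo=0; hi=0; step=1
    case "$algo" in
        RSAMD5|RSASHA1|NSEC3RSASHA1) lo=512; hi=2048 ;;
        DH)                          lo=128; hi=4096 ;;
        DSA|NSEC3DSA)                lo=512; hi=1024; step=64 ;;  # exact multiple of 64
        HMAC-MD5)                    lo=1;   hi=512 ;;
        HMAC-SHA1|HMAC-SHA224|HMAC-SHA256|HMAC-SHA384|HMAC-SHA512)
                                     lo=1;   hi=$bits ;;          # no range in the manual
        *) return 1 ;;               # not an algorithm the manual lists
    esac
    if [ "$bits" -ge "$lo" ] && [ "$bits" -le "$hi" ] && [ $((bits % step)) -eq 0 ]; then
        return 0
    fi
    return 1
}

# keygen_cmd NAME [ALGORITHM] [BITS] [ksk|zsk] [nsec3]
# Applies the manual's defaults: no -a means RSASHA1 (NSEC3RSASHA1 when -3 is
# wanted) with 1024-bit ZSKs and 2048-bit KSKs; an explicit -a has no default
# size, so -b becomes mandatory. Prints the command line or returns 1.
keygen_cmd() {
    name=$1; algo=$2; bits=$3; role=${4:-zsk}; nsec3=${5:-}
    if [ -n "$algo" ]; then
        algo=$(upcase "$algo")
        if [ -z "$bits" ]; then
            echo "error: -a $algo given without -b (no default key size for an explicit algorithm)" >&2
            return 1
        fi
    else
        if [ -n "$nsec3" ]; then algo=NSEC3RSASHA1; else algo=RSASHA1; fi
        if [ -z "$bits" ]; then
            if [ "$role" = ksk ]; then bits=2048; else bits=1024; fi
        fi
    fi
    if ! check_keysize "$algo" "$bits"; then
        echo "error: $bits bits is not a valid key size for $algo" >&2
        return 1
    fi
    opts="-a $algo -b $bits"
    if is_tsig_algo "$algo"; then
        # The tool sets -T KEY itself for these algorithms; -n HOST is this
        # example's choice of owner type for a shared-secret key.
        opts="$opts -n HOST -T KEY"
    else
        opts="$opts -n ZONE"
        if [ "$role" = ksk ]; then opts="$opts -f KSK"; fi
    fi
    printf 'dnssec-keygen %s %s\n' "$opts" "$name"
}

# Usage with constructed names:
#   keygen_cmd example.com                  -> dnssec-keygen -a RSASHA1 -b 1024 -n ZONE example.com
#   keygen_cmd example.com "" "" ksk nsec3  -> dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE -f KSK example.com
#   keygen_cmd tsig.example hmac-sha256 256 -> dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST -T KEY tsig.example
#   keygen_cmd example.com rsasha1          -> error, -b is required with an explicit -a
#   keygen_cmd example.com dsa 1000         -> error, DSA sizes must be a multiple of 64
```

<p>Keeping the check separate from the invocation means a rejected combination never reaches the tool, and the printed line can be reviewed (or piped to <code>sh</code>) once the operator is satisfied with it.</p>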
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.