922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - Copyright (C) 2001-2003 Internet Software Consortium.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - Permission to use, copy, modify, and distribute this software for any
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - purpose with or without fee is hereby granted, provided that the above
c58f1213e628a545081c70e26c6b67a841cff880vboxsync - copyright notice and this permission notice appear in all copies.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync - PERFORMANCE OF THIS SOFTWARE.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync<!-- $Id: dnssec-keygen.html,v 1.9 2004/03/05 08:32:16 marka Exp $ -->
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>dnssec-keygen</TITLE
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncNAME="GENERATOR"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCONTENT="Modular DocBook HTML Stylesheet Version 1.73
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REFENTRY"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncBGCOLOR="#FFFFFF"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncTEXT="#000000"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncLINK="#0000FF"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncVLINK="#840084"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncALINK="#0000FF"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="APPLICATION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>dnssec-keygen</SPAN
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REFNAMEDIV"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="APPLICATION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>dnssec-keygen</SPAN
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> -- DNSSEC key generation tool</DIV
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REFSYNOPSISDIV"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncNAME="AEN13"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>Synopsis</H2
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="COMMAND"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>dnssec-keygen</B
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>algorithm</I
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
10d739d22a5d5a13803f7e34de34de010099270cvboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>nametype</I
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
ad27e1d5e48ca41245120c331cc88b50464813cevboxsync>generator</I
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>protocol</I
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>randomdev</I
be196d173cf52fa33016912e4745dbe1170ac53avboxsyncCLASS="OPTION"
be196d173cf52fa33016912e4745dbe1170ac53avboxsyncCLASS="REPLACEABLE"
be196d173cf52fa33016912e4745dbe1170ac53avboxsync>strength</I
be196d173cf52fa33016912e4745dbe1170ac53avboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>] {name}</P
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REFSECT1"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncNAME="AEN51"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>DESCRIPTION</H2
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="COMMAND"
be196d173cf52fa33016912e4745dbe1170ac53avboxsync>dnssec-keygen</B
be196d173cf52fa33016912e4745dbe1170ac53avboxsync> generates keys for DNSSEC
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync (Secure DNS), as defined in RFC 2535. It can also generate
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync keys for use with TSIG (Transaction Signatures), as
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync defined in RFC 2845.
be196d173cf52fa33016912e4745dbe1170ac53avboxsyncCLASS="REFSECT1"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncNAME="AEN55"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>OPTIONS</H2
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="VARIABLELIST"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>algorithm</I
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Selects the cryptographic algorithm. The value of
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="OPTION"
cecfddc5f644039b889734369f7087dcdeb42e85vboxsync>algorithm</TT
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> must be one of RSAMD5 or RSA,
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync DSA, DH (Diffie Hellman), or HMAC-MD5. These values
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync are case insensitive.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Note that for DNSSEC, DSA is a mandatory-to-implement algorithm,
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync and RSA is recommended. For TSIG, HMAC-MD5 is mandatory. These
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync statements reflect the requirements of RFC 2535 and RFC 2845 as of
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync the time this page was written; before choosing an algorithm for a
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync new key, consult current DNSSEC and TSIG algorithm guidance, as the
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync MD5-based choices listed here in particular date from that era.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
88acfa6629a7976c0583c1712d2b5b22a87a5121vboxsync> Specifies the number of bits in the key. The choice of key
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync size depends on the algorithm used. RSA keys must be between
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync 512 and 2048 bits. Diffie-Hellman keys must be between
88acfa6629a7976c0583c1712d2b5b22a87a5121vboxsync 128 and 4096 bits. DSA keys must be between 512 and 1024
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync bits and an exact multiple of 64. HMAC-MD5 keys must be
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync between 1 and 512 bits. Note that these are the sizes the tool
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync accepts, not recommended sizes: the lower bounds (for example a
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync 512-bit RSA key or a 1-bit HMAC-MD5 key) offer little or no
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync security and should not be used for keys that protect real zones.
be196d173cf52fa33016912e4745dbe1170ac53avboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>nametype</I
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Specifies the owner type of the key. The value of
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>nametype</TT
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> must either be ZONE (for a DNSSEC
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync zone key), HOST or ENTITY (for a key associated with a host),
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync or USER (for a key associated with a user). These values are
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync case insensitive.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Indicates that the DNS record containing the key should have
be196d173cf52fa33016912e4745dbe1170ac53avboxsync the specified class. If not specified, class IN is used.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> If generating an RSA key, use a large public exponent instead of the small default exponent.
be196d173cf52fa33016912e4745dbe1170ac53avboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Set the specified flag in the flag field of the key record.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync The only recognized flag is KSK (Key Signing Key).
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
10d739d22a5d5a13803f7e34de34de010099270cvboxsync>generator</I
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> If generating a Diffie Hellman key, use this generator.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync Allowed values are 2 and 5. If no generator
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync is specified, a known prime from RFC 2539 will be used
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync if possible; otherwise the default is 2.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Prints a short summary of the options and arguments to
10d739d22a5d5a13803f7e34de34de010099270cvboxsyncCLASS="COMMAND"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>dnssec-keygen</B
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>protocol</I
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Sets the protocol value for the generated key. The protocol
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync is a number between 0 and 255. The default is 3 (DNSSEC).
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync Other possible values for this argument are listed in
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync RFC 2535 and its successors.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>randomdev</I
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Specifies the source of randomness. If the operating
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync system does not provide a <TT
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="FILENAME"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync or equivalent device, the default source of randomness
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync is keyboard input. <TT
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="FILENAME"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>randomdev</TT
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync the name of a character device or file containing random
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync data to be used instead of the default. The special value
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="FILENAME"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>keyboard</TT
be196d173cf52fa33016912e4745dbe1170ac53avboxsync> indicates that keyboard
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync input should be used. The secrecy of the generated key depends
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync entirely on this source: if the device or file supplies data that
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync is predictable or reused, the resulting key is predictable as well,
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync so only point this option at a genuinely random source.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>strength</I
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Specifies the strength value of the key. The strength is
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync a number between 0 and 15, and currently has no defined
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync purpose in DNSSEC.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Indicates the use of the key. <TT
0aa150e34ed49f14aaa37368c2e6999ec89e5f43vboxsyncCLASS="OPTION"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
b64d5de6949f62d8b70658f77d9f28f58b0d4668vboxsync is AUTHCONF. AUTH refers to the ability to authenticate
b64d5de6949f62d8b70658f77d9f28f58b0d4668vboxsync data, and CONF to the ability to encrypt data.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="REPLACEABLE"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> Sets the debugging level.
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsyncCLASS="REFSECT1"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncNAME="AEN129"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>GENERATED KEYS</H2
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="COMMAND"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>dnssec-keygen</B
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> completes successfully,
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync it prints a string of the form <TT
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="FILENAME"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>Knnnn.+aaa+iiiii</TT
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync to the standard output. This is an identification string for
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync the key it has generated. These strings can be used as arguments
10d739d22a5d5a13803f7e34de34de010099270cvboxsyncCLASS="COMMAND"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>dnssec-makekeyset</B
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="FILENAME"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> is the key name.
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="FILENAME"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> is the numeric representation of the
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="FILENAME"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> is the key identifier (or footprint).
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="COMMAND"
f2ffcc39cf4469a87fea28faf36a3918493bf7c1vboxsync>dnssec-keygen</B
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> creates two files, with names based
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync on the printed string. <TT
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="FILENAME"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync contains the public key, and
e41b10cedab46ca3ff69b2db87291a74ec1ddd61vboxsyncCLASS="FILENAME"
f2ffcc39cf4469a87fea28faf36a3918493bf7c1vboxsync> contains the private
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsyncCLASS="FILENAME"
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsync> file contains a DNS KEY record that
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsync can be inserted into a zone file (directly or with a $INCLUDE
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync statement).
f2ffcc39cf4469a87fea28faf36a3918493bf7c1vboxsyncCLASS="FILENAME"
b7c1d1e088392fc0698ab8732e2c24f54d92dcbdvboxsync>.private</TT
b7c1d1e088392fc0698ab8732e2c24f54d92dcbdvboxsync> file contains the algorithm-specific private key
b7c1d1e088392fc0698ab8732e2c24f54d92dcbdvboxsync fields. Because it holds the private key, this file is created
b7c1d1e088392fc0698ab8732e2c24f54d92dcbdvboxsync without general read permission; keep it that way, and never
b7c1d1e088392fc0698ab8732e2c24f54d92dcbdvboxsync insert or $INCLUDE it into a zone file. Only the public
b7c1d1e088392fc0698ab8732e2c24f54d92dcbdvboxsync key file is meant to be published.
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsyncCLASS="FILENAME"
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsyncCLASS="FILENAME"
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsync>.private</TT
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsync files are generated for symmetric algorithms such as
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsync HMAC-MD5, even though the public and private keys are equivalent.
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsync For such keys the so-called public key file therefore contains the
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsync shared secret itself: it must be protected like the private key
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsync file and must not be published in a zone.
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsyncCLASS="REFSECT1"
b79e4344bf4eb8033fd06d560cd864192728bd0bvboxsyncNAME="AEN156"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>EXAMPLE</H2
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> To generate a 768-bit DSA key for the domain
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="USERINPUT"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>, the following command would be
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="USERINPUT"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> The command would print a string of the form:
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="USERINPUT"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync> In this example, <B
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="COMMAND"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync>dnssec-keygen</B
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsync the files <TT
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="FILENAME"
922f46b2f42ccb05e3c9cba34bbd1d2c19e04120vboxsyncCLASS="FILENAME"