dnssec-keygen.html revision e21a2904f02a03fa06b6db04d348f65fe9c67b2b
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-keygen.html,v 1.26 2006/12/12 01:45:20 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC <TBA\>. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA), RSASHA1,
 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
 are case insensitive.
 Note 1: for DNSSEC, RSASHA1 is mandatory to implement
 and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are
 case insensitive.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-e</span></dt>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key) DNSKEY.
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-k</span></dt>
 Generate KEY records rather than DNSKEY records.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
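<p>The -a and -b rules above, applied in code: an added example, not part of BIND or of this manual page, with a function name of my own choosing. It checks a requested key size against the per-algorithm limits listed above and reflects Note 2 (HMAC-MD5 and DH imply -k).</p>

```python
# Added example (not BIND code): checks an -a/-b combination against the
# per-algorithm key size limits this manual page gives.
# RSAMD5/RSASHA1 512..2048, DH 128..4096, DSA 512..1024 and a multiple
# of 64, HMAC-MD5 1..512. Algorithm names are case insensitive.

KEYSIZE_LIMITS = {
    "RSAMD5":   (512, 2048),
    "RSASHA1":  (512, 2048),
    "DH":       (128, 4096),
    "DSA":      (512, 1024),
    "HMAC-MD5": (1, 512),
}

# Per Note 2 on this page, these two algorithms automatically set -k.
IMPLIES_KEY_RECORD = {"HMAC-MD5", "DH"}


def check_keygen_args(algorithm, keysize, key_record=False):
    """Return (ok, message, key_record) for an -a/-b combination.

    key_record mirrors the -k flag; it is switched on automatically for
    HMAC-MD5 and DH, as the page notes.
    """
    alg = algorithm.upper()
    if alg not in KEYSIZE_LIMITS:
        return False, "unknown algorithm %r" % algorithm, key_record
    lo, hi = KEYSIZE_LIMITS[alg]
    if not isinstance(keysize, int) or not (lo <= keysize <= hi):
        msg = "%s keys must be between %d and %d bits" % (alg, lo, hi)
        return False, msg, key_record
    if alg == "DSA" and keysize % 64 != 0:
        return False, "DSA keys must be an exact multiple of 64 bits", key_record
    if alg in IMPLIES_KEY_RECORD:
        key_record = True
    return True, "ok", key_record


if __name__ == "__main__":
    # The page's own example: a 768-bit DSA zone key.
    print(check_keygen_args("DSA", 768))
    # Too short for RSASHA1, and a DSA size that is not a multiple of 64.
    print(check_keygen_args("rsasha1", 256))
    print(check_keygen_args("DSA", 700))
```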
<a name="id2544007"></a><h2>GENERATED KEYS</h2>
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
<li><p><code class="filename">nnnn</code> is the key name.
<li><p><code class="filename">aaa</code> is the numeric representation
<li><p><code class="filename">iiiii</code> is the key identifier (or
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 The <code class="filename">.key</code> file contains a DNS KEY record
 can be inserted into a zone file (directly or with a $INCLUDE
 The <code class="filename">.private</code> file contains algorithm
 fields. For obvious security reasons, this file does not have
 general read permission.
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for a symmetric algorithm such as
 HMAC-MD5, even though the public and private keys are equivalent.
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
 The command would print a string of the form:
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code>
 <code class="filename">Kexample.com.+003+26160.private</code>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>
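<p>Parsing the identification string described under GENERATED KEYS, using the example string above, together with a check that the matching <code class="filename">.private</code> file carries no group or other permission bits, as the page says it must not. This is an added example, not BIND's code; the function names are mine, and the algorithm-number table assumes the values from RFC 4034 Appendix A plus the number BIND uses for HMAC-MD5.</p>

```python
import os
import re
import stat

# Added example (not BIND code): parse the Knnnn.+aaa+iiiii identification
# string this page describes, map the algorithm number to its -a name, and
# check that the .private file is not readable by group or others.

# Algorithm numbers assumed from RFC 4034 Appendix A; 157 is the number
# BIND uses for HMAC-MD5. The page's own example pairs 003 with DSA.
ALGORITHM_NAMES = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 157: "HMAC-MD5"}

KEY_ID_RE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})$")


def parse_key_id(key_id):
    """Split 'Kexample.com.+003+26160' into name, algorithm and footprint."""
    m = KEY_ID_RE.match(key_id)
    if m is None:
        raise ValueError("not a dnssec-keygen identification string: %r" % key_id)
    alg = int(m.group("alg"))
    return {
        "name": m.group("name"),                  # nnnn
        "algorithm": alg,                         # aaa
        "algorithm_name": ALGORITHM_NAMES.get(alg, "unknown"),
        "footprint": int(m.group("id")),          # iiiii
        "public_file": key_id + ".key",
        "private_file": key_id + ".private",
    }


def exposed_mode(mode):
    """True if a file mode grants any permission to group or others."""
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def private_key_exposed(path):
    """True if the .private file at path has general read/write/exec bits."""
    return exposed_mode(stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    print(parse_key_id("Kexample.com.+003+26160"))
    print("0644 exposes the key:", exposed_mode(0o644))
    print("0600 keeps it private:", exposed_mode(0o600))
```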