dnssec-keygen.html revision e76f11373900958f6f248d286079d4a525db4f4e
<!--
 - Copyright (C) 2004, 2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
 (Transaction Key) as defined in RFC 2930.
 </p>
<p>
 The <code class="option">name</code> of the key is specified on the command
 line. For DNSSEC keys, this must match the name of the zone for
 which the key is being generated.
 </p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
 Selects the cryptographic algorithm. For DNSSEC keys, the value
 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256 or ECDSAP384SHA384.
 For TSIG/TKEY, the value must
 be DH (Diffie-Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
 HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
 case insensitive.
 </p>
<p>
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 </p>
<p>
 Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 mandatory.
 </p>
<p>
 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 automatically set the <code class="option">-T KEY</code> option.
 </p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie-Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits. Elliptic curve algorithms don't need
 this parameter.
 </p>
<p>
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with the <code class="option">-a</code> option,
 then there is no default key size, and the <code class="option">-b</code> option
 must be used.
 </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)),
 or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
 generation.
 </p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default. Note that the RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
 are NSEC3-capable.
 </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
 </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
 Specifies the cryptographic hardware to use, when applicable.
 </p>
<p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware security
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 </p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
 </p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with <code class="option">-P</code> and <code class="option">-A</code>.
 </p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
 If generating a Diffie-Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span class="command"><strong>dnssec-keygen</strong></span>.
 </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to be written.
 </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Deprecated in favor of <code class="option">-T KEY</code>.
 </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. If this value is not set and there
 is no existing DNSKEY RRset, the TTL will default to the
 SOA TTL. Setting the default TTL to <code class="literal">0</code>
 or <code class="literal">none</code> is the same as leaving it unset.
 </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
 </p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
 Quiet mode: suppresses unnecessary output, including
 progress indication. Without this option, when
 <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
 to generate an RSA or DSA key pair, it will print a string
 of symbols to <code class="filename">stderr</code> indicating the
 progress of the key generation. A '.' indicates that a
 random number has been found which passed an initial
 sieve test; '+' means a number has passed a single
 round of the Miller-Rabin primality test; a space
 means that the number has passed all the tests and is
 a satisfactory key.
 </p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
 </p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Create a new key which is an explicit successor to an
 existing key. The name, algorithm, size, and type of the
 key will be set to match the existing key. The activation
 date of the new key will be set to the inactivation date of
 the existing one. The publication date will be set to the
 activation date minus the prepublication interval, which
 defaults to 30 days.
 </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
 </p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
 Specifies the resource record type to use for the key.
 <code class="option">rrtype</code> must be either DNSKEY or KEY. The
 default is DNSKEY when using a DNSSEC algorithm, but it can be
 overridden to KEY for use with SIG(0).
 </p>
<p>
 Using any TSIG algorithm (HMAC-* or DH) forces this option
 to KEY.
 </p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
 </p></dd>
</dl></div>
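<p>
 The following is an added example; it is not part of this manual page
 or of <span class="command"><strong>dnssec-keygen</strong></span> itself.
 It is a stand-alone Python model of the rules above for
 <code class="option">-a</code>, <code class="option">-b</code>,
 <code class="option">-3</code>, <code class="option">-f KSK</code> and
 <code class="option">-T</code>, so that a planned key-generation command
 can be checked (algorithm name, key-size limits, NSEC3 compatibility,
 the missing <code class="option">-b</code> when <code class="option">-a</code>
 is given, and the KEY type forced by TSIG algorithms) before it is run.
 The function names <code class="function">plan_keygen</code>,
 <code class="function">violation</code> and
 <code class="function">keygen_argv</code> are this example's own; the
 ranges and defaults are the ones the manual states.
</p>

```python
"""Added example, not part of BIND or dnssec-keygen: a model of the
-a / -b / -3 / -f KSK / -T rules from the dnssec-keygen manual page."""

DNSSEC_ALGORITHMS = {
    "RSAMD5", "RSASHA1", "DSA", "NSEC3RSASHA1", "NSEC3DSA", "RSASHA256",
    "RSASHA512", "ECCGOST", "ECDSAP256SHA256", "ECDSAP384SHA384",
}
TSIG_ALGORITHMS = {
    "DH", "HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224", "HMAC-SHA256",
    "HMAC-SHA384", "HMAC-SHA512",
}
# Algorithms the manual lists as NSEC3-capable (used for the -3 check).
NSEC3_CAPABLE = {
    "NSEC3RSASHA1", "NSEC3DSA", "RSASHA256", "RSASHA512", "ECCGOST",
    "ECDSAP256SHA256", "ECDSAP384SHA384",
}
# Elliptic-curve algorithms: -b is not needed, so no size check applies.
ELLIPTIC = {"ECCGOST", "ECDSAP256SHA256", "ECDSAP384SHA384"}


def _size_ok(algorithm, bits):
    """Apply the per-family key-size limits from the -b description."""
    if algorithm in ELLIPTIC:
        return True
    if algorithm == "DH":
        return 128 <= bits <= 4096
    if algorithm.startswith("HMAC-"):
        return 1 <= bits <= 512
    if algorithm in ("DSA", "NSEC3DSA"):
        return 512 <= bits <= 1024 and bits % 64 == 0
    # Everything else in the lists above is an RSA variant.
    return 512 <= bits <= 2048


def plan_keygen(algorithm=None, keysize=None, nsec3=False, ksk=False, rrtype=None):
    """Resolve the effective algorithm, key size and RR type for one run,
    or raise ValueError naming the rule that was violated."""
    explicit = algorithm is not None
    if explicit:
        algorithm = algorithm.upper()            # values are case insensitive
        if algorithm not in DNSSEC_ALGORITHMS | TSIG_ALGORITHMS:
            raise ValueError("unknown algorithm %s" % algorithm)
        if nsec3 and algorithm not in NSEC3_CAPABLE:
            raise ValueError("%s is not NSEC3-capable" % algorithm)
    else:
        algorithm = "NSEC3RSASHA1" if nsec3 else "RSASHA1"

    is_tsig = algorithm in TSIG_ALGORITHMS
    if rrtype is None:
        rrtype = "KEY" if is_tsig else "DNSKEY"   # Note 2 under -a
    else:
        rrtype = rrtype.upper()
        if rrtype not in ("DNSKEY", "KEY"):
            raise ValueError("rrtype must be DNSKEY or KEY")
        if is_tsig and rrtype != "KEY":
            raise ValueError("TSIG/TKEY algorithms force -T KEY")

    if keysize is None:
        if explicit and algorithm not in ELLIPTIC:
            raise ValueError("-b is required when -a is given")
        if not explicit:
            keysize = 2048 if ksk else 1024      # default KSK / ZSK sizes
    elif not _size_ok(algorithm, keysize):
        raise ValueError("invalid key size %d for %s" % (keysize, algorithm))

    return {"algorithm": algorithm, "keysize": keysize, "rrtype": rrtype}


def violation(**opts):
    """Return the rule text a plan violates, or None when it is valid."""
    try:
        plan_keygen(**opts)
    except ValueError as exc:
        return str(exc)
    return None


def keygen_argv(name, **opts):
    """Render a valid plan as the dnssec-keygen argument list for review."""
    plan = plan_keygen(**opts)
    argv = ["dnssec-keygen", "-a", plan["algorithm"]]
    if plan["keysize"] is not None:
        argv += ["-b", str(plan["keysize"])]
    if opts.get("ksk"):
        argv += ["-f", "KSK"]
    argv += ["-T", plan["rrtype"], name]
    return argv


if __name__ == "__main__":
    print(keygen_argv("example.com.", ksk=True))
    print(violation(algorithm="RSAMD5", keysize=1024, nsec3=True))
```

<p>
 Calling <code class="function">keygen_argv("example.com.", ksk=True)</code>
 yields the default-algorithm KSK command line (RSASHA1, 2048 bits, DNSKEY),
 while <code class="function">violation(algorithm="RSAMD5", keysize=1024, nsec3=True)</code>
 reports the NSEC3 incompatibility the manual says <code class="option">-3</code>
 checks for.
</p>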
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To explicitly prevent a date from being
 set, use 'none' or 'never'.
 </p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the <code class="option">-G</code> option has
 not been used, the default is "now".
 </p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which CDS and CDNSKEY records that match this
 key are to be published to the zone.
 </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the <code class="option">-G</code> option has not been used, the
 default is "now". If set, and <code class="option">-P</code> is not set, then
 the publication date will be set to the activation date
 minus the prepublication interval.
 </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
 </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
 </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
 </p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the CDS and CDNSKEY records that match this
 key are to be deleted.
 </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
 Sets the prepublication interval for a key. If set, then
 the publication and activation dates must be separated by at least
 this much time. If the activation date is specified but the
 publication date isn't, then the publication date will default
 to this much time before the activation date; conversely, if
 the publication date is specified but the activation date isn't,
 then activation will be set to this much time after publication.
 </p>
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence<p>
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence If the key is being created as an explicit successor to another
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence key, then the default prepublication interval is 30 days;
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence otherwise it is zero.
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence </p>
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence<p>
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence As with date offsets, if the argument is followed by one of
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence interval is measured in years, months, weeks, days, hours,
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence or minutes, respectively. Without a suffix, the interval is
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence measured in seconds.
df3c4c7988b9bae7d121a8ac9ed17a23366a948dDavid Lawrence </p>
ae4cbb69eef32ced103fe4561e8d2031ee4c3497David Lawrence</dd>
289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews</dl></div>
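<p>
 As an added illustration of the -P, -A and -i rules above (example code
 written for this page, not part of BIND), the following Python applies the
 interval suffixes and the publication/activation defaulting rules to Unix
 timestamps. It assumes a year of 365 days and a month of 30 days, which the
 page does not state, and does not model the -G option.
 </p>

```python
import time

# Unit multipliers for the suffixes listed on the page.  Assumption (not stated
# on the page): a year counts as 365 days and a month as 30 days.
_SUFFIX_SECONDS = {
    "y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
    "d": 86400, "h": 3600, "mi": 60, "": 1,
}

def parse_interval(text):
    """Return an -i style interval in seconds; a bare number means seconds."""
    text = text.strip().lower()
    for suffix in ("mo", "mi", "y", "w", "d", "h", ""):
        digits = text[: len(text) - len(suffix)]
        if text.endswith(suffix) and digits.isdigit():
            return int(digits) * _SUFFIX_SECONDS[suffix]
    raise ValueError("bad interval: %r" % text)

def prepublication_ok(publish, activate, interval):
    """The -i rule: publication must precede activation by at least interval."""
    return activate - publish >= interval

def derive_timing(publish=None, activate=None, interval=None,
                  successor=False, now=None):
    """Apply the -P / -A / -i defaulting rules to Unix timestamps and return
    (publish, activate).  Raises ValueError if an explicit pair is too close."""
    if now is None:
        now = int(time.time())
    if interval is None:
        # Page: 30 days when the key is an explicit successor, else zero.
        interval = 30 * 86400 if successor else 0
    if publish is None and activate is None:
        activate = now                    # -A defaults to "now" (-G not modelled)
    if publish is None:
        publish = activate - interval     # -A given, -P missing
    elif activate is None:
        activate = publish + interval     # -P given, -A missing
    if not prepublication_ok(publish, activate, interval):
        raise ValueError("publication and activation dates must be at least "
                         "%d seconds apart" % interval)
    return publish, activate
```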
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>GENERATED KEYS</h2>
<p>
 When <span class="command"><strong>dnssec-keygen</strong></span> completes
 successfully, it prints a string of the form
 <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
 </p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
 </p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
 of the algorithm.
 </p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
 footprint).
 </p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 private key.
 </p>
<p>
 The <code class="filename">.key</code> file contains a DNSKEY record
 that can be inserted into a zone file (directly or with a $INCLUDE
 statement).
 </p>
<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific fields. For obvious security reasons, this file
 does not have general read permission.
 </p>
<p>
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric cryptography algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
 </p>
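<p>
 An added check (example code for this page, not BIND's own) that ties the
 identification string to the files it names: it parses
 <code class="filename">Knnnn.+aaa+iiiii</code>, recomputes the key tag from
 the DNSKEY record in the <code class="filename">.key</code> file with the
 RFC 4034 Appendix B algorithm, and verifies that the
 <code class="filename">.private</code> file mode is not group- or
 world-readable. The DNSKEY line, the key bytes and the resulting tag 5144
 are constructed for the example and do not come from the page.
 </p>

```python
import base64
import re
import stat

# Knnnn.+aaa+iiiii: key name, 3-digit algorithm number, 5-digit key tag.
_KEY_ID = re.compile(r"^K(?P<name>.+?)\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")

# Constructed sample (not from the page): KSK flags 257, protocol 3, DSA (3),
# with placeholder key bytes 01..08 so the tag can be worked by hand.
SAMPLE_LINE = "example.com. IN DNSKEY 257 3 3 AQIDBAUGBwg="
SAMPLE_ID = "Kexample.com.+003+05144"

def parse_key_id(key_id):
    """Split the string printed by dnssec-keygen into its parts and the
    two file names derived from it."""
    m = _KEY_ID.match(key_id)
    if not m:
        raise ValueError("not a dnssec-keygen key id: %r" % key_id)
    return {"name": m["name"], "algorithm": int(m["alg"]), "tag": int(m["tag"]),
            "public_file": key_id + ".key", "private_file": key_id + ".private"}

def dnskey_rdata(line):
    """Wire-format RDATA from a .key file line:
    '<owner> [TTL] IN DNSKEY <flags> <protocol> <algorithm> <base64...>'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey

def key_tag(rdata):
    """RFC 4034 Appendix B key tag (footprint); algorithm 1 (RSA/MD5) uses a
    different rule and is not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_file_matches_id(key_id, dnskey_line):
    """True if the .key file's algorithm and key tag agree with its name."""
    info = parse_key_id(key_id)
    rdata = dnskey_rdata(dnskey_line)
    return rdata[3] == info["algorithm"] and key_tag(rdata) == info["tag"]

def private_file_mode_ok(mode):
    """The .private file must not be readable by group or others (st_mode)."""
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0
```

Pass <code>os.stat(info["private_file"]).st_mode</code> to <code>private_file_mode_ok</code> to apply the permission check to a real key repository.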
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>EXAMPLE</h2>
<p>
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
 issued:
 </p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
 </p>
<p>
 The command would print a string of the form:
 </p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 </p>
<p>
 In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code>
 and
 <code class="filename">Kexample.com.+003+26160.private</code>.
 </p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 2539</em>,
 <em class="citetitle">RFC 2845</em>,
 <em class="citetitle">RFC 4034</em>.
 </p>
</div>
</div></body>
</html>
