dnssec-keygen.html revision f8e3e03cacd16ffb923a9603fca23a9e1a1fee07
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - Copyright (C) 2004, 2005, 2007-2009 Internet Systems Consortium, Inc. ("ISC")
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - purpose with or without fee is hereby granted, provided that the above
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - copyright notice and this permission notice appear in all copies.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews - PERFORMANCE OF THIS SOFTWARE.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<!-- $Id: dnssec-keygen.html,v 1.40 2009/09/15 01:14:41 tbox Exp $ -->
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<p><span><strong class="command">dnssec-keygen</strong></span>
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews and RFC 4034. It can also generate keys for use with
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews (Transaction Key) as defined in RFC 2930.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews The <code class="option">name</code> of the key is specified on the command
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews line. For DNSSEC keys, this must match the name of the zone for
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews which the key is being generated.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews Selects the cryptographic algorithm. For DNSSEC keys, the value
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
cc51cd2d2076e33117c60c9effcb8caccde4983bWitold Krecicki HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
30370d905e9be3be7d9b947fd432bacecbb13bb9Evan Hunt case insensitive.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews If no algorithm is specified, then RSASHA1 will be used by
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews default, unless the <code class="option">-3</code> option is specified,
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews in which case NSEC3RSASHA1 will be used instead.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
cc51cd2d2076e33117c60c9effcb8caccde4983bWitold Krecicki automatically set the -T KEY option.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews Specifies the number of bits in the key. The choice of key
9f5443280fcfd625a06f63a1b457ed2335840278Mark Andrews size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
9f5443280fcfd625a06f63a1b457ed2335840278Mark Andrews between 512 and 2048 bits. Diffie Hellman keys must be between
9f5443280fcfd625a06f63a1b457ed2335840278Mark Andrews 128 and 4096 bits. DSA keys must be between 512 and 1024
9f5443280fcfd625a06f63a1b457ed2335840278Mark Andrews bits and an exact multiple of 64. HMAC-MD5 keys must be
9f5443280fcfd625a06f63a1b457ed2335840278Mark Andrews between 1 and 512 bits.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews The key size does not need to be specified if using a default
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews algorithm. The default key size is 1024 bits for zone signing
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews keys (ZSK's) and 2048 bits for key signing keys (KSK's,
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews generated with <code class="option">-f KSK</code>). However, if an
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews algorithm is explicitly specified with the <code class="option">-a</code>,
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews then there is no default key size, and the <code class="option">-b</code>
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews must be used.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews Specifies the owner type of the key. The value of
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews <code class="option">nametype</code> must either be ZONE (for a DNSSEC
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews a host (KEY)),
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews These values are case insensitive. Defaults to ZONE for DNSKEY
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews Use an NSEC3-capable algorithm to generate a DNSSEC key.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews If this option is used and no algorithm is explicitly
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews set on the command line, NSEC3RSASHA1 will be used by
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews Compatibility mode: generates an old-style key, without
cc51cd2d2076e33117c60c9effcb8caccde4983bWitold Krecicki any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews will include the key's creation date in the metadata stored
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews with the private key, and other dates may be set there as well
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews (publication date, activation date, etc). Keys that include
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews this data may be incompatible with older versions of BIND; the
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews <code class="option">-C</code> option suppresses them.
9f5443280fcfd625a06f63a1b457ed2335840278Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
9f5443280fcfd625a06f63a1b457ed2335840278Mark Andrews Indicates that the DNS record containing the key should have
9f5443280fcfd625a06f63a1b457ed2335840278Mark Andrews the specified class. If not specified, class IN is used.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews If generating an RSAMD5/RSASHA1 key, use a large exponent.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews Set the specified flag in the flag field of the KEY/DNSKEY record.
3b83676e079a799f97ad8b76c057e6ecb0426b1dMark Andrews The only recognized flags are KSK (Key Signing Key) and REVOKE.