man.dnssec-keygen.html revision 2a31bd531072824ef252c18303859d6af7451b00
d29201dd5328b88140ce050100693c501852657dChristian Maeder<!--
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl - Copyright (C) 2000-2003 Internet Software Consortium.
a530dde7009b0a808300c420def741354a4d13d2Martin Kühl -
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl - Permission to use, copy, modify, and distribute this software for any
98890889ffb2e8f6f722b00e265a211f13b5a861Corneliu-Claudiu Prodescu - purpose with or without fee is hereby granted, provided that the above
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl - copyright notice and this permission notice appear in all copies.
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl -
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl - PERFORMANCE OF THIS SOFTWARE.
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl-->
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<!-- $Id: man.dnssec-keygen.html,v 1.68 2008/03/31 14:42:51 fdupont Exp $ -->
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<html>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<head>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco<title>dnssec-keygen</title>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl</head>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<div class="navheader">
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<table width="100%" summary="Navigation header">
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<tr>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<td width="20%" align="left">
<a accesskey="p" href="man.host.html">Prev</a>&#160;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&#160;<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl</td>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl</tr>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl</table>
0e9a56585859610db38a1f900d87ee8680ced4d0Martin Kühl<hr>
0e9a56585859610db38a1f900d87ee8680ced4d0Martin Kühl</div>
0e9a56585859610db38a1f900d87ee8680ced4d0Martin Kühl<div class="refentry" lang="en">
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<div class="refnamediv">
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<h2>Name</h2>
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
3f9cd04710597ee787032a371f33861640ab2abeAdrián Riesco</div>
521e1648b2c66064c41e9ac47bcd510356ed2355Adrián Riesco<div class="refsynopsisdiv">
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<h2>Synopsis</h2>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl</div>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<div class="refsect1" lang="en">
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<a name="id2598784"></a><h2>DESCRIPTION</h2>
521e1648b2c66064c41e9ac47bcd510356ed2355Adrián Riesco<p><span><strong class="command">dnssec-keygen</strong></span>
3f9cd04710597ee787032a371f33861640ab2abeAdrián Riesco generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
c71a28752b8269572ba1de2e2230bb97a4dde6eaMartin Kühl and RFC 4034. It can also generate keys for use with
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl TSIG (Transaction Signatures), as defined in RFC 2845.
6858f9c9c8b077b2b574a9f30753cf5fec8124d6Martin Kühl </p>
c71a28752b8269572ba1de2e2230bb97a4dde6eaMartin Kühl</div>
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl<div class="refsect1" lang="en">
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco<a name="id2598797"></a><h2>OPTIONS</h2>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<div class="variablelist"><dl>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
e368ae35ce99348be3de4181acd7a6f4ce03fe0cChristian Maeder<dd>
d414874e167a775b151450f9fd340a6015d9bbe7Martin Kühl<p>
b92e4eba198fcbffab302375b6c3527a8492bc66Adrián Riesco Selects the cryptographic algorithm. The value of
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl DSA, DH (Diffie Hellman), or HMAC-MD5. These values
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl are case insensitive.
6858f9c9c8b077b2b574a9f30753cf5fec8124d6Martin Kühl </p>
<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
 These requirements are those of the RFCs cited on this page; later
 DNSSEC and TSIG algorithm guidance deprecates RSAMD5, DSA and HMAC-MD5.
 </p>
b22baa863f0a8bd4ac32a3e5fa7b476fc5aa78fdMartin Kühl<p>
93da827a79b9d7122ed9bb5636a62bae43565b21Adrián Riesco Note 2: HMAC-MD5 and DH automatically set the -k flag.
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco </p>
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl</dd>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<dd><p>
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl Specifies the number of bits in the key. The choice of key
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco between
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl 512 and 2048 bits. Diffie Hellman keys must be between
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl 128 and 4096 bits. DSA keys must be between 512 and 1024
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco bits and an exact multiple of 64. HMAC-MD5 keys must be
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco between 1 and 512 bits.
b92e4eba198fcbffab302375b6c3527a8492bc66Adrián Riesco </p></dd>
b92e4eba198fcbffab302375b6c3527a8492bc66Adrián Riesco<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<dd><p>
70bd0fbf318b8bb489b20fe8197469afc55dddb5Martin Kühl Specifies the owner type of the key. The value of
b92e4eba198fcbffab302375b6c3527a8492bc66Adrián Riesco <code class="option">nametype</code> must either be ZONE (for a DNSSEC
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
e368ae35ce99348be3de4181acd7a6f4ce03fe0cChristian Maeder These values are case insensitive. Defaults to ZONE for DNSKEY
e368ae35ce99348be3de4181acd7a6f4ce03fe0cChristian Maeder generation.
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco </p></dd>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<dd><p>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl Indicates that the DNS record containing the key should have
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl the specified class. If not specified, class IN is used.
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl </p></dd>
a0d0f20cd1636b14a0382c4820e99856fd9ed6a1Christian Maeder<dt><span class="term">-e</span></dt>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<dd><p>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco If generating an RSAMD5/RSASHA1 key, use a large exponent.
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl </p></dd>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<dd><p>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl Set the specified flag in the flag field of the KEY/DNSKEY record.
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl The only recognized flag is KSK (Key Signing Key) DNSKEY.
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl </p></dd>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<dd><p>
c6a4f949f2a9da476c80399fb061020937255f87Adrián Riesco If generating a Diffie Hellman key, use this generator.
c6a4f949f2a9da476c80399fb061020937255f87Adrián Riesco Allowed values are 2 and 5. If no generator
c6a4f949f2a9da476c80399fb061020937255f87Adrián Riesco is specified, a known prime from RFC 2539 will be used
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl if possible; otherwise the default is 2.
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl </p></dd>
70bd0fbf318b8bb489b20fe8197469afc55dddb5Martin Kühl<dt><span class="term">-h</span></dt>
70bd0fbf318b8bb489b20fe8197469afc55dddb5Martin Kühl<dd><p>
70bd0fbf318b8bb489b20fe8197469afc55dddb5Martin Kühl Prints a short summary of the options and arguments to
70bd0fbf318b8bb489b20fe8197469afc55dddb5Martin Kühl <span><strong class="command">dnssec-keygen</strong></span>.
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl </p></dd>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<dt><span class="term">-k</span></dt>
50f20e59ae4e2eade016bce32b6aa609a7320f92Martin Kühl<dd><p>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco Generate KEY records rather than DNSKEY records.
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco </p></dd>
e37cb7bdd94eb318ed94100be0083bf96f5ad58dMartin Kühl<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<dd><p>
70bd0fbf318b8bb489b20fe8197469afc55dddb5Martin Kühl Sets the protocol value for the generated key. The protocol
70bd0fbf318b8bb489b20fe8197469afc55dddb5Martin Kühl is a number between 0 and 255. The default is 3 (DNSSEC).
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco Other possible values for this argument are listed in
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco RFC 2535 and its successors.
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco </p></dd>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
70bd0fbf318b8bb489b20fe8197469afc55dddb5Martin Kühl<dd><p>
2f6481f1527d705d769b74357c19ac085aaeefcbMartin Kühl Specifies the source of randomness. If the operating
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl system does not provide a <code class="filename">/dev/random</code>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl or equivalent device, the default source of randomness
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl is keyboard input. <code class="filename">randomdev</code>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl specifies
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl the name of a character device or file containing random
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl data to be used instead of the default. The special value
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl <code class="filename">keyboard</code> indicates that keyboard
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl input should be used.
b22baa863f0a8bd4ac32a3e5fa7b476fc5aa78fdMartin Kühl </p></dd>
e37cb7bdd94eb318ed94100be0083bf96f5ad58dMartin Kühl<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<dd><p>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl Specifies the strength value of the key. The strength is
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl a number between 0 and 15, and currently has no defined
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl purpose in DNSSEC.
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl </p></dd>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
70bd0fbf318b8bb489b20fe8197469afc55dddb5Martin Kühl<dd><p>
6858f9c9c8b077b2b574a9f30753cf5fec8124d6Martin Kühl Indicates the use of the key. <code class="option">type</code> must be
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl is AUTHCONF. AUTH refers to the ability to authenticate
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl data, and CONF the ability to encrypt data.
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco </p></dd>
83b80d9c465649188db1a116d0129907648a7dddMartin Kühl<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco<dd><p>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco Sets the debugging level.
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco </p></dd>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco</dl></div>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco</div>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco<div class="refsect1" lang="en">
83b80d9c465649188db1a116d0129907648a7dddMartin Kühl<a name="id2599209"></a><h2>GENERATED KEYS</h2>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<p>
010997ddd12186698c1ebdbcddb63a670552b3c2Adrián Riesco When <span><strong class="command">dnssec-keygen</strong></span> completes
51ef113b2ff1b5d60747eaaa18e46d7e6ec1af0eMartin Kühl successfully,
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco to the standard output. This is an identification string for
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl the key it has generated.
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl </p>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<div class="itemizedlist"><ul type="disc">
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco<li><p><code class="filename">nnnn</code> is the key name.
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco </p></li>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco<li><p><code class="filename">aaa</code> is the numeric representation
48cb672713e44fe5e1e3a36f4ccef9adefcd16eeMartin Kühl of the
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco algorithm.
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco </p></li>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco<li><p><code class="filename">iiiii</code> is the key identifier (or
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco footprint).
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco </p></li>
48cb672713e44fe5e1e3a36f4ccef9adefcd16eeMartin Kühl</ul></div>
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl<p><span><strong class="command">dnssec-keygen</strong></span>
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco creates two files, with names based
fb653dc55429d3d3a40034b38c0f39455fda0df0Adrián Riesco on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco contains the public key, and
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco private
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco key.
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco </p>
fb653dc55429d3d3a40034b38c0f39455fda0df0Adrián Riesco<p>
fb653dc55429d3d3a40034b38c0f39455fda0df0Adrián Riesco The <code class="filename">.key</code> file contains a DNS KEY record
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco that
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco can be inserted into a zone file (directly or with a $INCLUDE
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco statement).
51c15129e8118fed5c33c334f8df82619ce98e7dAdrián Riesco </p>
<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific fields. Because it holds the private key,
 this file does not have general read permission.
 </p>
<p>
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric (shared-secret) algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
 In that case the <code class="filename">.key</code> file holds the same
 secret as the <code class="filename">.private</code> file and needs the
 same protection.
 </p>
422f43a546b80525e427c1356119621f35f67849Martin Kühl</div>
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco<div class="refsect1" lang="en">
6d498b6f56ed9f71cced898b6c42fb48f6e60583Adrián Riesco<a name="id2600887"></a><h2>EXAMPLE</h2>
422f43a546b80525e427c1356119621f35f67849Martin Kühl<p>
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl To generate a 768-bit DSA key for the domain
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco <strong class="userinput"><code>example.com</code></strong>, the following command would be
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco issued:
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco </p>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco </p>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<p>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco The command would print a string of the form:
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco </p>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco </p>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<p>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco the files <code class="filename">Kexample.com.+003+26160.key</code>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco and
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco <code class="filename">Kexample.com.+003+26160.private</code>.
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco </p>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco</div>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<div class="refsect1" lang="en">
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<a name="id2600944"></a><h2>SEE ALSO</h2>
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
6f6549c13f912de12345850e4eb248ec358c1b43Adrián Riesco <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl <em class="citetitle">RFC 2535</em>,
c16df5c92199d028209a457ef30eb1a92fb65297Martin Kühl <em class="citetitle">RFC 2845</em>,
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl <em class="citetitle">RFC 2539</em>.
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl </p>
af800116e86bc5f3273a0976588b9575fb6e9616Martin Kühl</div>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<div class="refsect1" lang="en">
af800116e86bc5f3273a0976588b9575fb6e9616Martin Kühl<a name="id2601316"></a><h2>AUTHOR</h2>
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl<p><span class="corpauthor">Internet Systems Consortium</span>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl </p>
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl</div>
af800116e86bc5f3273a0976588b9575fb6e9616Martin Kühl</div>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<div class="navfooter">
af800116e86bc5f3273a0976588b9575fb6e9616Martin Kühl<hr>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl<table width="100%" summary="Navigation footer">
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<tr>
af800116e86bc5f3273a0976588b9575fb6e9616Martin Kühl<td width="40%" align="left">
<a accesskey="p" href="man.host.html">Prev</a>&#160;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&#160;<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl</td>
fcadaf714fe201d7ceeacd7ddf9507ef6e68a8aaAdrián Riesco</tr>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl<tr>
<td width="40%" align="left" valign="top">host&#160;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&#160;<span class="application">dnssec-signzone</span>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl</td>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl</tr>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl</table>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl</div>
8d9ff304e4ec23e883f4ed22b95e054d80c7fd70Martin Kühl</body>
18328fcbfe4296582227d42fdcf363f5a0fb8921Martin Kühl</html>
3c8734f5b76d06ed1eae114c67e77066acb6a40bMartin Kühl