man.dnssec-keygen.html revision 5a4557e8de2951a2796676b5ec4b6a90caa5be14
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<!--
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein - Copyright (C) 2000-2003 Internet Software Consortium.
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews -
1b06367c345e972a0c719a6e821db3e875f20c3bMark Andrews - Permission to use, copy, modify, and distribute this software for any
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews - purpose with or without fee is hereby granted, provided that the above
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews - copyright notice and this permission notice appear in all copies.
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews -
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews - PERFORMANCE OF THIS SOFTWARE.
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews-->
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews<!-- $Id: man.dnssec-keygen.html,v 1.2 2005/07/19 06:12:20 marka Exp $ -->
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews<html>
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews<head>
1b06367c345e972a0c719a6e821db3e875f20c3bMark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
26440aaebba1acb5c8810f7faa26ad3b7553762eMark Andrews<title>dnssec-keygen</title>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.68.1">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<link rel="prev" href="man.host.html" title="host">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews</head>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<div class="navheader">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<table width="100%" summary="Navigation header">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<tr>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<td width="20%" align="left">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<a accesskey="p" href="man.host.html">Prev</a>&nbsp;</td>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<th width="60%" align="center">Manual pages</th>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews</td>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews</tr>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews</table>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<hr>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews</div>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<div class="refentry" lang="en">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<div class="refnamediv">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<h2>Name</h2>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews</div>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<div class="refsynopsisdiv">
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<h2>Synopsis</h2>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews</div>
33d96fbbc8aa221508f3c780539bf44810fd2c9cMark Andrews<div class="refsect1" lang="en">
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews<a name="id2566269"></a><h2>DESCRIPTION</h2>
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews<p><span><strong class="command">dnssec-keygen</strong></span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and RFC &lt;TBA&gt;. It can also generate keys for use with
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein TSIG (Transaction Signatures), as defined in RFC 2845.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="refsect1" lang="en">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="id2566420"></a><h2>OPTIONS</h2>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="variablelist"><dl>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Selects the cryptographic algorithm. The value of
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein DSA, DH (Diffie Hellman), or HMAC-MD5. These values
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein are case insensitive.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
f5d30e2864e048a42c4dc1134993ae7efdb5d6c3Mark Andrews algorithm,
1b06367c345e972a0c719a6e821db3e875f20c3bMark Andrews and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Note 2: HMAC-MD5 and DH automatically set the -k flag.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the number of bits in the key. The choice of key
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein between
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein 512 and 2048 bits. Diffie Hellman keys must be between
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein 128 and 4096 bits. DSA keys must be between 512 and 1024
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein bits and an exact multiple of 64. HMAC-MD5 keys must be
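268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein between 1 and 512 bits. These are the limits the tool accepts
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein for each algorithm, not a recommendation of key strength.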
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the owner type of the key. The value of
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="option">nametype</code> must either be ZONE (for a DNSSEC
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein a host (KEY)),
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein These values are
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein case insensitive.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Indicates that the DNS record containing the key should have
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the specified class. If not specified, class IN is used.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-e</span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If generating an RSAMD5/RSASHA1 key, use a large exponent.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Set the specified flag in the flag field of the KEY/DNSKEY record.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The only recognized flag is KSK (Key Signing Key) DNSKEY.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein If generating a Diffie Hellman key, use this generator.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Allowed values are 2 and 5. If no generator
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is specified, a known prime from RFC 2539 will be used
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein if possible; otherwise the default is 2.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-h</span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Prints a short summary of the options and arguments to
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <span><strong class="command">dnssec-keygen</strong></span>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-k</span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Generate KEY records rather than DNSKEY records.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sets the protocol value for the generated key. The protocol
819fe493f97078521bb6b9a7b97583bef89f5abcMark Andrews is a number between 0 and 255. The default is 3 (DNSSEC).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Other possible values for this argument are listed in
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein RFC 2535 and its successors.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the source of randomness. If the operating
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein system does not provide a <code class="filename">/dev/random</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein or equivalent device, the default source of randomness
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is keyboard input. <code class="filename">randomdev</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein specifies
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the name of a character device or file containing random
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein data to be used instead of the default. The special value
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="filename">keyboard</code> indicates that keyboard
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein input should be used.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Specifies the strength value of the key. The strength is
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein a number between 0 and 15, and currently has no defined
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein purpose in DNSSEC.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Indicates the use of the key. <code class="option">type</code> must be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein is AUTHCONF. AUTH refers to the ability to authenticate
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein data, and CONF the ability to encrypt data.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<dd><p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Sets the debugging level.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></dd>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</dl></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="refsect1" lang="en">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="id2566695"></a><h2>GENERATED KEYS</h2>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein When <span><strong class="command">dnssec-keygen</strong></span> completes
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein successfully,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to the standard output. This is an identification string for
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the key it has generated. These strings can be used as arguments
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein to <span><strong class="command">dnssec-makekeyset</strong></span>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="itemizedlist"><ul type="disc">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<li><p><code class="filename">nnnn</code> is the key name.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></li>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<li><p><code class="filename">aaa</code> is the numeric representation
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein of the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein algorithm.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></li>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<li><p><code class="filename">iiiii</code> is the key identifier (or
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein footprint).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p></li>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</ul></div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p><span><strong class="command">dnssec-keygen</strong></span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein creates two files, with names based
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein contains the public key, and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein private
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein key.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The <code class="filename">.key</code> file contains a DNS KEY record
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein that
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein can be inserted into a zone file (directly or with a $INCLUDE
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein statement).
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The <code class="filename">.private</code> file contains algorithm
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein specific
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein fields. Because it holds the private key, this file does not have
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein general read permission.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein Both <code class="filename">.key</code> and <code class="filename">.private</code>
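268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein files are generated for symmetric encryption algorithms such as
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein HMAC-MD5, even though the public and private key are equivalent.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein In that case the <code class="filename">.key</code> file also holds the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein secret and needs the same protection as the
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="filename">.private</code> file.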
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="refsect1" lang="en">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="id2566808"></a><h2>EXAMPLE</h2>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein To generate a 768-bit DSA key for the domain
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <strong class="userinput"><code>example.com</code></strong>, the following command would be
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein issued:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein The command would print a string of the form:
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein the files <code class="filename">Kexample.com.+003+26160.key</code>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein and
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <code class="filename">Kexample.com.+003+26160.private</code>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="refsect1" lang="en">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="id2566865"></a><h2>SEE ALSO</h2>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="citetitle">RFC 2535</em>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="citetitle">RFC 2845</em>,
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein <em class="citetitle">RFC 2539</em>.
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="refsect1" lang="en">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a name="id2567032"></a><h2>AUTHOR</h2>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<p><span class="corpauthor">Internet Systems Consortium</span>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein </p>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<div class="navfooter">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<hr>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<table width="100%" summary="Navigation footer">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<tr>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td width="40%" align="left">
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<a accesskey="p" href="man.host.html">Prev</a>&nbsp;</td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</tr>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<tr>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td width="40%" align="left" valign="top">host&nbsp;</td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-signzone</span></td>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</tr>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</table>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</div>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</body>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein</html>
268a4475065fe6a8cd7cc707820982cf5e98f430Rob Austein