man.dnssec-keygen.html revision 64affc54f96a2c71cbd10ed71e246ce0746259aa
<!--
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keygen.html,v 1.144 2009/11/03 21:58:30 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
 (Transaction Key) as defined in RFC 2930.
 The <code class="option">name</code> of the key is specified on the command
 line. For DNSSEC keys, this must match the name of the zone for
 which the key is being generated.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. For DNSSEC keys, the value
 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must
 be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
 HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
 case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 automatically set the -T KEY option.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits.
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with the <code class="option">-a</code> option,
 then there is no default key size, and the <code class="option">-b</code> option
 must be used.
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
<dt><span class="term">-3</span></dt>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default. Note that the RSASHA256 and RSASHA512 algorithms
 are NSEC3-capable.
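The algorithm, key-size and NSEC3 rules stated under -a, -b and -3 above, written out as a small POSIX sh checker. This is an added example, not part of the BIND manual or of dnssec-keygen itself; the helper names, the KSK/ZSK role argument and the zone name are made up for illustration, and the script only validates and prints the command line it would run.

```shell
#!/bin/sh
# Added example (not from the BIND manual): validates an algorithm/key-size
# pair against the limits this page states and prints the dnssec-keygen
# invocation it would run. Nothing here executes dnssec-keygen.
upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }   # values are case insensitive

# keysize_ok ALGORITHM BITS -> status 0 when BITS is legal for ALGORITHM (per -b)
keysize_ok() {
    algo=$(upper "$1"); bits=$2
    case $bits in ''|*[!0-9]*) return 1 ;; esac            # must be a positive integer
    case $algo in
        RSAMD5|RSASHA1|NSEC3RSASHA1|RSASHA256|RSASHA512)
            [ "$bits" -ge 512 ] && [ "$bits" -le 2048 ] ;;
        DSA|NSEC3DSA)
            [ "$bits" -ge 512 ] && [ "$bits" -le 1024 ] && [ $((bits % 64)) -eq 0 ] ;;
        DH)
            [ "$bits" -ge 128 ] && [ "$bits" -le 4096 ] ;;
        HMAC-MD5|HMAC-SHA1|HMAC-SHA224|HMAC-SHA256|HMAC-SHA384|HMAC-SHA512)
            [ "$bits" -ge 1 ] && [ "$bits" -le 512 ] ;;
        *) return 1 ;;
    esac
}

# nsec3_ok ALGORITHM -> status 0 when the algorithm may be combined with -3
nsec3_ok() {
    case $(upper "$1") in
        NSEC3RSASHA1|NSEC3DSA|RSASHA256|RSASHA512) return 0 ;;
        *) return 1 ;;
    esac
}

# keygen_cmd ZONE ROLE [ALGORITHM] [BITS] -> prints the command line, or fails
# when the page's rules are broken (explicit -a without -b, size out of range).
# ROLE is KSK or ZSK; with no -a the page's default algorithm and sizes apply.
keygen_cmd() {
    zone=$1; role=$2; algo=$3; bits=$4
    if [ -z "$algo" ]; then
        algo=RSASHA1                                   # default when -3 is not given
        if [ -z "$bits" ]; then
            if [ "$role" = KSK ]; then bits=2048; else bits=1024; fi
        fi
    elif [ -z "$bits" ]; then
        echo "error: -a $algo was given, so -b is required" >&2; return 1
    fi
    keysize_ok "$algo" "$bits" || { echo "error: $bits bits is out of range for $algo" >&2; return 1; }
    flag=''; [ "$role" = KSK ] && flag=' -f KSK'
    printf 'dnssec-keygen -a %s -b %s -n ZONE%s %s\n' "$algo" "$bits" "$flag" "$zone"
}
```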
<dt><span class="term">-C</span></dt>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored