man.dnssec-keygen.html revision 8ec3c085233cedb22b05da36e2773c8f357a7e45
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: man.dnssec-keygen.html,v 1.133 2009/10/06 01:14:41 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
 (Transaction Key) as defined in RFC 2930.
 The <code class="option">name</code> of the key is specified on the command
 line. For DNSSEC keys, this must match the name of the zone for
 which the key is being generated.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. For DNSSEC keys, the value
 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must
 be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
 HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
 case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead.
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 automatically set the -T KEY option.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with the <code class="option">-a</code> option,
 then there is no default key size, and <code class="option">-b</code>
 must be used.
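As an added illustration (not BIND's own code), the following Python pre-flight check applies the <code class="option">-a</code> defaults and <code class="option">-b</code> size rules stated above before a key is generated, and builds the matching command line. It assumes the NSEC3 variants share their base algorithm's size limits; HMAC-SHA* sizes are not checked because the page gives no limits for them.

```python
# Added example, not part of BIND: validate a planned dnssec-keygen invocation
# against the algorithm and key-size rules given in this man page.

DNSSEC_ALGORITHMS = {"RSAMD5", "RSASHA1", "DSA", "NSEC3RSASHA1", "NSEC3DSA"}
TSIG_ALGORITHMS = {"DH", "HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224",
                   "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512"}

# (minimum bits, maximum bits, required multiple), from the -b description.
# Assumption: the NSEC3 variants share the limits of their base algorithm.
# The page states no limits for HMAC-SHA*, so those sizes are not checked.
KEYSIZE_LIMITS = {
    "RSAMD5": (512, 2048, 1),
    "RSASHA1": (512, 2048, 1),
    "NSEC3RSASHA1": (512, 2048, 1),
    "DH": (128, 4096, 1),
    "DSA": (512, 1024, 64),
    "NSEC3DSA": (512, 1024, 64),
    "HMAC-MD5": (1, 512, 1),
}


def plan_key(name, algorithm=None, keysize=None, nsec3=False, ksk=False):
    """Resolve algorithm, key size and record type the way the man page says
    dnssec-keygen does. Returns (algorithm, keysize, rrtype) or raises."""
    if algorithm is None:
        # No -a: RSASHA1 by default, NSEC3RSASHA1 with -3, and a default size
        # of 1024 bits for a ZSK or 2048 bits for a KSK (-f KSK).
        algorithm = "NSEC3RSASHA1" if nsec3 else "RSASHA1"
        if keysize is None:
            keysize = 2048 if ksk else 1024
    else:
        algorithm = algorithm.upper()  # algorithm names are case insensitive
        if algorithm not in DNSSEC_ALGORITHMS | TSIG_ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm}")
        if keysize is None:
            # With an explicit -a there is no default size; -b is required.
            raise ValueError("-b keysize must be given when -a is specified")
    if algorithm in KEYSIZE_LIMITS:
        lo, hi, step = KEYSIZE_LIMITS[algorithm]
        if not (lo <= keysize <= hi) or keysize % step:
            raise ValueError(
                f"{algorithm} keys must be {lo}-{hi} bits"
                + (f" and a multiple of {step}" if step > 1 else ""))
    # DH and the HMAC algorithms automatically set -T KEY (Note 2 under -a).
    rrtype = "KEY" if algorithm in TSIG_ALGORITHMS else "DNSKEY"
    return algorithm, keysize, rrtype


def keygen_argv(name, algorithm=None, keysize=None, nsec3=False, ksk=False,
                nametype="ZONE"):
    """Build the dnssec-keygen command line for a checked plan. The resolved
    -a and -b are always passed explicitly so the invocation does not depend
    on the defaults of whichever version is installed."""
    alg, bits, _ = plan_key(name, algorithm, keysize, nsec3, ksk)
    argv = ["dnssec-keygen", "-a", alg, "-b", str(bits), "-n", nametype]
    if ksk:
        argv += ["-f", "KSK"]
    return argv + [name]


if __name__ == "__main__":
    # The man page's own example: a 768-bit DSA zone key for example.com.
    print(" ".join(keygen_argv("example.com", "DSA", 768)))
```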
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
<dt><span class="term">-3</span></dt>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
<dt><span class="term">-C</span></dt>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 Uses crypto hardware (an OpenSSL engine) for random number
 generation and, when supported, key generation. When compiled with PKCS#11
 support it defaults to pkcs11; the empty name resets it to
<dt><span class="term">-e</span></dt>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
<dt><span class="term">-G</span></dt>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
 Deprecated in favor of -T KEY.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
 Specifies the resource record type to use for the key.
 <code class="option">rrtype</code> must be either DNSKEY or KEY. The
 default is DNSKEY when using a DNSSEC algorithm, but it can be
 overridden to KEY for use with SIG(0).
 Using any TSIG algorithm (HMAC-* or DH) forces this option
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF to the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds.
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now".
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
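An added Python example (not part of BIND) that implements the date/offset syntax described above and the <code class="option">-P</code>/<code class="option">-A</code>/<code class="option">-R</code>/<code class="option">-I</code>/<code class="option">-D</code> lifecycle, including the rule that <code class="option">-P</code> and <code class="option">-A</code> default to "now" unless <code class="option">-G</code> is given. The "present time" is passed in as a constructed UTC datetime so the result is reproducible.

```python
# Added example, not part of BIND: parse dnssec-keygen timing arguments and
# report which lifecycle phase a key is in at a given moment.
import re
from datetime import datetime, timedelta, timezone

# Seconds per suffix, exactly as the man page defines them: a year is 365
# 24-hour days (leap years ignored), a month is 30 24-hour days, and an
# offset with no suffix is in seconds.
SUFFIX_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                  "d": 86400, "h": 3600, "mi": 60, "": 1}
OFFSET_RE = re.compile(r"^([+-])(\d+)(y|mo|w|d|h|mi)?$")


def parse_date_or_offset(text, now):
    """Interpret one date/offset argument (-P, -A, -R, -I or -D) relative to
    `now`, an aware UTC datetime standing in for the present time."""
    m = OFFSET_RE.match(text)
    if m:
        sign, amount, suffix = m.group(1), int(m.group(2)), m.group(3) or ""
        delta = timedelta(seconds=amount * SUFFIX_SECONDS[suffix])
        return now + delta if sign == "+" else now - delta
    for fmt in ("%Y%m%d%H%M%S", "%Y%m%d"):  # the two absolute forms
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"not a YYYYMMDD[HHMMSS] date or +/- offset: {text!r}")


def resolve_timing(opts, now):
    """Apply the documented defaults to a dict of option letter -> value:
    -P and -A default to "now" unless -G was given, and -G cannot be combined
    with -P or -A. Returns a dict of event name -> datetime."""
    if opts.get("G") and ("P" in opts or "A" in opts):
        raise ValueError("-G is incompatible with -P and -A")
    timing = {}
    for letter, event in (("P", "publish"), ("A", "activate"), ("R", "revoke"),
                          ("I", "retire"), ("D", "delete")):
        if letter in opts:
            timing[event] = parse_date_or_offset(opts[letter], now)
        elif letter in ("P", "A") and not opts.get("G"):
            timing[event] = now
    return timing


def key_state(timing, at):
    """The key's state at time `at`, following the man page: present in the
    zone from publish until delete, signing from activate until retire, and
    flagged revoked from the revoke date (a revoked key keeps signing)."""
    state = {"in_zone": False, "signs": False, "revoked": False}
    if "delete" in timing and at >= timing["delete"]:
        return state
    if "publish" not in timing or at < timing["publish"]:
        return state
    state["in_zone"] = True
    state["signs"] = ("activate" in timing and at >= timing["activate"]
                      and not ("retire" in timing and at >= timing["retire"]))
    state["revoked"] = "revoke" in timing and at >= timing["revoke"]
    return state


if __name__ == "__main__":
    # Constructed schedule: publish now, start signing in a week, retire after
    # five weeks and remove the key from the zone a week later.
    now = datetime(2009, 10, 6, tzinfo=timezone.utc)  # assumed "present time"
    plan = resolve_timing({"P": "+0", "A": "+1w", "I": "+5w", "D": "+6w"}, now)
    for weeks in (0, 2, 5, 6):
        print(f"+{weeks}w", key_state(plan, now + timedelta(weeks=weeks)))
```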
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
<li><p><code class="filename">nnnn</code> is the key name.
<li><p><code class="filename">aaa</code> is the numeric representation
<li><p><code class="filename">iiiii</code> is the key identifier (or
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 The <code class="filename">.key</code> file contains a DNS KEY record that
 can be inserted into a zone file (directly or with a $INCLUDE
 The <code class="filename">.private</code> file contains
 algorithm-specific fields. For obvious security reasons, this file does not have
 general read permission.
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric encryption algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be issued:
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
 The command would print a string of the form:
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code> and
 <code class="filename">Kexample.com.+003+26160.private</code>.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>