man.dnssec-keygen.html revision c6c78f699b55b3344fb6b17ddc854cbae4610468
Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2003 Internet Software Consortium.
Permission to use, copy, modify, and distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: man.dnssec-keygen.html,v 1.90 2008/10/15 01:11:35 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<a name="id2603462"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
 These values are case insensitive.
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key) DNSKEY.
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
 Generate KEY records rather than DNSKEY records.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
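<p>The following Python script is an added example, not code from BIND 9 or from this manual. It turns the option constraints described above (the recognized algorithms, the per-algorithm key-size limits of <code>-b</code>, the name types of <code>-n</code>, the 0 to 255 protocol range of <code>-p</code>, the <code>-t</code> values, and the automatic <code>-k</code> for HMAC-MD5 and DH) into a pre-flight check that a key-generation wrapper can run before it invokes <code>dnssec-keygen</code>, so that a bad request is rejected with a clear message instead of producing an unusable key. The <code>KeyRequest</code> structure and the function names are this example's own, and it assumes that NSEC3RSASHA1 and NSEC3DSA follow the size limits stated for RSASHA1 and DSA, which the page does not spell out.</p>

```python
"""Pre-flight validation of a dnssec-keygen request (added example, not BIND 9 code)."""
from dataclasses import dataclass
from typing import List

# (minimum bits, maximum bits, required multiple) taken from the -b option text.
# Assumption: NSEC3RSASHA1 and NSEC3DSA follow RSASHA1 and DSA; the manual page
# states limits only for RSAMD5/RSASHA1, Diffie Hellman, DSA and HMAC-MD5.
KEY_SIZE_RULES = {
    "RSAMD5": (512, 2048, 1),
    "RSASHA1": (512, 2048, 1),
    "NSEC3RSASHA1": (512, 2048, 1),
    "DSA": (512, 1024, 64),
    "NSEC3DSA": (512, 1024, 64),
    "DH": (128, 4096, 1),
    "HMAC-MD5": (1, 512, 1),
}
NAME_TYPES = {"ZONE", "HOST", "ENTITY", "USER", "OTHER"}          # -n values
KEY_TYPES = {"AUTHCONF", "NOAUTHCONF", "NOAUTH", "NOCONF"}        # -t values
IMPLY_KEY_RECORD = {"HMAC-MD5", "DH"}   # these algorithms set -k automatically


@dataclass
class KeyRequest:
    name: str
    algorithm: str
    keysize: int
    nametype: str = "ZONE"       # -n, defaults to ZONE
    protocol: int = 3            # -p, defaults to 3 (DNSSEC)
    key_type: str = "AUTHCONF"   # -t, defaults to AUTHCONF
    ksk: bool = False            # -f KSK
    key_record: bool = False     # -k: generate KEY rather than DNSKEY


def generates_key_record(req: KeyRequest) -> bool:
    """True when the tool will emit a KEY record: -k given, or implied by the algorithm."""
    return req.key_record or req.algorithm.upper() in IMPLY_KEY_RECORD


def validate(req: KeyRequest) -> List[str]:
    """Return the list of problems with the request; an empty list means it is acceptable."""
    problems: List[str] = []
    alg = req.algorithm.upper()          # algorithm names are case insensitive
    if alg not in KEY_SIZE_RULES:
        problems.append(f"unknown algorithm {req.algorithm!r}")
    else:
        lo, hi, mult = KEY_SIZE_RULES[alg]
        if not lo <= req.keysize <= hi:
            problems.append(f"{alg} keys must be between {lo} and {hi} bits, got {req.keysize}")
        elif req.keysize % mult:
            problems.append(f"{alg} keys must be an exact multiple of {mult} bits, got {req.keysize}")
    if req.nametype.upper() not in NAME_TYPES:
        problems.append(f"unknown name type {req.nametype!r}")
    if not 0 <= req.protocol <= 255:
        problems.append(f"protocol must be between 0 and 255, got {req.protocol}")
    if req.key_type.upper() not in KEY_TYPES:
        problems.append(f"unknown key type {req.key_type!r}")
    if not req.name:
        problems.append("key name is required")
    return problems


def build_command(req: KeyRequest) -> List[str]:
    """Build the argv for dnssec-keygen, refusing a request that fails validation."""
    problems = validate(req)
    if problems:
        raise ValueError("; ".join(problems))
    argv = ["dnssec-keygen", "-a", req.algorithm.upper(), "-b", str(req.keysize),
            "-n", req.nametype.upper()]
    if req.ksk:
        argv += ["-f", "KSK"]
    if req.key_record:                   # -k is not needed for HMAC-MD5/DH; the tool sets it
        argv.append("-k")
    if req.protocol != 3:
        argv += ["-p", str(req.protocol)]
    if req.key_type.upper() != "AUTHCONF":
        argv += ["-t", req.key_type.upper()]
    argv.append(req.name)
    return argv


if __name__ == "__main__":
    for request in (KeyRequest("example.com", "DSA", 768),
                    KeyRequest("example.com", "DSA", 700),
                    KeyRequest("host.example.com", "HMAC-MD5", 128, nametype="HOST")):
        issues = validate(request)
        print(" ".join(build_command(request)) if not issues else "rejected: " + "; ".join(issues))
```

<p>Run stand-alone, the script accepts the 768-bit DSA zone key, rejects a 700-bit DSA key because it is not a multiple of 64, and accepts a 128-bit HMAC-MD5 host key for which <code>generates_key_record</code> reports that a KEY record will be produced without <code>-k</code> being passed.</p>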
<a name="id2603956"></a><h2>GENERATED KEYS</h2>
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
<li><p><code class="filename">aaa</code> is the numeric representation
<li><p><code class="filename">iiiii</code> is the key identifier (or
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 The <code class="filename">.key</code> file contains a DNS KEY record
 can be inserted into a zone file (directly or with a $INCLUDE
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric encryption algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
 The command would print a string of the form:
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
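<p>As an added example (not code from BIND 9 or from this manual), the Python script below re-implements the two parts of the naming scheme above that an operator most often needs to verify independently: the key identifier carried in the <code>iiiii</code> field, which is the key tag computed over the DNSKEY RDATA as RFC 4034 Appendix B specifies (an algorithm this page does not describe), and the <code>Knnnn.+aaa+iiiii</code> string itself. It parses the record in a <code>.key</code> file, recomputes the identifier, compares it with a printed one such as <code>Kexample.com.+003+26160</code>, and checks that a <code>.private</code> file carries no group or other permission bits. The record and key material in <code>SAMPLE_KEY_FILE</code> are constructed for the example and are not a real key; the function names are this example's own.</p>

```python
"""Consistency checks on a dnssec-keygen key pair (added example, not BIND 9 code)."""
import base64
import os
import re
import stat
import struct
from typing import Tuple

# Constructed sample of a .key file: a 4-byte "public key" with algorithm 5 (RSASHA1).
SAMPLE_KEY_FILE = "; constructed sample, not a real key\nexample.com. IN DNSKEY 256 3 5 AQIDBA==\n"

ID_RE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    if algorithm == 1:
        # RSAMD5 (Appendix B.1): the most significant 16 bits of the least significant
        # 24 bits of the modulus, i.e. the last three bytes of the key field minus the last.
        return int.from_bytes(pubkey[-3:-1], "big")
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):        # even offsets weigh 256, odd offsets weigh 1
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF               # fold the carry back in
    return ac & 0xFFFF


def read_key_file_record(text: str) -> Tuple[str, int, int, int, bytes]:
    """Find the KEY/DNSKEY record in .key file text; returns (owner, flags, protocol, alg, key)."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue                        # blank line or comment
        rrtype = next((t for t in ("DNSKEY", "KEY") if t in fields), None)
        if rrtype is None:
            continue
        i = fields.index(rrtype)            # owner [TTL] [class] TYPE flags proto alg base64...
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        return fields[0], flags, protocol, algorithm, pubkey
    raise ValueError("no KEY or DNSKEY record found")


def key_identifier(owner: str, algorithm: int, tag: int) -> str:
    """Build the Knnnn.+aaa+iiiii string dnssec-keygen prints for this key."""
    return f"K{owner.rstrip('.')}.+{algorithm:03d}+{tag:05d}"


def parse_key_identifier(ident: str) -> Tuple[str, int, int]:
    """Split Knnnn.+aaa+iiiii into (name, algorithm number, key tag)."""
    m = ID_RE.match(ident)
    if not m:
        raise ValueError(f"malformed key identifier: {ident!r}")
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def identifier_matches_record(ident: str, key_file_text: str) -> bool:
    """True when the identifier agrees with the record actually stored in the .key file."""
    owner, flags, protocol, algorithm, pubkey = read_key_file_record(key_file_text)
    expected = key_identifier(owner, algorithm, key_tag(flags, protocol, algorithm, pubkey))
    return expected == ident


def mode_is_protected(mode: int) -> bool:
    """True when a file mode grants nothing to group or other (what a .private file needs)."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def private_file_is_protected(path: str) -> bool:
    """Check an on-disk .private file for general read permission."""
    return mode_is_protected(os.stat(path).st_mode)


if __name__ == "__main__":
    owner, flags, protocol, algorithm, pubkey = read_key_file_record(SAMPLE_KEY_FILE)
    tag = key_tag(flags, protocol, algorithm, pubkey)
    print("identifier for the sample record:", key_identifier(owner, algorithm, tag))
    print("matches Kexample.com.+005+02059:",
          identifier_matches_record("Kexample.com.+005+02059", SAMPLE_KEY_FILE))
    print("Kexample.com.+003+26160 parses to:", parse_key_identifier("Kexample.com.+003+26160"))
```

<p>The key tag is a 16-bit checksum rather than a unique identifier, so two keys for the same name can legitimately share one; a match is a consistency check on the file pair and the record in the zone, not proof that the intended key is installed. The permission check is the one to run before a <code>.private</code> file is copied anywhere, since the tool creates it without general read permission and a careless copy can silently widen that.</p>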