man.dnssec-keygen.html revision c6c78f699b55b3344fb6b17ddc854cbae4610468
c92c50783e4e93699f2a42643b8f200b9b719c87Automatic Updater - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and distribute this software for any
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - purpose with or without fee is hereby granted, provided that the above
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - copyright notice and this permission notice appear in all copies.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User<!-- $Id: man.dnssec-keygen.html,v 1.90 2008/10/15 01:11:35 tbox Exp $ -->
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<table width="100%" summary="Navigation header">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>�</td>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<th width="60%" align="center">Manual pages</th>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p><span><strong class="command">dnssec-keygen</strong></span>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews and RFC 4034. It can also generate keys for use with
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews TSIG (Transaction Signatures), as defined in RFC 2845.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Selects the cryptographic algorithm. The value of
c247e3f281613fabe1af362e9f3157e35ebbe52cMark Andrews <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews These values are case insensitive.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Note 2: HMAC-MD5 and DH automatically set the -k flag.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User Specifies the number of bits in the key. The choice of key
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews 512 and 2048 bits. Diffie Hellman keys must be between
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews 128 and 4096 bits. DSA keys must be between 512 and 1024
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews bits and an exact multiple of 64. HMAC-MD5 keys must be
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews between 1 and 512 bits.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specifies the owner type of the key. The value of
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="option">nametype</code> must either be ZONE (for a DNSSEC
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews a host (KEY)),
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews These values are case insensitive. Defaults to ZONE for DNSKEY
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Indicates that the DNS record containing the key should have
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the specified class. If not specified, class IN is used.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews If generating an RSAMD5/RSASHA1 key, use a large exponent.
1224c3b69b3d18f7127aa042644936af25a2d679Mark Andrews<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
1224c3b69b3d18f7127aa042644936af25a2d679Mark Andrews Set the specified flag in the flag field of the KEY/DNSKEY record.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The only recognized flag is KSK (Key Signing Key) DNSKEY.
1224c3b69b3d18f7127aa042644936af25a2d679Mark Andrews<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews If generating a Diffie Hellman key, use this generator.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Allowed values are 2 and 5. If no generator
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is specified, a known prime from RFC 2539 will be used
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews if possible; otherwise the default is 2.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Prints a short summary of the options and arguments to
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span><strong class="command">dnssec-keygen</strong></span>.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Generate KEY records rather than DNSKEY records.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Sets the protocol value for the generated key. The protocol
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is a number between 0 and 255. The default is 3 (DNSSEC).
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Other possible values for this argument are listed in
c247e3f281613fabe1af362e9f3157e35ebbe52cMark Andrews RFC 2535 and its successors.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specifies the source of randomness. If the operating
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews system does not provide a <code class="filename">/dev/random</code>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews or equivalent device, the default source of randomness
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is keyboard input. <code class="filename">randomdev</code>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the name of a character device or file containing random
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews data to be used instead of the default. The special value
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="filename">keyboard</code> indicates that keyboard
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews input should be used.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specifies the strength value of the key. The strength is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews a number between 0 and 15, and currently has no defined
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews purpose in DNSSEC.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Indicates the use of the key. <code class="option">type</code> must be
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is AUTHCONF. AUTH refers to the ability to authenticate
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews data, and CONF the ability to encrypt data.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Sets the debugging level.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews When <span><strong class="command">dnssec-keygen</strong></span> completes
d71e2e0c61df16ff37c9934c371a4a60c08974f7Mark Andrews successfully,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to the standard output. This is an identification string for
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the key it has generated.
ea94d370123a5892f6c47a97f21d1b28d44bb168Tinderbox User<li><p><code class="filename">nnnn</code> is the key name.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<li><p><code class="filename">aaa</code> is the numeric representation
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<li><p><code class="filename">iiiii</code> is the key identifier (or
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater<p><span><strong class="command">dnssec-keygen</strong></span>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews creates two files, with names based
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews contains the public key, and
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
4abdfc917e6635a7c81d1f931a0c79227e72d025Mark Andrews The <code class="filename">.key</code> file contains a DNS KEY record
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews can be inserted into a zone file (directly or with a $INCLUDE
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The <code class="filename">.private</code> file contains