man.dnssec-keygen.html revision c92c50783e4e93699f2a42643b8f200b9b719c87
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - Permission to use, copy, modify, and/or distribute this software for any
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - purpose with or without fee is hereby granted, provided that the above
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - copyright notice and this permission notice appear in all copies.
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews<!-- $Id: man.dnssec-keygen.html,v 1.207 2012/01/07 01:14:54 tbox Exp $ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>�</td>
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews<th width="60%" align="center">Manual pages</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span><strong class="command">dnssec-keygen</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and RFC 4034. It can also generate keys for use with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein (Transaction Key) as defined in RFC 2930.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The <code class="option">name</code> of the key is specified on the command
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein line. For DNSSEC keys, this must match the name of the zone for
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein which the key is being generated.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Selects the cryptographic algorithm. For DNSSEC keys, the value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein case insensitive.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If no algorithm is specified, then RSASHA1 will be used by
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein default, unless the <code class="option">-3</code> option is specified,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in which case NSEC3RSASHA1 will be used instead. (If
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">-3</code> is used and an algorithm is specified,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein that algorithm will be checked for compatibility with NSEC3.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein automatically set the -T KEY option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the number of bits in the key. The choice of key
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein size depends on the algorithm used. RSA keys must be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein between 512 and 2048 bits. Diffie Hellman keys must be between
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein 128 and 4096 bits. DSA keys must be between 512 and 1024
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein bits and an exact multiple of 64. HMAC keys must be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein between 1 and 512 bits.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The key size does not need to be specified if using a default
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein algorithm. The default key size is 1024 bits for zone signing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein keys (ZSK's) and 2048 bits for key signing keys (KSK's,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein generated with <code class="option">-f KSK</code>). However, if an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein algorithm is explicitly specified with the <code class="option">-a</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein then there is no default key size, and the <code class="option">-b</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein must be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the owner type of the key. The value of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">nametype</code> must either be ZONE (for a DNSSEC
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a host (KEY)),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein These values are case insensitive. Defaults to ZONE for DNSKEY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Use an NSEC3-capable algorithm to generate a DNSSEC key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If this option is used and no algorithm is explicitly
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews set on the command line, NSEC3RSASHA1 will be used by
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews default. Note that RSASHA256, RSASHA512 and ECCGOST algorithms
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews are NSEC3-capable.
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews Compatibility mode: generates an old-style key, without
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews will include the key's creation date in the metadata stored
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews with the private key, and other dates may be set there as well
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews (publication date, activation date, etc). Keys that include
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this data may be incompatible with older versions of BIND; the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">-C</code> option suppresses them.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Indicates that the DNS record containing the key should have
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the specified class. If not specified, class IN is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Uses a crypto hardware (OpenSSL engine) for random number
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein and, when supported, key generation. When compiled with PKCS#11
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein support it defaults to pkcs11; the empty name resets it to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If generating an RSAMD5/RSASHA1 key, use a large exponent.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Set the specified flag in the flag field of the KEY/DNSKEY record.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The only recognized flags are KSK (Key Signing Key) and REVOKE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate a key, but do not publish it or sign with it. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein option is incompatible with -P and -A.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews If generating a Diffie Hellman key, use this generator.
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews Allowed values are 2 and 5. If no generator
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews is specified, a known prime from RFC 2539 will be used
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews if possible; otherwise the default is 2.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Prints a short summary of the options and arguments to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dnssec-keygen</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the directory in which the key files are to be written.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Deprecated in favor of -T KEY.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the default TTL to use for this key when it is converted
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein into a DNSKEY RR. If the key is imported into a zone,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this is the TTL that will be used for it, unless there was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein already a DNSKEY RRset in place, in which case the existing TTL
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein would take precedence. Setting the default TTL to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="literal">0</code> or <code class="literal">none</code> removes it.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the protocol value for the generated key. The protocol
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is a number between 0 and 255. The default is 3 (DNSSEC).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Other possible values for this argument are listed in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein RFC 2535 and its successors.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Quiet mode: Suppresses unnecessary output, including
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein progress indication. Without this option, when
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">dnssec-keygen</strong></span> is run interactively
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to generate an RSA or DSA key pair, it will print a string
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of symbols to <code class="filename">stderr</code> indicating the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein progress of the key generation. A '.' indicates that a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein random number has been found which passed an initial
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein sieve test; '+' means a number has passed a single
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein round of the Miller-Rabin primality test; a space
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein means that the number has passed all the tests and is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a satisfactory key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews Specifies the source of randomness. If the operating
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein system does not provide a <code class="filename">/dev/random</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or equivalent device, the default source of randomness
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is keyboard input. <code class="filename">randomdev</code>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the name of a character device or file containing random
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein data to be used instead of the default. The special value
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">keyboard</code> indicates that keyboard
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein input should be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Create a new key which is an explicit successor to an
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein existing key. The name, algorithm, size, and type of the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein key will be set to match the existing key. The activation
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein date of the new key will be set to the inactivation date of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the existing one. The publication date will be set to the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein activation date minus the prepublication interval, which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein defaults to 30 days.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the strength value of the key. The strength is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a number between 0 and 15, and currently has no defined
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein purpose in DNSSEC.
94fc951a9b5679def2a05387a5c251f5cb8eb9c9Mark Andrews<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the resource record type to use for the key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">rrtype</code> must be either DNSKEY or KEY. The
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein default is DNSKEY when using a DNSSEC algorithm, but it can be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein overridden to KEY for use with SIG(0).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Using any TSIG algorithm (HMAC-* or DH) forces this option