man.dnssec-keygen.html revision 09d72af3e9961c210d7baa6179165b6cd81e8dd0
<!-- Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE. -->
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
(Transaction Key) as defined in RFC 2930.
The <code class="option">name</code> of the key is specified on the command
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.</p>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p><p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p><p>
Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
</p><p>
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p></dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
between 512 and 2048 bits. Diffie Hellman keys must be between
128 and 4096 bits. DSA keys must be between 512 and 1024
bits and an exact multiple of 64. HMAC keys must be
between 1 and 512 bits. Elliptic curve algorithms don't need
this parameter.
</p><p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSKs) and 2048 bits for key signing keys (KSKs,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code> option,
then there is no default key size, and the <code class="option">-b</code> option
must be used.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
These values are case insensitive. Defaults to ZONE for DNSKEY
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default. Note that RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
are NSEC3-capable.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Specifies the cryptographic hardware to use, when applicable.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> is the same as leaving it unset.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
Quiet mode: Suppresses unnecessary output, including
progress indication. Without this option, when
<span><strong class="command">dnssec-keygen</strong></span> is run interactively
to generate an RSA or DSA key pair, it will print a string
of symbols to <code class="filename">stderr</code> indicating the
progress of the key generation. A '.' indicates that a
random number has been found which passed an initial
sieve test; '+' means a number has passed a single
round of the Miller-Rabin primality test; a space
means that the number has passed all the tests and is
a satisfactory key.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code> specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
Create a new key which is an explicit successor to an
existing key. The name, algorithm, size, and type of the
key will be set to match the existing key. The activation
date of the new key will be set to the inactivation date of
the existing one. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd><p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
Using any TSIG algorithm (HMAC-* or DH) forces this option to KEY.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
<a name="id2677762"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
ffe29868b4bbc64953fc5d0de51f988c20158967Tinderbox User<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User Sets the date on which the key is to be activated. After that
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User date, the key will be included in the zone and used to sign
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User it. If not set, and if the -G option has not been used, the
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User default is "now". If set, if and -P is not set, then
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User the publication date will be set to the activation date
99b30e26a6beb9092557cc9e5370b517309bff6eTinderbox User minus the prepublication interval.
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p><p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p><p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p></dd>
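<p>The date/offset syntax and the defaulting rules for -P, -A, -i, -S and -G described above can be exercised with a small timeline planner. This is an added example, not code from the BIND manual or from dnssec-keygen itself; the names parse_date, parse_interval and plan_timeline are its own, and it assumes the "separated by at least the interval" check is enforced only when both dates are given explicitly.</p>

```python
"""Added example (not from the BIND manual or the dnssec-keygen source):
parse the date/offset syntax from TIMING OPTIONS and apply the page's
defaulting rules for -P, -A, -i, -S and -G.  Assumption: the "separated by
at least the interval" check is enforced only when both dates are explicit.
"""
import re
from datetime import datetime, timedelta

# Suffix -> seconds, as the page defines them: a year is 365 24-hour days,
# a month is 30 24-hour days, and no suffix means seconds.
SUFFIX_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                  "d": 86400, "h": 3600, "mi": 60, "": 1}
_NUM_RE = re.compile(r"^([+-]?)(\d+)(y|mo|w|d|h|mi)?$")


def parse_interval(text):
    """Parse a -i argument such as '30d', '4w' or '3600' into a timedelta."""
    m = _NUM_RE.match(text)
    if not m or m.group(1):          # an interval carries no sign
        raise ValueError(f"bad interval: {text!r}")
    return timedelta(seconds=int(m.group(2)) * SUFFIX_SECONDS[m.group(3) or ""])


def parse_date(text, now):
    """Parse a -P/-A/-R/-I/-D argument; '+'/'-' offsets are relative to now.

    Returns None for 'none' / 'never', i.e. the date is explicitly unset.
    """
    if text in ("none", "never"):
        return None
    m = _NUM_RE.match(text)
    if m and m.group(1):             # leading sign: offset from the present
        delta = timedelta(seconds=int(m.group(2)) * SUFFIX_SECONDS[m.group(3) or ""])
        return now + delta if m.group(1) == "+" else now - delta
    for fmt in ("%Y%m%d%H%M%S", "%Y%m%d"):   # absolute YYYYMMDD[HHMMSS]
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            pass
    raise ValueError(f"unrecognised date/offset: {text!r}")


def plan_timeline(now, publish=None, activate=None, interval=None,
                  predecessor_inactive=None, generate_only=False):
    """Return (publish, activate) after applying the page's defaults.

    publish / activate / interval are the raw -P / -A / -i strings, or None
    when the option was not given.  predecessor_inactive is the retirement
    date of the key named by -S (the new key activates when that key
    retires).  generate_only models -G, which leaves both dates unset.
    """
    if generate_only:
        if publish is not None or activate is not None:
            raise ValueError("-G is incompatible with -P and -A")
        return None, None
    if interval is not None:
        prepub = parse_interval(interval)
    else:   # default interval: 30 days for an explicit successor, else zero
        prepub = timedelta(days=30) if predecessor_inactive else timedelta(0)
    pub = parse_date(publish, now) if publish is not None else None
    if predecessor_inactive is not None and activate is None:
        act = predecessor_inactive
    else:
        act = parse_date(activate, now) if activate is not None else None
    act_given = activate is not None or predecessor_inactive is not None
    if publish is None:       # -P absent: derive from -A, otherwise "now"
        pub = act - prepub if act is not None else now
    if not act_given:         # -A absent: derive from -P, otherwise "now"
        act = pub + prepub if pub is not None else now
    if (publish is not None and act_given and pub is not None
            and act is not None and act - pub < prepub):
        raise ValueError("activation must be at least the prepublication "
                         "interval after publication")
    return pub, act
```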
<a name="id2678020"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key it has generated.
</p>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation