man.dnssec-keygen.html revision 0ce865f8b2e652d6fe0c029e3538f4cc7e009fe1
02c335c23bf5fa225a467c19f2c063fb0dc7b8c3Timo Sirainen<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<!--
08d6658a4e2ec8104cd1307f6baa75fdb07a24f8Mark Washenberger - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen -
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen - This Source Code Form is subject to the terms of the Mozilla Public
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen - License, v. 2.0. If a copy of the MPL was not distributed with this
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen - file, You can obtain one at http://mozilla.org/MPL/2.0/.
2f35a2fbe2c525380487464fad7cf85f16e0ddedTimo Sirainen-->
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<html lang="en">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<head>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<title>dnssec-keygen</title>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
1294c06fcf841b62b0e40de3388354107c7fc012Timo Sirainen<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<link rel="next" href="man.dnssec-keymgr.html" title="dnssec-keymgr">
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen</head>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<div class="refentry">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <div class="refnamediv">
0dffa25d211be541ee3c953b23566a1a990789dfTimo Sirainen<h2>Name</h2>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <span class="application">dnssec-keygen</span>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen &#8212; DNSSEC key generation tool
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen</div>
a75d470c9223a75801418fcdda258885c36317e0Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <div class="refsynopsisdiv">
2f35a2fbe2c525380487464fad7cf85f16e0ddedTimo Sirainen<h2>Synopsis</h2>
ee6df9526e9716b3f1734d85b566e00fc41208bcTimo Sirainen <div class="cmdsynopsis"><p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <code class="command">dnssec-keygen</code>
ee6df9526e9716b3f1734d85b566e00fc41208bcTimo Sirainen [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
2f35a2fbe2c525380487464fad7cf85f16e0ddedTimo Sirainen [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
2f35a2fbe2c525380487464fad7cf85f16e0ddedTimo Sirainen [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
2f35a2fbe2c525380487464fad7cf85f16e0ddedTimo Sirainen [<code class="option">-3</code>]
2f35a2fbe2c525380487464fad7cf85f16e0ddedTimo Sirainen [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
2f35a2fbe2c525380487464fad7cf85f16e0ddedTimo Sirainen [<code class="option">-C</code>]
2f35a2fbe2c525380487464fad7cf85f16e0ddedTimo Sirainen [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-G</code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-h</code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-k</code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-q</code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen [<code class="option">-V</code>]
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen [<code class="option">-z</code>]
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen {name}
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p></div>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </div>
026647687a080f964452e909a4fd4d97a8e122d5Timo Sirainen
a75d470c9223a75801418fcdda258885c36317e0Timo Sirainen <div class="refsection">
a75d470c9223a75801418fcdda258885c36317e0Timo Sirainen<a name="id-1.14.12.7"></a><h2>DESCRIPTION</h2>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
026647687a080f964452e909a4fd4d97a8e122d5Timo Sirainen <p><span class="command"><strong>dnssec-keygen</strong></span>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen and RFC 4034. It can also generate keys for use with
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen (Transaction Key) as defined in RFC 2930.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen The <code class="option">name</code> of the key is specified on the command
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen line. For DNSSEC keys, this must match the name of the zone for
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen which the key is being generated.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </div>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <div class="refsection">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<a name="id-1.14.12.8"></a><h2>OPTIONS</h2>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
1294c06fcf841b62b0e40de3388354107c7fc012Timo Sirainen <div class="variablelist"><dl class="variablelist">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
1294c06fcf841b62b0e40de3388354107c7fc012Timo Sirainen <p>
1294c06fcf841b62b0e40de3388354107c7fc012Timo Sirainen Selects the cryptographic algorithm. For DNSSEC keys, the value
1294c06fcf841b62b0e40de3388354107c7fc012Timo Sirainen of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
5e114f59ad9b9632bf7f3403d56bea17bd494e8eTimo Sirainen DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen ECDSAP256SHA256 or ECDSAP384SHA384.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen For TSIG/TKEY, the value must
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen case insensitive.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen If no algorithm is specified, then RSASHA1 will be used by
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen default, unless the <code class="option">-3</code> option is specified,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen in which case NSEC3RSASHA1 will be used instead. (If
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <code class="option">-3</code> is used and an algorithm is specified,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen that algorithm will be checked for compatibility with NSEC3.)
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
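 Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 mandatory. These designations describe what the protocol
 specifications require implementations to support for
 interoperability; they are not a statement about cryptographic
 strength. The MD5- and SHA-1-based algorithms and DSA are legacy
 choices; for newly generated keys, prefer one of the SHA-2-based
 or ECDSA algorithms listed above where the peers support them.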
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen automatically set the -T KEY option.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits. Elliptic curve algorithms don't need
 this parameter. These ranges are the sizes the tool accepts,
 not recommended sizes: values near the lower bounds (for
 example a 512-bit RSA key or a very short HMAC key) provide
 little protection.
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with <code class="option">-a</code>,
 then there is no default key size, and <code class="option">-b</code>
 must be used.
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
 generation.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-3</span></dt>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Use an NSEC3-capable algorithm to generate a DNSSEC key.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen If this option is used and no algorithm is explicitly
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen set on the command line, NSEC3RSASHA1 will be used by
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen default. Note that RSASHA256, RSASHA512, ECCGOST,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen are NSEC3-capable.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-C</span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc.). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses this metadata.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen Indicates that the DNS record containing the key should have
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen the specified class. If not specified, class IN is used.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Specifies the cryptographic hardware to use, when applicable.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen When BIND is built with OpenSSL PKCS#11 support, this defaults
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen to the string "pkcs11", which identifies an OpenSSL engine
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen that can drive a cryptographic accelerator or hardware service
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen module. When BIND is built with native PKCS#11 cryptography
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen (--enable-native-pkcs11), it defaults to the path of the PKCS#11
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen provider library specified via "--with-pkcs11".
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen Set the specified flag in the flag field of the KEY/DNSKEY record.
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen The only recognized flags are KSK (Key Signing Key) and REVOKE.
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen </p>
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen </dd>
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen<dt><span class="term">-G</span></dt>
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen<dd>
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen <p>
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen Generate a key, but do not publish it or sign with it. This
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen option is incompatible with -P and -A.
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen </p>
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen </dd>
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen<dd>
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen <p>
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen If generating a Diffie Hellman key, use this generator.
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen Allowed values are 2 and 5. If no generator
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen is specified, a known prime from RFC 2539 will be used
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen if possible; otherwise the default is 2.
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen </p>
a74bc46dde2a422052458587b4336757d6b62227Timo Sirainen </dd>
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen<dt><span class="term">-h</span></dt>
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen<dd>
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen <p>
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen Prints a short summary of the options and arguments to
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen <span class="command"><strong>dnssec-keygen</strong></span>.
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen </p>
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Sets the directory in which the key files are to be written.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </dd>
e0e2c938d774fc5df086c102fea7210ed9e0557bTimo Sirainen<dt><span class="term">-k</span></dt>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Deprecated in favor of -T KEY.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Sets the default TTL to use for this key when it is converted
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen into a DNSKEY RR. If the key is imported into a zone,
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen this is the TTL that will be used for it, unless there was
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen already a DNSKEY RRset in place, in which case the existing TTL
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen would take precedence. If this value is not set and there
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen is no existing DNSKEY RRset, the TTL will default to the
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen SOA TTL. Setting the default TTL to <code class="literal">0</code>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen or <code class="literal">none</code> is the same as leaving it unset.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Sets the protocol value for the generated key. The protocol
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen is a number between 0 and 255. The default is 3 (DNSSEC).
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Other possible values for this argument are listed in
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen RFC 2535 and its successors.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dt><span class="term">-q</span></dt>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dd>
31633d676642b83305b8d46da495d9bb4e2d1ff8Timo Sirainen <p>
ee6df9526e9716b3f1734d85b566e00fc41208bcTimo Sirainen Quiet mode: Suppresses unnecessary output, including
ee6df9526e9716b3f1734d85b566e00fc41208bcTimo Sirainen progress indication. Without this option, when
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen to generate an RSA or DSA key pair, it will print a string
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen of symbols to <code class="filename">stderr</code> indicating the
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen progress of the key generation. A '.' indicates that a
fdfb2153df1841889c73a39f8cbb99f462781bd4Timo Sirainen random number has been found which passed an initial
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen sieve test; '+' means a number has passed a single
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen round of the Miller-Rabin primality test; a space
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen means that the number has passed all the tests and is
51821162b1df9a8a9398b8b64ceca410b9cc3092Timo Sirainen a satisfactory key.
51821162b1df9a8a9398b8b64ceca410b9cc3092Timo Sirainen </p>
51821162b1df9a8a9398b8b64ceca410b9cc3092Timo Sirainen </dd>
51821162b1df9a8a9398b8b64ceca410b9cc3092Timo Sirainen<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
0f5dc4da3982053036be65190e44bf28a67b1ca2Timo Sirainen<dd>
51821162b1df9a8a9398b8b64ceca410b9cc3092Timo Sirainen <p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used. The unpredictability of the generated
 key depends entirely on this source: a file or device whose
 contents are predictable, reused, or known to anyone else
 yields a key that can be reconstructed, so point
 <code class="filename">randomdev</code> only at a
 cryptographically strong source.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Create a new key which is an explicit successor to an
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen existing key. The name, algorithm, size, and type of the
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen key will be set to match the existing key. The activation
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen date of the new key will be set to the inactivation date of
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen the existing one. The publication date will be set to the
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen activation date minus the prepublication interval, which
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen defaults to 30 days.
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen </p>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen Specifies the strength value of the key. The strength is
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen a number between 0 and 15, and currently has no defined
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen purpose in DNSSEC.
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen </p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Specifies the resource record type to use for the key.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <code class="option">rrtype</code> must be either DNSKEY or KEY. The
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen default is DNSKEY when using a DNSSEC algorithm, but it can be
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen overridden to KEY for use with SIG(0).
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </p>
 <p>
 Using any TSIG algorithm (HMAC-* or DH) forces this option
 to KEY.
 </p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dd>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen <p>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen Indicates the use of the key. <code class="option">type</code> must be
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen is AUTHCONF. AUTH refers to the ability to authenticate
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen data, and CONF the ability to encrypt data.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Sets the debugging level.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </p>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen </dd>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen<dt><span class="term">-V</span></dt>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen<dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <p>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen Prints version information.
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen </p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen</dl></div>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen </div>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <div class="refsection">
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen<a name="id-1.14.12.9"></a><h2>TIMING OPTIONS</h2>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen If the argument begins with a '+' or '-', it is interpreted as
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen an offset from the present time. For convenience, if such an offset
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen then the offset is computed in years (defined as 365 24-hour days,
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen ignoring leap years), months (defined as 30 24-hour days), weeks,
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen days, hours, or minutes, respectively. Without a suffix, the offset
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen is computed in seconds. To explicitly prevent a date from being
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen set, use 'none' or 'never'.
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen </p>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <div class="variablelist"><dl class="variablelist">
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen<dd>
51ead2f4c04ee85615d23c453924633b9ed8a4c2Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen Sets the date on which a key is to be published to the zone.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen After that date, the key will be included in the zone but will
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen not be used to sign it. If not set, and if the -G option has
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen not been used, the default is "now".
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen Sets the date on which CDS and CDNSKEY records that match this
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen key are to be published to the zone.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen Sets the date on which the key is to be activated. After that
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen date, the key will be included in the zone and used to sign
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen it. If not set, and if the -G option has not been used, the
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen default is "now". If set, and if -P is not set, then
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen the publication date will be set to the activation date
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen minus the prepublication interval.
a08c9703ba33332997e0d06cbe694192895caa70Timo Sirainen </p>
a08c9703ba33332997e0d06cbe694192895caa70Timo Sirainen </dd>
da11064e816463cf2bf7961d9fa2c8aa22d22c52Timo Sirainen<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
a08c9703ba33332997e0d06cbe694192895caa70Timo Sirainen<dd>
a08c9703ba33332997e0d06cbe694192895caa70Timo Sirainen <p>
a08c9703ba33332997e0d06cbe694192895caa70Timo Sirainen Sets the date on which the key is to be revoked. After that
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen date, the key will be flagged as revoked. It will be included
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen in the zone and will be used to sign it.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen Sets the date on which the key is to be retired. After that
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen date, the key will still be included in the zone, but it
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen will not be used to sign it.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
a75d470c9223a75801418fcdda258885c36317e0Timo Sirainen Sets the date on which the key is to be deleted. After that
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen date, the key will no longer be included in the zone. (It
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen may remain in the key repository, however.)
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
a75d470c9223a75801418fcdda258885c36317e0Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen Sets the date on which the CDS and CDNSKEY records that match this
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen key are to be deleted.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen Sets the prepublication interval for a key. If set, then
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen the publication and activation dates must be separated by at least
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen this much time. If the activation date is specified but the
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen publication date isn't, then the publication date will default
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen to this much time before the activation date; conversely, if
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen the publication date is specified but activation date isn't,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen then activation will be set to this much time after publication.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen If the key is being created as an explicit successor to another
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen key, then the default prepublication interval is 30 days;
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen otherwise it is zero.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen As with date offsets, if the argument is followed by one of
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
5e114f59ad9b9632bf7f3403d56bea17bd494e8eTimo Sirainen interval is measured in years, months, weeks, days, hours,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen or minutes, respectively. Without a suffix, the interval is
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen measured in seconds.
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </dd>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen</dl></div>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </div>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen <div class="refsection">
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen<a name="id-1.14.12.10"></a><h2>GENERATED KEYS</h2>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen <p>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen When <span class="command"><strong>dnssec-keygen</strong></span> completes
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen successfully,
1294c06fcf841b62b0e40de3388354107c7fc012Timo Sirainen it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
5e114f59ad9b9632bf7f3403d56bea17bd494e8eTimo Sirainen to the standard output. This is an identification string for
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen the key it has generated.
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen </p>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<li class="listitem">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p><code class="filename">nnnn</code> is the key name.
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </li>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<li class="listitem">
4307c886579381dbb1897ea1388ae6978c96f560Timo Sirainen <p><code class="filename">aaa</code> is the numeric representation
4307c886579381dbb1897ea1388ae6978c96f560Timo Sirainen of the
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen algorithm.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
5e114f59ad9b9632bf7f3403d56bea17bd494e8eTimo Sirainen </li>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<li class="listitem">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p><code class="filename">iiiii</code> is the key identifier (or
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen footprint).
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </li>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen</ul></div>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p><span class="command"><strong>dnssec-keygen</strong></span>
4307c886579381dbb1897ea1388ae6978c96f560Timo Sirainen creates two files, with names based
4307c886579381dbb1897ea1388ae6978c96f560Timo Sirainen on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
4307c886579381dbb1897ea1388ae6978c96f560Timo Sirainen contains the public key, and
4307c886579381dbb1897ea1388ae6978c96f560Timo Sirainen <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen private
5e114f59ad9b9632bf7f3403d56bea17bd494e8eTimo Sirainen key.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen The <code class="filename">.key</code> file contains a DNS KEY record
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen that
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen can be inserted into a zone file (directly or with a $INCLUDE
4307c886579381dbb1897ea1388ae6978c96f560Timo Sirainen statement).
4307c886579381dbb1897ea1388ae6978c96f560Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen The <code class="filename">.private</code> file contains
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen algorithm-specific
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen fields. Because it holds the private key, this file is not given
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen general read permission; keep it that way when copying or backing up the file.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen Both <code class="filename">.key</code> and <code class="filename">.private</code>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen files are generated for symmetric cryptography algorithms such as
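b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen HMAC-MD5, even though the public and private key are equivalent. In that case the <code class="filename">.key</code> file also holds the shared secret and needs the same protection as the <code class="filename">.private</code> file.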
6135260095e1704ed6edff9d00bdfc043c11429cTimo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </div>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <div class="refsection">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<a name="id-1.14.12.11"></a><h2>EXAMPLE</h2>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen To generate a 768-bit DSA key for the domain
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <strong class="userinput"><code>example.com</code></strong>, the following command would be
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen issued:
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen </p>
d2e9712e64846fa8d222b04cb5c380a65e417bcfTimo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen The command would print a string of the form:
5e114f59ad9b9632bf7f3403d56bea17bd494e8eTimo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen the files <code class="filename">Kexample.com.+003+26160.key</code>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen and
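b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <code class="filename">Kexample.com.+003+26160.private</code>. The 768-bit DSA key here only illustrates the command syntax; a key of that size is weak by current standards and should not be used for a production zone.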
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
a75d470c9223a75801418fcdda258885c36317e0Timo Sirainen </div>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <div class="refsection">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<a name="id-1.14.12.12"></a><h2>SEE ALSO</h2>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <p><span class="citerefentry">
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <span class="refentrytitle">dnssec-signzone</span>(8)
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </span>,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <em class="citetitle">RFC 2539</em>,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <em class="citetitle">RFC 2845</em>,
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen <em class="citetitle">RFC 4034</em>.
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen </p>
678d0463849ba777106eb7875f27db07a5d8e3dfTimo Sirainen </div>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen</div>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.1rc1</p>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen</body>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen</html>
b3c3d6f46f165cee9f9e80145b9ab5f636a81ba7Timo Sirainen