man.dnssec-keygen.html revision 21a5f882a11b379b5eea057c3571ad601666a23b
<!--
 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keygen.html,v 1.158 2010/02/07 01:14:11 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
<a name="id2613195"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
 (Transaction Key) as defined in RFC 2930.
 The <code class="option">name</code> of the key is specified on the command
 line. For DNSSEC keys, this must match the name of the zone for
 which the key is being generated.</p>
<h2>OPTIONS</h2>
<dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
 Selects the cryptographic algorithm. For DNSSEC keys, the value
 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY,
 the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
 HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
 case insensitive.
</p><p>
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
</p><p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
</p><p>
 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 automatically set the -T KEY option.
</p></dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits.
</p><p>
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with <code class="option">-a</code>,
 then there is no default key size, and <code class="option">-b</code>
 must be used.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default. Note that RSASHA256 and RSASHA512 algorithms
 are NSEC3-capable.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Uses crypto hardware (an OpenSSL engine) for random number
 generation and, when supported, key generation. When compiled with PKCS#11
 support it defaults to pkcs11; the empty name resets it to
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Sets the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
 Quiet mode: suppresses unnecessary output, including
 progress indication. Without this option, when
 <span><strong class="command">dnssec-keygen</strong></span> is run interactively
 to generate an RSA or DSA key pair, it will print a string
 of symbols to <code class="filename">stderr</code> indicating the
 progress of the key generation. A '.' indicates that a
 random number has been found which passed an initial
 sieve test; '+' means a number has passed a single
 round of the Miller-Rabin primality test; a space
 means that the number has passed all the tests and is
 a satisfactory key.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd><p>
 Specifies the resource record type to use for the key.
 <code class="option">rrtype</code> must be either DNSKEY or KEY. The
 default is DNSKEY when using a DNSSEC algorithm, but it can be
 overridden to KEY for use with SIG(0).
 Using any TSIG algorithm (HMAC-* or DH) forces this option
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
</dl>
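<p>The defaulting and range rules above interact: -3 changes the default algorithm and rejects non-NSEC3 algorithms, an explicit -a removes the default key size, and each algorithm family has its own -b range. The following pre-flight checker is an added example, not BIND code and not part of this manual page; it encodes only those stated rules so a planned invocation can be validated before it is run. The function names, the returned tuple shape and the error messages are this example's own.</p>

```python
"""Pre-flight checker for dnssec-keygen -a/-b/-3/-f KSK combinations.

Added example, not part of BIND. It applies the OPTIONS rules of the manual
page: algorithm defaults, NSEC3 compatibility, key-size ranges and the
default key sizes for ZSKs and KSKs.
"""

# Algorithm names exactly as the -a description lists them.
DNSSEC_ALGORITHMS = {"RSAMD5", "RSASHA1", "DSA", "NSEC3RSASHA1", "NSEC3DSA",
                     "RSASHA256", "RSASHA512"}
# TSIG/TKEY algorithms; the page says these force -T KEY.
TSIG_ALGORITHMS = {"DH", "HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224",
                   "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512"}
# NSEC3-capable algorithms according to the -3 description.
NSEC3_CAPABLE = {"NSEC3RSASHA1", "NSEC3DSA", "RSASHA256", "RSASHA512"}


def resolve_algorithm(algorithm=None, nsec3=False):
    """Apply the -a/-3 defaulting rules; names are case insensitive."""
    if algorithm is None:
        return "NSEC3RSASHA1" if nsec3 else "RSASHA1"
    alg = algorithm.upper()
    if alg not in DNSSEC_ALGORITHMS | TSIG_ALGORITHMS:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    if nsec3 and alg not in NSEC3_CAPABLE:
        raise ValueError(f"{alg} is not NSEC3-capable; -3 rejects it")
    return alg


def key_size_range(alg):
    """Return (low, high, multiple_of) for the -b value of an algorithm."""
    if alg.startswith("HMAC-"):
        return 1, 512, 1
    if alg == "DH":
        return 128, 4096, 1
    if alg in ("DSA", "NSEC3DSA"):
        return 512, 1024, 64
    return 512, 2048, 1          # the RSA family


def resolve_key_size(alg, keysize=None, ksk=False, explicit_algorithm=False):
    """Validate -b against alg, or pick the default size.

    Defaults (1024 for a ZSK, 2048 for a KSK) exist only when the algorithm
    itself was defaulted; with an explicit -a the page makes -b mandatory.
    """
    if keysize is None:
        if explicit_algorithm:
            raise ValueError("-b is required when -a is given explicitly")
        return 2048 if ksk else 1024
    low, high, step = key_size_range(alg)
    if not low <= keysize <= high:
        raise ValueError(f"{alg} key size must be between {low} and {high} bits")
    if keysize % step:
        raise ValueError(f"{alg} key size must be a multiple of {step}")
    return keysize


def plan(algorithm=None, keysize=None, nsec3=False, ksk=False):
    """Return the effective (algorithm, keysize, rrtype) for an invocation."""
    alg = resolve_algorithm(algorithm, nsec3)
    size = resolve_key_size(alg, keysize, ksk,
                            explicit_algorithm=algorithm is not None)
    rrtype = "KEY" if alg in TSIG_ALGORITHMS else "DNSKEY"
    return alg, size, rrtype


if __name__ == "__main__":
    print(plan())                        # ('RSASHA1', 1024, 'DNSKEY')
    print(plan(nsec3=True, ksk=True))    # ('NSEC3RSASHA1', 2048, 'DNSKEY')
    print(plan("dsa", 768))              # ('DSA', 768, 'DNSKEY')
    print(plan("hmac-sha256", 256))      # ('HMAC-SHA256', 256, 'KEY')
```

<p>Running <code>plan("RSASHA1", 1024, nsec3=True)</code> raises, because -3 checks an explicitly chosen algorithm for NSEC3 compatibility, and <code>plan("DSA", 700)</code> raises because DSA sizes must be a multiple of 64.</p>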
<a name="id2665460"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds.
</p>
<dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
</p></dd>
</dl>
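<p>The date/offset grammar and the five lifecycle dates are easy to get subtly wrong when scripting rollovers (a 'mo' is 30 days, a 'y' is 365 days, and -P and -A silently default to "now" unless -G is given). The following parser and key-state calculator is an added example, not BIND code and not part of this manual page; it implements exactly the grammar and the state transitions described in the TIMING OPTIONS section. The state names ("published", "active", "revoked", "retired", "deleted", "unpublished"), the interpretation of absolute dates as UTC, and the fixed reference instant in the tests are this example's own assumptions.</p>

```python
"""Parser for dnssec-keygen timing arguments and a key-state calculator.

Added example, not part of BIND. Implements the TIMING OPTIONS grammar
(YYYYMMDD, YYYYMMDDHHMMSS, or a +/- offset with an optional y/mo/w/d/h/mi
suffix) and derives what the zone does with a key at a given instant from
its -P/-A/-R/-I/-D dates. Absolute dates are assumed to be UTC.
"""
import re
from datetime import datetime, timedelta, timezone

# Suffix lengths as the page defines them: a year is 365 days, a month 30.
SUFFIX_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                  "d": 86400, "h": 3600, "mi": 60, "": 1}
_OFFSET = re.compile(r"^([+-])(\d+)(y|mo|w|d|h|mi)?$")


def parse_timing(arg, now=None):
    """Return a timezone-aware UTC datetime for one date/offset argument."""
    now = now or datetime.now(timezone.utc)
    m = _OFFSET.match(arg)
    if m:
        sign, amount, suffix = m.groups()
        delta = timedelta(seconds=int(amount) * SUFFIX_SECONDS[suffix or ""])
        return now + delta if sign == "+" else now - delta
    if re.fullmatch(r"\d{8}", arg):
        return datetime.strptime(arg, "%Y%m%d").replace(tzinfo=timezone.utc)
    if re.fullmatch(r"\d{14}", arg):
        return datetime.strptime(arg, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"bad date/offset {arg!r}")


def resolve_timing(now, publish=None, activate=None, revoke=None,
                   inactive=None, delete=None, generate_only=False):
    """Turn the -P/-A/-R/-I/-D option strings into datetimes (or None).

    -P and -A default to now unless -G (generate_only) was given; the page
    states that -G is incompatible with -P and -A.
    """
    if generate_only and (publish or activate):
        raise ValueError("-G is incompatible with -P and -A")
    conv = lambda v: None if v is None else parse_timing(v, now)
    times = {"publish": conv(publish), "activate": conv(activate),
             "revoke": conv(revoke), "inactive": conv(inactive),
             "delete": conv(delete)}
    if not generate_only:
        times["publish"] = times["publish"] or now
        times["activate"] = times["activate"] or now
    return times


def key_state(at, times):
    """Describe the key at time `at` using the option descriptions' rules.

    Later lifecycle dates win: deleted (out of the zone) beats retired (in
    the zone, not signing) beats revoked (flagged, still signing) beats
    active beats published (in the zone, not yet signing).
    """
    def past(key):
        return times[key] is not None and at >= times[key]

    if past("delete"):
        return "deleted"
    if past("inactive"):
        return "retired"
    if past("revoke"):
        return "revoked"
    if past("activate"):
        return "active"
    if past("publish"):
        return "published"
    return "unpublished"


if __name__ == "__main__":
    # Constructed reference instant, not the real clock.
    now = datetime(2010, 2, 7, 1, 14, 11, tzinfo=timezone.utc)
    plan = resolve_timing(now, activate="+1w", inactive="+1y", delete="+400d")
    for days in (3, 30, 366, 401):
        print(days, key_state(now + timedelta(days=days), plan))
```

<p>With the constructed plan above the key is "published" three days in, "active" after the one-week pre-publication interval, "retired" once the 365-day year has elapsed, and "deleted" after day 400; a key generated with <code>generate_only=True</code> has no publish or activate date and stays "unpublished" until those dates are set later.</p>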
<a name="id2665558"></a><h2>GENERATED KEYS</h2>
<p>
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
</p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
</ul>
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
</p>
<p>
 The <code class="filename">.key</code> file contains a DNS KEY record that
 can be inserted into a zone file (directly or with a $INCLUDE
</p>
<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
</p>
<p>
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric encryption algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
</p>
<h2>EXAMPLE</h2>
<p>
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong></p>
<p>
 The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong></p>
<p>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code> and
 <code class="filename">Kexample.com.+003+26160.private</code>.
</p>
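<p>The identification string printed above is the only handle an operator has on the two key files, and the GENERATED KEYS section makes one security requirement of them: the <code>.private</code> half must not be generally readable. The following script is an added example, not BIND code and not part of this manual page; it parses a <code>Knnnn.+aaa+iiiii</code> string, derives the <code>.key</code> and <code>.private</code> file names, and audits a key directory for private files whose mode bits grant group or world access or that lack their public half. The algorithm-number table is taken from the IANA DNSSEC algorithm registry rather than from this page, the check for a missing <code>.key</code> file is this example's own addition, and the key pairs in <code>demo()</code> are constructed empty files in a temporary directory (the <code>example.net</code> identifier and its tag are invented).</p>

```python
"""Parse a dnssec-keygen identification string and audit the key files.

Added example, not part of BIND. Splits Knnnn.+aaa+iiiii into its parts,
derives the .key/.private paths and checks the .private file's permissions
as the GENERATED KEYS section requires.
"""
import os
import re
import stat
import tempfile

# DNSSEC algorithm numbers from the IANA registry (not from the man page);
# only the algorithms the -a option lists are included here.
IANA_ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "NSEC3DSA",
                   7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512"}
_KEYID = re.compile(r"^K(?P<name>.*?)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def parse_key_id(ident):
    """Return (owner name with trailing dot, algorithm number, key tag)."""
    m = _KEYID.match(ident)
    if not m:
        raise ValueError(f"not a dnssec-keygen identifier: {ident!r}")
    return m.group("name") + ".", int(m.group("alg")), int(m.group("tag"))


def algorithm_name(number):
    """Map the numeric aaa field back to the -a mnemonic, if known."""
    return IANA_ALGORITHMS.get(number, f"unknown({number})")


def key_files(ident, directory="."):
    """Paths of the public (.key) and private (.private) halves."""
    return (os.path.join(directory, ident + ".key"),
            os.path.join(directory, ident + ".private"))


def audit_private_key(path):
    """Return a list of findings for one .private file; empty means fine."""
    findings = []
    mode = os.stat(path).st_mode
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("private key readable by group or others")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("private key writable by group or others")
    return findings


def audit_directory(directory):
    """Map every identifier that has a .private file to its findings."""
    report = {}
    for fname in sorted(os.listdir(directory)):
        if not fname.endswith(".private"):
            continue
        ident = fname[:-len(".private")]
        pub, priv = key_files(ident, directory)
        findings = audit_private_key(priv)
        if not os.path.exists(pub):
            findings.append("no matching .key file")
        report[ident] = findings
    return report


def demo():
    """Audit two constructed key pairs, one stored with a permissive mode."""
    with tempfile.TemporaryDirectory() as d:
        # The example.com identifier is the one printed in the man page's
        # EXAMPLE; the example.net one is constructed for this demo.
        for ident, mode in (("Kexample.com.+003+26160", 0o600),
                            ("Kexample.net.+005+12345", 0o644)):
            pub, priv = key_files(ident, d)
            open(pub, "w").close()
            open(priv, "w").close()
            os.chmod(priv, mode)
        return audit_directory(d)


if __name__ == "__main__":
    name, alg, tag = parse_key_id("Kexample.com.+003+26160")
    print(name, algorithm_name(alg), tag)     # example.com. DSA 26160
    for ident, findings in demo().items():
        print(ident, findings or "ok")
```

<p>The audit relies only on mode bits, so it runs the same way on a live key directory as on the constructed one; a finding of "readable by group or others" on a <code>.private</code> file is the condition the manual page says must never hold.</p>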
<h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,</p>
<h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span></p>