eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<html>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<head>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<title>dnssec-keygen</title>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici</head>

b0465323d102d12fdad78489cccc5e6a379db9e0Kamal Sivanandam<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

472fc80404c5545ee7bdc88554b8580758ccccdaKohei Tamura<div class="navheader">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<table width="100%" summary="Navigation header">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<tr>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<td width="20%" align="left">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>�</td>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<th width="60%" align="center">Manual pages</th>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-signzone.html">Next</a>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici</td>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici</tr>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici</table>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<hr>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici</div>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<div class="refentry" lang="en">

f35fa6b495e6ea8bfb6b752ecc172d75187e7b48Peter Major<a name="man.dnssec-keygen"></a><div class="titlepage"></div>

f35fa6b495e6ea8bfb6b752ecc172d75187e7b48Peter Major<div class="refnamediv">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<h2>Name</h2>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>

f35fa6b495e6ea8bfb6b752ecc172d75187e7b48Peter Major</div>

f35fa6b495e6ea8bfb6b752ecc172d75187e7b48Peter Major<div class="refsynopsisdiv">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<h2>Synopsis</h2>

f35fa6b495e6ea8bfb6b752ecc172d75187e7b48Peter Major<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>

f35fa6b495e6ea8bfb6b752ecc172d75187e7b48Peter Major</div>

f35fa6b495e6ea8bfb6b752ecc172d75187e7b48Peter Major<div class="refsect1" lang="en">

f35fa6b495e6ea8bfb6b752ecc172d75187e7b48Peter Major<a name="id2602782"></a><h2>DESCRIPTION</h2>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<p><span><strong class="command">dnssec-keygen</strong></span>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici generates keys for DNSSEC (Secure DNS), as defined in RFC 2535

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici and RFC 4034. It can also generate keys for use with

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici TSIG (Transaction Signatures), as defined in RFC 2845.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici</div>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<div class="refsect1" lang="en">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<a name="id2602796"></a><h2>OPTIONS</h2>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<div class="variablelist"><dl>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dd>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici Selects the cryptographic algorithm. The value of

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,

472fc80404c5545ee7bdc88554b8580758ccccdaKohei Tamura DSA, DH (Diffie Hellman), or HMAC-MD5. These values

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici are case insensitive.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici algorithm,

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici Note 2: HMAC-MD5 and DH automatically set the -k flag.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici</dd>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dd><p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici Specifies the number of bits in the key. The choice of key

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici between

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici 512 and 2048 bits. Diffie Hellman keys must be between

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici 128 and 4096 bits. DSA keys must be between 512 and 1024

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici bits and an exact multiple of 64. HMAC-MD5 keys must be

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici between 1 and 512 bits.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p></dd>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dd><p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici Specifies the owner type of the key. The value of

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici <code class="option">nametype</code> must either be ZONE (for a DNSSEC

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici a host (KEY)),

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici These values are case insensitive. Defaults to ZONE for DNSKEY

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici generation.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p></dd>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dd><p>

0e93e49a78b66390d2ff541eea6307b4c3fb33b4Peter Major Indicates that the DNS record containing the key should have

0e93e49a78b66390d2ff541eea6307b4c3fb33b4Peter Major the specified class. If not specified, class IN is used.

0e93e49a78b66390d2ff541eea6307b4c3fb33b4Peter Major </p></dd>

0e93e49a78b66390d2ff541eea6307b4c3fb33b4Peter Major<dt><span class="term">-e</span></dt>

0e93e49a78b66390d2ff541eea6307b4c3fb33b4Peter Major<dd><p>

0e93e49a78b66390d2ff541eea6307b4c3fb33b4Peter Major If generating an RSAMD5/RSASHA1 key, use a large exponent.

0e93e49a78b66390d2ff541eea6307b4c3fb33b4Peter Major </p></dd>

b0465323d102d12fdad78489cccc5e6a379db9e0Kamal Sivanandam<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>

b0465323d102d12fdad78489cccc5e6a379db9e0Kamal Sivanandam<dd><p>

b0465323d102d12fdad78489cccc5e6a379db9e0Kamal Sivanandam Set the specified flag in the flag field of the KEY/DNSKEY record.

b0465323d102d12fdad78489cccc5e6a379db9e0Kamal Sivanandam The only recognized flag is KSK (Key Signing Key) DNSKEY.

b0465323d102d12fdad78489cccc5e6a379db9e0Kamal Sivanandam </p></dd>

0e93e49a78b66390d2ff541eea6307b4c3fb33b4Peter Major<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dd><p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici If generating a Diffie Hellman key, use this generator.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici Allowed values are 2 and 5. If no generator

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici is specified, a known prime from RFC 2539 will be used

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici if possible; otherwise the default is 2.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p></dd>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dt><span class="term">-h</span></dt>

972cf11d75985240ffcd151efe0f0fa055263591Bernhard Thalmayr<dd><p>

972cf11d75985240ffcd151efe0f0fa055263591Bernhard Thalmayr Prints a short summary of the options and arguments to

972cf11d75985240ffcd151efe0f0fa055263591Bernhard Thalmayr <span><strong class="command">dnssec-keygen</strong></span>.

972cf11d75985240ffcd151efe0f0fa055263591Bernhard Thalmayr </p></dd>

972cf11d75985240ffcd151efe0f0fa055263591Bernhard Thalmayr<dt><span class="term">-k</span></dt>

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major<dd><p>

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major Generate KEY records rather than DNSKEY records.

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major </p></dd>

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major<dd><p>

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major Sets the protocol value for the generated key. The protocol

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major is a number between 0 and 255. The default is 3 (DNSSEC).

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major Other possible values for this argument are listed in

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major RFC 2535 and its successors.

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major </p></dd>

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>

7b231e67dc8acb6995cce9bcdbc71f40a4f37dd9Peter Major<dd><p>

4dc602d4e4ad1f57d4c9e3fdd7da27ad84aad32cPeter Major Specifies the source of randomness. If the operating

4dc602d4e4ad1f57d4c9e3fdd7da27ad84aad32cPeter Major system does not provide a <code class="filename">/dev/random</code>

4dc602d4e4ad1f57d4c9e3fdd7da27ad84aad32cPeter Major or equivalent device, the default source of randomness

4dc602d4e4ad1f57d4c9e3fdd7da27ad84aad32cPeter Major is keyboard input. <code class="filename">randomdev</code>

4dc602d4e4ad1f57d4c9e3fdd7da27ad84aad32cPeter Major specifies

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici the name of a character device or file containing random

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici data to be used instead of the default. The special value

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici <code class="filename">keyboard</code> indicates that keyboard

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici input should be used.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p></dd>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dd><p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici Specifies the strength value of the key. The strength is

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici a number between 0 and 15, and currently has no defined

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici purpose in DNSSEC.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p></dd>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dd><p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici Indicates the use of the key. <code class="option">type</code> must be

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici is AUTHCONF. AUTH refers to the ability to authenticate

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici data, and CONF the ability to encrypt data.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p></dd>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<dd><p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici Sets the debugging level.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p></dd>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici</dl></div>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici</div>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<div class="refsect1" lang="en">

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<a name="id2603481"></a><h2>GENERATED KEYS</h2>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici<p>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici When <span><strong class="command">dnssec-keygen</strong></span> completes

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici successfully,

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici to the standard output. This is an identification string for

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici the key it has generated.

eff90ff0c76aeda1c8a5f091602c67f929ee29a2Alin Brici </p>

972cf11d75985240ffcd151efe0f0fa055263591Bernhard Thalmayr<div class="itemizedlist"><ul type="disc">

972cf11d75985240ffcd151efe0f0fa055263591Bernhard Thalmayr<li><p><code class="filename">nnnn</code> is the key name.

</p></li>

<li><p><code class="filename">aaa</code> is the numeric representation

of the

algorithm.

</p></li>

<li><p><code class="filename">iiiii</code> is the key identifier (or

footprint).

</p></li>

</ul></div>

<p><span><strong class="command">dnssec-keygen</strong></span>

creates two files, with names based

on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>

contains the public key, and

<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the

private

key.

</p>

<p>

The <code class="filename">.key</code> file contains a DNS KEY record

that

can be inserted into a zone file (directly or with a $INCLUDE

statement).

</p>

<p>

The <code class="filename">.private</code> file contains

algorithm-specific

fields. For obvious security reasons, this file does not have

general read permission.

</p>

<p>

Both <code class="filename">.key</code> and <code class="filename">.private</code>

files are generated for symmetric encryption algorithms such as

HMAC-MD5, even though the public and private key are equivalent.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2605773"></a><h2>EXAMPLE</h2>

<p>

To generate a 768-bit DSA key for the domain

<strong class="userinput"><code>example.com</code></strong>, the following command would be

issued:

</p>

<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>

</p>

<p>

The command would print a string of the form:

</p>

<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>

</p>

<p>

In this example, <span><strong class="command">dnssec-keygen</strong></span> creates

the files <code class="filename">Kexample.com.+003+26160.key</code>

and

<code class="filename">Kexample.com.+003+26160.private</code>.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2605830"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,

<em class="citetitle">BIND 9 Administrator Reference Manual</em>,

<em class="citetitle">RFC 2535</em>,

<em class="citetitle">RFC 2845</em>,

<em class="citetitle">RFC 2539</em>.

</p>

</div>

<div class="refsect1" lang="en">

<a name="id2605861"></a><h2>AUTHOR</h2>

<p><span class="corpauthor">Internet Systems Consortium</span>

</p>

</div>

</div>

<div class="navfooter">

<hr>

<table width="100%" summary="Navigation footer">

<tr>

<td width="40%" align="left">

<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>�</td>

<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>

<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-signzone.html">Next</a>

</td>

</tr>

<tr>

<td width="40%" align="left" valign="top">

<span class="application">dnssec-keyfromlabel</span>�</td>

<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>

<td width="40%" align="right" valign="top">�<span class="application">dnssec-signzone</span>

</td>

</tr>

</table>

</div>

</body>

</html>