man.dnssec-keygen.html revision 297be3708069ef31814d6d75c0d71a50a78feb03
d657c51f14601d0235434ffb78cf6ac0f27cc83cLennart Poettering<!--
220a21d38f675eb835f5758e3d23e896573aa5eaLennart Poettering - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - Copyright (C) 2000-2003 Internet Software Consortium.
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann -
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - Permission to use, copy, modify, and distribute this software for any
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - purpose with or without fee is hereby granted, provided that the above
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - copyright notice and this permission notice appear in all copies.
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann -
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann - PERFORMANCE OF THIS SOFTWARE.
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann-->
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<!-- $Id: man.dnssec-keygen.html,v 1.62 2008/01/03 01:12:37 marka Exp $ -->
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<html>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<head>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<title>dnssec-keygen</title>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<link rel="prev" href="man.host.html" title="host">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann</head>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<div class="refentry" lang="en">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<div class="refnamediv">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<h2>Name</h2>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann</div>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<div class="refsynopsisdiv">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<h2>Synopsis</h2>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann</div>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<div class="refsect1" lang="en">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<a name="id2598984"></a><h2>DESCRIPTION</h2>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<p><span><strong class="command">dnssec-keygen</strong></span>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann and RFC 4034. It can also generate keys for use with
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann TSIG (Transaction Signatures), as defined in RFC 2845.
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann </p>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann</div>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<div class="refsect1" lang="en">
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<a name="id2598998"></a><h2>OPTIONS</h2>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<div class="variablelist"><dl>
c9912c5eafa03fdf53e569eaf2e89d7e0932975bDavid Herrmann<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
ec5249a27adb1ffbcd41f2c771e19c3353819456Daniel Mack<dd>
ec5249a27adb1ffbcd41f2c771e19c3353819456Daniel Mack<p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA), RSASHA1,
 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
 are case insensitive.
e1439a1472c5f691733b8ef10e702beac2496a63David Herrmann </p>
e1439a1472c5f691733b8ef10e702beac2496a63David Herrmann<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
 These requirements reflect the RFCs cited on this page; later
 guidance (RFC 8624 for DNSSEC, RFC 8945 for TSIG) advises against
 RSAMD5, DSA and HMAC-MD5, so check current recommendations before
 choosing an algorithm for a new key.
ec5249a27adb1ffbcd41f2c771e19c3353819456Daniel Mack </p>
e1439a1472c5f691733b8ef10e702beac2496a63David Herrmann<p>
e1439a1472c5f691733b8ef10e702beac2496a63David Herrmann Note 2: HMAC-MD5 and DH automatically set the -k flag.
e1439a1472c5f691733b8ef10e702beac2496a63David Herrmann </p>
e1439a1472c5f691733b8ef10e702beac2496a63David Herrmann</dd>
e1439a1472c5f691733b8ef10e702beac2496a63David Herrmann<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
e1439a1472c5f691733b8ef10e702beac2496a63David Herrmann<dd><p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits. These ranges are what the tool accepts,
 not recommended sizes; keys near the lower bounds provide little
 protection.
11811e856b0c63439d45edc9c9834ad427e1bb6aDavid Herrmann </p></dd>
11811e856b0c63439d45edc9c9834ad427e1bb6aDavid Herrmann<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
10fa421cd2abdc2ae1a07f7c13bfaa4ee6d6de4fDavid Herrmann<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
 generation.
11811e856b0c63439d45edc9c9834ad427e1bb6aDavid Herrmann </p></dd>
11811e856b0c63439d45edc9c9834ad427e1bb6aDavid Herrmann<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
11811e856b0c63439d45edc9c9834ad427e1bb6aDavid Herrmann<dd><p>
11811e856b0c63439d45edc9c9834ad427e1bb6aDavid Herrmann Indicates that the DNS record containing the key should have
11811e856b0c63439d45edc9c9834ad427e1bb6aDavid Herrmann the specified class. If not specified, class IN is used.
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann </p></dd>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<dt><span class="term">-e</span></dt>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<dd><p>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann If generating an RSAMD5/RSASHA1 key, use a large exponent.
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann </p></dd>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<dd><p>
01608bc86a104423d192364f9534b83d0c75db7fKay Sievers Set the specified flag in the flag field of the KEY/DNSKEY record.
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann The only recognized flag is KSK (Key Signing Key) DNSKEY.
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann </p></dd>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<dd><p>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann If generating a Diffie Hellman key, use this generator.
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack Allowed values are 2 and 5. If no generator
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack is specified, a known prime from RFC 2539 will be used
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack if possible; otherwise the default is 2.
37d54b938faeefd0a5a74f9197a33d78bbb8d6bfDaniel Mack </p></dd>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack<dt><span class="term">-h</span></dt>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack<dd><p>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack Prints a short summary of the options and arguments to
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack <span><strong class="command">dnssec-keygen</strong></span>.
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack </p></dd>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack<dt><span class="term">-k</span></dt>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack<dd><p>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack Generate KEY records rather than DNSKEY records.
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack </p></dd>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack<dd><p>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack Sets the protocol value for the generated key. The protocol
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack is a number between 0 and 255. The default is 3 (DNSSEC).
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack Other possible values for this argument are listed in
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack RFC 2535 and its successors.
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack </p></dd>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
931618d08c64083ff7b29c494f482c40a5b05608Daniel Mack<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used. The generated key is only as unpredictable
 as this source, so a file named here must contain high-quality
 random data that is not known to anyone else.
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann </p></dd>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<dd><p>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann Specifies the strength value of the key. The strength is
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann a number between 0 and 15, and currently has no defined
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann purpose in DNSSEC.
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann </p></dd>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<dd><p>
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann Indicates the use of the key. <code class="option">type</code> must be
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann is AUTHCONF. AUTH refers to the ability to authenticate
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann data, and CONF the ability to encrypt data.
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann </p></dd>
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann<dd><p>
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann Sets the debugging level.
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann </p></dd>
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann</dl></div>
e4e66993951e9e349e8008fa7c81184b6e4ae385David Herrmann</div>
e57eaef8a187762ca92838c24b9b6460878a800cDavid Herrmann<div class="refsect1" lang="en">
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann<a name="id2599614"></a><h2>GENERATED KEYS</h2>
5541c88977e63215e74b7517fb33cb27e5a04f17David Herrmann<p>
861b02ebd6ec997a6880824960ba8903bac74f7dKay Sievers When <span><strong class="command">dnssec-keygen</strong></span> completes
861b02ebd6ec997a6880824960ba8903bac74f7dKay Sievers successfully,
861b02ebd6ec997a6880824960ba8903bac74f7dKay Sievers it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
861b02ebd6ec997a6880824960ba8903bac74f7dKay Sievers to the standard output. This is an identification string for
861b02ebd6ec997a6880824960ba8903bac74f7dKay Sievers the key it has generated.
861b02ebd6ec997a6880824960ba8903bac74f7dKay Sievers </p>
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann<div class="itemizedlist"><ul type="disc">
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann<li><p><code class="filename">nnnn</code> is the key name.
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann </p></li>
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann<li><p><code class="filename">aaa</code> is the numeric representation
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann of the
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann algorithm.
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann </p></li>
5541c88977e63215e74b7517fb33cb27e5a04f17David Herrmann<li><p><code class="filename">iiiii</code> is the key identifier (or
5541c88977e63215e74b7517fb33cb27e5a04f17David Herrmann footprint).
5541c88977e63215e74b7517fb33cb27e5a04f17David Herrmann </p></li>
5541c88977e63215e74b7517fb33cb27e5a04f17David Herrmann</ul></div>
9b361114f568e839784a3aeba5c1df5a95e86832Daniel Mack<p><span><strong class="command">dnssec-keygen</strong></span>
9b361114f568e839784a3aeba5c1df5a95e86832Daniel Mack creates two files, with names based
9b361114f568e839784a3aeba5c1df5a95e86832Daniel Mack on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
9b361114f568e839784a3aeba5c1df5a95e86832Daniel Mack contains the public key, and
9b361114f568e839784a3aeba5c1df5a95e86832Daniel Mack <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
9b361114f568e839784a3aeba5c1df5a95e86832Daniel Mack private
9b361114f568e839784a3aeba5c1df5a95e86832Daniel Mack key.
9b361114f568e839784a3aeba5c1df5a95e86832Daniel Mack </p>
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann<p>
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann The <code class="filename">.key</code> file contains a DNS KEY record
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann that
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann can be inserted into a zone file (directly or with a $INCLUDE
5541c88977e63215e74b7517fb33cb27e5a04f17David Herrmann statement).
5541c88977e63215e74b7517fb33cb27e5a04f17David Herrmann </p>
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields, including the private key. To protect the private key, this
 file does not have general read permission.
2d1ca11270e66777c90a449096203afebc37ec9cDavid Herrmann </p>
0db83ad7334809a6605501e24bad55f3b652c072David Herrmann<p>
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric (shared-secret) algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
 Because they are equivalent, the <code class="filename">.key</code> file
 of such a key also holds the secret and needs the same protection as
 the <code class="filename">.private</code> file.
5f92d24fa85d6652c4754e3b3b2a3393026bd0b9Kay Sievers </p>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering</div>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<div class="refsect1" lang="en">
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<a name="id2599790"></a><h2>EXAMPLE</h2>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<p>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering To generate a 768-bit DSA key for the domain
0aee49d5fba2b2ec94e5c069d937004858a04b4fThomas Hindoe Paaboel Andersen <strong class="userinput"><code>example.com</code></strong>, the following command would be
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering issued:
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering </p>
5f92d24fa85d6652c4754e3b3b2a3393026bd0b9Kay Sievers<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
0f0467e63b0e0688ae9edb1512c1a2637d62ddb4Martin Pitt </p>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<p>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering The command would print a string of the form:
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering </p>
c65514649680e5d5ee6a118db6e5b20438cb1710Ronny Chevalier<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering </p>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<p>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering the files <code class="filename">Kexample.com.+003+26160.key</code>
0aee49d5fba2b2ec94e5c069d937004858a04b4fThomas Hindoe Paaboel Andersen and
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering <code class="filename">Kexample.com.+003+26160.private</code>.
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering </p>
0f0467e63b0e0688ae9edb1512c1a2637d62ddb4Martin Pitt</div>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<div class="refsect1" lang="en">
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<a name="id2601144"></a><h2>SEE ALSO</h2>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
0aee49d5fba2b2ec94e5c069d937004858a04b4fThomas Hindoe Paaboel Andersen <em class="citetitle">RFC 2535</em>,
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering <em class="citetitle">RFC 2845</em>,
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering <em class="citetitle">RFC 2539</em>.
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering </p>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering</div>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<div class="refsect1" lang="en">
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<a name="id2601175"></a><h2>AUTHOR</h2>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering<p><span class="corpauthor">Internet Systems Consortium</span>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering </p>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering</div>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering</div>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering</body>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering</html>
470e72d4081c7d0fd74666b7a45358d5ee2abee1Lennart Poettering