man.dnssec-keygen.html revision 2f8d63983c297c62630044d28a6f66676b4d339d
<!--
 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keygen.html,v 1.51 2007/06/18 23:37:20 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.host.html" title="host">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<tr>
<td width="20%" align="left"><a accesskey="p" href="man.host.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a></td>
</tr>
</table>
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<a name="id2598262"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.
</p>
<h2>OPTIONS</h2>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA), RSASHA1,
 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
 are case insensitive.
</p>
<p>
 Note 1: for DNSSEC, RSASHA1 is mandatory to implement
 and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
</p>
<p>
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
</p></dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)),
 or OTHER (DNSKEY). These values are case insensitive.
 The default is ZONE when generating DNSKEY records.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key), which applies to
 DNSKEY records.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<a name="id2598619"></a><h2>GENERATED KEYS</h2>
<p>
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
</p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
 of the algorithm.</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
 footprint).</p></li>
</ul>
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 private key.
</p>
<p>
 The <code class="filename">.key</code> file contains a DNS KEY/DNSKEY record that
 can be inserted into a zone file (directly or with a $INCLUDE
 statement).
</p>
<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
</p>
<p>
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric encryption algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
</p>
<h2>EXAMPLE</h2>
<p>
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
 issued:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong></p>
<p>
 The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong></p>
<p>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code> and
 <code class="filename">Kexample.com.+003+26160.private</code>.
</p>
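<p>
 The identification string and the two files it names are what an operator
 has to work with after the command above returns. The following script is an
 added example, not part of this manual page and not ISC code: it splits the
 <code class="filename">Knnnn.+aaa+iiiii</code> string into its three parts,
 derives the <code class="filename">.key</code> and
 <code class="filename">.private</code> file names, refuses a
 <code class="filename">.private</code> file that has group or world read
 permission, and checks that the algorithm number in the identifier matches
 the one in the KEY/DNSKEY record. Because it has to run without
 <code class="command">dnssec-keygen</code> installed, a helper writes
 hand-constructed stand-ins for the two files of the example above; the key
 material in them is dummy text, and the record layout (owner, class, type,
 flags, protocol, algorithm) and the <code class="literal">Private-key-format</code>
 header are the BIND file layouts as assumed here, not something this page
 describes.
</p>

```shell
#!/bin/sh
# Added example (not from the BIND manual page or from dnssec-keygen):
# post-generation checks on the Knnnn.+aaa+iiiii identifier and the two
# files it names. make_sample_keyfiles writes constructed stand-ins for the
# files 'dnssec-keygen -a DSA -b 768 -n ZONE example.com' would leave, so
# the script runs offline; the key material in them is dummy text.

# keyid_field ID N -> field N of Knnnn.+aaa+iiiii: 1 = name, 2 = algorithm, 3 = key id
keyid_field() {
    printf '%s\n' "${1#K}" | awk -F'+' -v n="$2" '{ print $n }'
}

# keyid_alg ID -> the algorithm number without zero padding (003 -> 3)
keyid_alg() {
    keyid_field "$1" 2 | sed 's/^0*\([0-9]\)/\1/'
}

# private_key_is_protected FILE -> succeeds only if neither group nor others
# can read FILE (characters 5-10 of the ls -l mode string are those bits)
private_key_is_protected() {
    case $(ls -ld -- "$1" | cut -c5-10) in
        *r*) return 1 ;;
        *)   return 0 ;;
    esac
}

# keyfile_field FILE OFFSET -> the RDATA field OFFSET tokens after the
# KEY/DNSKEY type token of the first record in a .key file:
# 1 = flags, 2 = protocol, 3 = algorithm. Works with or without a TTL column.
keyfile_field() {
    awk -v off="$2" '
        /^;/ || NF == 0 { next }          # skip comment and blank lines
        {
            for (i = 1; i <= NF; i++)
                if ($i == "KEY" || $i == "DNSKEY") { print $(i + off); exit }
        }' "$1"
}

# check_generated_key DIR ID -> succeeds if DIR/ID.key and DIR/ID.private
# exist, the private file is protected, and identifier and record agree
# on the algorithm number
check_generated_key() {
    dir=$1
    id=$2
    pub="$dir/$id.key"
    priv="$dir/$id.private"
    if [ ! -f "$pub" ] || [ ! -f "$priv" ]; then
        echo "$id: .key or .private file missing in $dir" >&2; return 1
    fi
    if ! private_key_is_protected "$priv"; then
        echo "$priv: private key is group- or world-readable" >&2; return 1
    fi
    if [ "$(keyid_alg "$id")" != "$(keyfile_field "$pub" 3)" ]; then
        echo "$id: algorithm in identifier and .key record differ" >&2; return 1
    fi
    return 0
}

# make_sample_keyfiles DIR -> constructs stand-ins for the two files of the
# manual's example and prints the identifier. Constructed data: flags 256
# (zone key), protocol 3, algorithm 3 (DSA); the base64 is not a real key.
make_sample_keyfiles() {
    dir=$1
    id="Kexample.com.+003+26160"
    printf 'example.com. IN DNSKEY 256 3 3 AQPDUMMYkeyMaterialNotARealDSAKey==\n' \
        > "$dir/$id.key"
    # umask 077 in a subshell so the .private file is created without any
    # group/world bits, matching dnssec-keygen withholding general read permission
    ( umask 077
      printf 'Private-key-format: v1.2\nAlgorithm: 3 (DSA)\nPrime(p): DUMMY\n' \
          > "$dir/$id.private" )
    printf '%s\n' "$id"
}

# Typical use after a real key generation (not executed here):
#   id=$(dnssec-keygen -a DSA -b 768 -n ZONE example.com) && check_generated_key . "$id"
```

<p>
 The permission check reads the mode string from <code class="command">ls -l</code>
 rather than <code class="command">stat</code>, whose flags differ between GNU and
 BSD systems, so the script runs unchanged on either. A
 <code class="filename">.private</code> file that fails the check should be
 treated as exposed: regenerate the key rather than merely fixing the mode.
</p>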
<h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
<h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span></p>