man.dnssec-keygen.html revision 36da16fa31fa2a582afe67010ba449a57177fd2f
 - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: man.dnssec-keygen.html,v 1.205 2011/11/07 01:15:03 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
 (Transaction Key) as defined in RFC 2930.
 The <code class="option">name</code> of the key is specified on the command
 line. For DNSSEC keys, this must match the name of the zone for
 which the key is being generated.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. For DNSSEC keys, the value
 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
 For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
 HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
 case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 automatically set the -T KEY option.
 Note 3: later guidance has moved on from these defaults. RFC 8624
 marks RSAMD5, DSA, NSEC3DSA and ECCGOST as MUST NOT for DNSSEC
 signing and RSASHA1 and NSEC3RSASHA1 as NOT RECOMMENDED, so of the
 algorithms offered here RSASHA256 is the one to choose for a new
 zone; for new TSIG keys prefer HMAC-SHA256 over HMAC-MD5.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits.
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with the <code class="option">-a</code> option,
 then there is no default key size, and the <code class="option">-b</code>
 option must be used.
 Note that the 1024-bit ZSK default is below current key-length
 guidance for RSA (at least 2048 bits); pass
 <code class="option">-b 2048</code> explicitly for new RSA keys.
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
<dt><span class="term">-3</span></dt>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default. Note that the RSASHA256, RSASHA512 and ECCGOST algorithms
 are NSEC3-capable.
<dt><span class="term">-C</span></dt>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc.). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 Uses a cryptographic hardware device (OpenSSL engine) for random number
 and, when supported, key generation. When compiled with PKCS#11
 support it defaults to pkcs11; the empty name resets it to
<dt><span class="term">-e</span></dt>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
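As an added example (not part of the BIND manual or its tools), the following Python reads the DNSKEY line that dnssec-keygen writes to its K&lt;name&gt;+&lt;alg&gt;+&lt;id&gt;.key file, decodes the flag bits the -f option sets (the ZONE bit, value 256; the SEP bit, value 1, set by -f KSK; and the REVOKE bit, value 128, set by -f REVOKE), and recomputes the key tag from RFC 4034 Appendix B that forms the &lt;id&gt; part of the file name. The sample key file is constructed for this example and carries a two-byte placeholder public key rather than real key material.

```python
import base64

# DNSKEY flag bits (RFC 4034 section 2.1.1, RFC 5011 section 2.1).
FLAG_ZONE = 0x0100    # bit 7: Zone Key (set for -n ZONE keys)
FLAG_REVOKE = 0x0080  # bit 8: key has been revoked (what "-f REVOKE" sets)
FLAG_SEP = 0x0001     # bit 15: Secure Entry Point (what "-f KSK" sets)

# Constructed sample in the layout dnssec-keygen writes to Kname+alg+id.key:
# ';' comment lines carrying the metadata, then one DNSKEY RR. The TTL field
# is present because the key was generated with -L. The public key is a
# two-byte placeholder (base64 "AQI="), not real key material.
SAMPLE_KEY_FILE = """\
; This is a key-signing key, keyid 1291, for example.com.
; Created: 20111107011503 (Mon Nov  7 01:15:03 2011)
; Publish: 20111107011503 (Mon Nov  7 01:15:03 2011)
; Activate: 20111107011503 (Mon Nov  7 01:15:03 2011)
example.com. 3600 IN DNSKEY 257 3 8 AQI=
"""


def key_tag(rdata: bytes, algorithm: int) -> int:
    """Key tag from RFC 4034 Appendix B over the wire-format RDATA
    (flags, protocol, algorithm, public key). Algorithm 1 (RSAMD5) derives
    its tag from the modulus instead and is rejected here."""
    if algorithm == 1:
        raise ValueError("RSAMD5 key tags are computed differently; not supported")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_file(text: str) -> dict:
    """Parse the DNSKEY/KEY RR out of a .key file and describe the key."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        fields = line.split()
        # A TTL between owner name and class appears only when -L was used.
        if fields[1].isdigit():
            name, ttl, cls, rrtype, rest = fields[0], int(fields[1]), fields[2], fields[3], fields[4:]
        else:
            name, ttl, cls, rrtype, rest = fields[0], None, fields[1], fields[2], fields[3:]
        if rrtype not in ("DNSKEY", "KEY"):
            raise ValueError(f"unexpected RR type {rrtype}")
        flags, protocol, algorithm = int(rest[0]), int(rest[1]), int(rest[2])
        pubkey = base64.b64decode("".join(rest[3:]))  # base64 may be split on spaces
        rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
        if rrtype == "DNSKEY" and protocol != 3:
            raise ValueError("DNSKEY protocol field must be 3 (RFC 4034)")
        if flags & FLAG_ZONE:
            role = "KSK" if flags & FLAG_SEP else "ZSK"
        else:
            role = "non-zone key"  # -n HOST/ENTITY/USER/OTHER keys land here
        return {
            "name": name, "ttl": ttl, "class": cls, "rrtype": rrtype,
            "flags": flags, "protocol": protocol, "algorithm": algorithm,
            "role": role, "revoked": bool(flags & FLAG_REVOKE),
            "key_tag": key_tag(rdata, algorithm),
        }
    raise ValueError("no DNSKEY/KEY record found")


def key_file_name(info: dict) -> str:
    """The K<name>+<alg>+<tag> base name dnssec-keygen uses for the key files."""
    return f"K{info['name']}+{info['algorithm']:03d}+{info['key_tag']:05d}"


if __name__ == "__main__":
    info = parse_key_file(SAMPLE_KEY_FILE)
    print(key_file_name(info), info["role"], "revoked" if info["revoked"] else "")
```

Because the flags field is part of the tag input, setting REVOKE on an existing key raises its tag by 128; that is why a revoked key gets a new file name rather than keeping the one it was generated with.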
<dt><span class="term">-G</span></dt>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
 Deprecated in favor of -T KEY.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-q</span></dt>
 Quiet mode: suppresses unnecessary output, including
 progress indication. Without this option, when
 <span><strong class="command">dnssec-keygen</strong></span> is run interactively
 to generate an RSA or DSA key pair, it will print a string
 of symbols to <code class="filename">stderr</code> indicating the
 progress of the key generation. A '.' indicates that a
 random number has been found which passed an initial
 sieve test; '+' means a number has passed a single
 round of the Miller-Rabin primality test; a space
 means that the number has passed all the tests and is
 a satisfactory key.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
 Keyboard-derived entropy is a last resort: on any system with a
 working kernel random device, leave this option at its default, and
 never point it at a file whose contents are predictable or reused,
 since the private key is only as strong as the randomness it was
 generated from.
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
 Create a new key which is an explicit successor to an
 existing key. The name, algorithm, size, and type of the
 key will be set to match the existing key. The activation
 date of the new key will be set to the inactivation date of
 the existing one. The publication date will be set to the
 activation date minus the prepublication interval, which
 defaults to 30 days.
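As an added example (not code from BIND), this Python reproduces the timing arithmetic that -S performs so the resulting publication and activation dates can be checked before the successor key is generated. It assumes the date/offset and interval syntax documented for these options elsewhere in the dnssec-keygen manual and not quoted on this page (YYYYMMDD or YYYYMMDDHHMMSS, or +N/-N relative to now with an optional y, mo, w, d, h or mi suffix, where a year is 365 days and a month 30 days), and it adds a rollover sanity check from RFC 6781 that the tool itself does not perform: the prepublication interval must be at least the DNSKEY TTL, or resolvers may see signatures from a key they have not yet cached.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

TIMESTAMP = "%Y%m%d%H%M%S"  # the form dnssec-keygen writes into the key metadata

# Suffixes accepted by the date/offset and -i arguments. Years and months are
# fixed-length, as the tool defines them; no suffix means seconds.
_SUFFIX_SECONDS = {
    "y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
    "d": 86400, "h": 3600, "mi": 60, "": 1,
}


def parse_interval(value: str) -> timedelta:
    """An interval such as '30d', '2w', '1mo' or '3600' (seconds)."""
    m = re.fullmatch(r"(\d+)(y|mo|w|d|h|mi)?", value)
    if not m:
        raise ValueError(f"bad interval: {value!r}")
    return timedelta(seconds=int(m.group(1)) * _SUFFIX_SECONDS[m.group(2) or ""])


def parse_date_or_offset(value: str, now: Optional[datetime]) -> datetime:
    """Absolute YYYYMMDD / YYYYMMDDHHMMSS, or +/-interval relative to now."""
    if value and value[0] in "+-":
        if now is None:
            raise ValueError("relative offsets need a reference time")
        delta = parse_interval(value[1:])
        return now + delta if value[0] == "+" else now - delta
    if re.fullmatch(r"\d{8}", value):
        return datetime.strptime(value, "%Y%m%d")
    if re.fullmatch(r"\d{14}", value):
        return datetime.strptime(value, TIMESTAMP)
    raise ValueError(f"bad date/offset: {value!r}")


def successor_schedule(predecessor_inactive: str, prepublish: str = "30d",
                       now: Optional[datetime] = None) -> dict:
    """What -S derives for the new key: it activates when the predecessor
    goes inactive and is published one prepublication interval (-i,
    default 30 days) earlier."""
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)  # naive UTC, like the tool
    activate = parse_date_or_offset(predecessor_inactive, now)
    publish = activate - parse_interval(prepublish)
    return {"publish": publish.strftime(TIMESTAMP),
            "activate": activate.strftime(TIMESTAMP)}


def prepublish_covers_ttl(schedule: dict, dnskey_ttl: int, propagation: int = 0) -> bool:
    """Rollover sanity check (RFC 6781 pre-publish rollover): the new DNSKEY
    must have been visible for at least its TTL, plus any time the zone
    takes to reach all secondaries, before signatures made with it appear."""
    publish = datetime.strptime(schedule["publish"], TIMESTAMP)
    activate = datetime.strptime(schedule["activate"], TIMESTAMP)
    return (activate - publish) >= timedelta(seconds=dnskey_ttl + propagation)


if __name__ == "__main__":
    # Constructed scenario: the current ZSK is set to go inactive on 2012-03-01.
    plan = successor_schedule("20120301000000")
    print(plan, "ok" if prepublish_covers_ttl(plan, dnskey_ttl=3600) else "TTL not covered")
```

The check is deliberately stricter than the tool: dnssec-keygen will happily accept -i 1h against a one-day DNSKEY TTL, and the schedule will look fine until validators start failing.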
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
 Specifies the resource record type to use for the key.
 <code class="option">rrtype</code> must be either DNSKEY or KEY. The
 default is DNSKEY when using a DNSSEC algorithm, but it can be
 overridden to KEY for use with SIG(0).
 Using any TSIG algorithm (HMAC-* or DH) forces this option