29fc13ae8c586a980b0d4e8cba4546b370a951e6wrowe<!--
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard - Copyright (C) 2000-2003 Internet Software Consortium.
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard -
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard - Permission to use, copy, modify, and/or distribute this software for any
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe - purpose with or without fee is hereby granted, provided that the above
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard - copyright notice and this permission notice appear in all copies.
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard -
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe - PERFORMANCE OF THIS SOFTWARE.
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe-->
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<!-- $Id: man.dnssec-keygen.html,v 1.157 2010/02/04 01:14:16 tbox Exp $ -->
29fc13ae8c586a980b0d4e8cba4546b370a951e6wrowe<html>
29fc13ae8c586a980b0d4e8cba4546b370a951e6wrowe<head>
29fc13ae8c586a980b0d4e8cba4546b370a951e6wrowe<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<title>dnssec-keygen</title>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe</head>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<div class="navheader">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<table width="100%" summary="Navigation header">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<tr>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<td width="20%" align="left">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&nbsp;</td>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<th width="60%" align="center">Manual pages</th>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe</td>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe</tr>
995f5596d461cdd916f9ae5b7b4dcd27efbc3c2fwrowe</table>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<hr>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe</div>
995f5596d461cdd916f9ae5b7b4dcd27efbc3c2fwrowe<div class="refentry" lang="en">
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<div class="refnamediv">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<h2>Name</h2>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe</div>
995f5596d461cdd916f9ae5b7b4dcd27efbc3c2fwrowe<div class="refsynopsisdiv">
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<h2>Synopsis</h2>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe</div>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<div class="refsect1" lang="en">
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<a name="id2613125"></a><h2>DESCRIPTION</h2>
995f5596d461cdd916f9ae5b7b4dcd27efbc3c2fwrowe<p><span><strong class="command">dnssec-keygen</strong></span>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe and RFC 4034. It can also generate keys for use with
1e83c8de3aa48b316b28057d53995272baf1260cwrowe TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
1e83c8de3aa48b316b28057d53995272baf1260cwrowe (Transaction Key) as defined in RFC 2930.
1e83c8de3aa48b316b28057d53995272baf1260cwrowe </p>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<p>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe The <code class="option">name</code> of the key is specified on the command
1e83c8de3aa48b316b28057d53995272baf1260cwrowe line. For DNSSEC keys, this must match the name of the zone for
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe which the key is being generated.
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe </p>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe</div>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<div class="refsect1" lang="en">
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<a name="id2613145"></a><h2>OPTIONS</h2>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<div class="variablelist"><dl>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<dd>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<p>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe Selects the cryptographic algorithm. For DNSSEC keys, the value
1e83c8de3aa48b316b28057d53995272baf1260cwrowe of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
1e83c8de3aa48b316b28057d53995272baf1260cwrowe DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
1e83c8de3aa48b316b28057d53995272baf1260cwrowe For TSIG/TKEY, the value must
1e83c8de3aa48b316b28057d53995272baf1260cwrowe be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
1e83c8de3aa48b316b28057d53995272baf1260cwrowe HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
29fc13ae8c586a980b0d4e8cba4546b370a951e6wrowe case insensitive.
29fc13ae8c586a980b0d4e8cba4546b370a951e6wrowe </p>
29fc13ae8c586a980b0d4e8cba4546b370a951e6wrowe<p>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe If no algorithm is specified, then RSASHA1 will be used by
1e83c8de3aa48b316b28057d53995272baf1260cwrowe default, unless the <code class="option">-3</code> option is specified,
1e83c8de3aa48b316b28057d53995272baf1260cwrowe in which case NSEC3RSASHA1 will be used instead. (If
1e83c8de3aa48b316b28057d53995272baf1260cwrowe <code class="option">-3</code> is used and an algorithm is specified,
1e83c8de3aa48b316b28057d53995272baf1260cwrowe that algorithm will be checked for compatibility with NSEC3.)
1e83c8de3aa48b316b28057d53995272baf1260cwrowe </p>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<p>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
1e83c8de3aa48b316b28057d53995272baf1260cwrowe algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
77fb25ff24dbb3bbb6e438961f8fb364f3b08f6awrowe mandatory.
77fb25ff24dbb3bbb6e438961f8fb364f3b08f6awrowe </p>
77fb25ff24dbb3bbb6e438961f8fb364f3b08f6awrowe<p>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
1e83c8de3aa48b316b28057d53995272baf1260cwrowe automatically set the -T KEY option.
1e83c8de3aa48b316b28057d53995272baf1260cwrowe </p>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe</dd>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<dd>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe<p>
1e83c8de3aa48b316b28057d53995272baf1260cwrowe Specifies the number of bits in the key. The choice of key
1e83c8de3aa48b316b28057d53995272baf1260cwrowe size depends on the algorithm used. RSA keys must be
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe between 512 and 2048 bits. Diffie Hellman keys must be between
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe 128 and 4096 bits. DSA keys must be between 512 and 1024
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe bits and an exact multiple of 64. HMAC keys must be
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe between 1 and 512 bits.
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe </p>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<p>
995f5596d461cdd916f9ae5b7b4dcd27efbc3c2fwrowe The key size does not need to be specified if using a default
995f5596d461cdd916f9ae5b7b4dcd27efbc3c2fwrowe algorithm. The default key size is 1024 bits for zone signing
995f5596d461cdd916f9ae5b7b4dcd27efbc3c2fwrowe keys (ZSKs) and 2048 bits for key signing keys (KSKs,
1e83c8de3aa48b316b28057d53995272baf1260cwrowe generated with <code class="option">-f KSK</code>). However, if an
1e83c8de3aa48b316b28057d53995272baf1260cwrowe algorithm is explicitly specified with the <code class="option">-a</code> option,
1e83c8de3aa48b316b28057d53995272baf1260cwrowe then there is no default key size, and <code class="option">-b</code>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe must be used.
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe </p>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe</dd>
995f5596d461cdd916f9ae5b7b4dcd27efbc3c2fwrowe<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe<dd><p>
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe Specifies the owner type of the key. The value of
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe a host (KEY)),
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe These values are case insensitive. Defaults to ZONE for DNSKEY
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe generation.
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe </p></dd>
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe<dt><span class="term">-3</span></dt>
f4b681ff0aa05efee56b42a893911f28c3ad931ewrowe<dd><p>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe Use an NSEC3-capable algorithm to generate a DNSSEC key.
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe If this option is used and no algorithm is explicitly
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe set on the command line, NSEC3RSASHA1 will be used by
23902cb3bb53a648f142db888c0a72f77586d736wrowe default. Note that RSASHA256 and RSASHA512 algorithms
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe are NSEC3-capable.
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe </p></dd>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<dt><span class="term">-C</span></dt>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe<dd><p>
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe Compatibility mode: generates an old-style key, without
23902cb3bb53a648f142db888c0a72f77586d736wrowe any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
23902cb3bb53a648f142db888c0a72f77586d736wrowe will include the key's creation date in the metadata stored
23902cb3bb53a648f142db888c0a72f77586d736wrowe with the private key, and other dates may be set there as well
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe (publication date, activation date, etc). Keys that include
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe this data may be incompatible with older versions of BIND; the
4d1b0ff0bb6735f8a7ec1936acc4bf587ef4db0dwrowe <code class="option">-C</code> option suppresses them.
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe </p></dd>
0da26d2fb6dbf94bde757fe5b00136656c6493ccwrowe<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
3f2e5bf9c35267c2a825624bfb7f56ff0d07b68dwrowe<dd><p>
29fc13ae8c586a980b0d4e8cba4546b370a951e6wrowe Indicates that the DNS record containing the key should have
d1993a5a05e4e06b796b67e36ad1ac1ccf1bbe04wrowe the specified class. If not specified, class IN is used.
d1993a5a05e4e06b796b67e36ad1ac1ccf1bbe04wrowe </p></dd>
d1993a5a05e4e06b796b67e36ad1ac1ccf1bbe04wrowe<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
d1993a5a05e4e06b796b67e36ad1ac1ccf1bbe04wrowe<dd><p>
d1993a5a05e4e06b796b67e36ad1ac1ccf1bbe04wrowe Uses crypto hardware (an OpenSSL engine) for random number
23902cb3bb53a648f142db888c0a72f77586d736wrowe generation and, when supported, key generation. When compiled
23902cb3bb53a648f142db888c0a72f77586d736wrowe with PKCS#11 support it defaults to pkcs11; an empty engine name
23902cb3bb53a648f142db888c0a72f77586d736wrowe resets it to no engine.
23902cb3bb53a648f142db888c0a72f77586d736wrowe </p></dd>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dt><span class="term">-e</span></dt>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dd><p>
23902cb3bb53a648f142db888c0a72f77586d736wrowe If generating an RSAMD5/RSASHA1 key, use a large exponent.
23902cb3bb53a648f142db888c0a72f77586d736wrowe </p></dd>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dd><p>
23902cb3bb53a648f142db888c0a72f77586d736wrowe Set the specified flag in the flag field of the KEY/DNSKEY record.
23902cb3bb53a648f142db888c0a72f77586d736wrowe The only recognized flags are KSK (Key Signing Key) and REVOKE.
23902cb3bb53a648f142db888c0a72f77586d736wrowe </p></dd>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dt><span class="term">-G</span></dt>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dd><p>
23902cb3bb53a648f142db888c0a72f77586d736wrowe Generate a key, but do not publish it or sign with it. This
23902cb3bb53a648f142db888c0a72f77586d736wrowe option is incompatible with -P and -A.
23902cb3bb53a648f142db888c0a72f77586d736wrowe </p></dd>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dd><p>
23902cb3bb53a648f142db888c0a72f77586d736wrowe If generating a Diffie Hellman key, use this generator.
23902cb3bb53a648f142db888c0a72f77586d736wrowe Allowed values are 2 and 5. If no generator
23902cb3bb53a648f142db888c0a72f77586d736wrowe is specified, a known prime from RFC 2539 will be used
23902cb3bb53a648f142db888c0a72f77586d736wrowe if possible; otherwise the default is 2.
23902cb3bb53a648f142db888c0a72f77586d736wrowe </p></dd>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dt><span class="term">-h</span></dt>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dd><p>
23902cb3bb53a648f142db888c0a72f77586d736wrowe Prints a short summary of the options and arguments to
23902cb3bb53a648f142db888c0a72f77586d736wrowe <span><strong class="command">dnssec-keygen</strong></span>.
b284ca949996f5952cfa89f09b0bcc4c7b148144wrowe </p></dd>
b284ca949996f5952cfa89f09b0bcc4c7b148144wrowe<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
b284ca949996f5952cfa89f09b0bcc4c7b148144wrowe<dd><p>
b284ca949996f5952cfa89f09b0bcc4c7b148144wrowe Sets the directory in which the key files are to be written.
b284ca949996f5952cfa89f09b0bcc4c7b148144wrowe </p></dd>
b284ca949996f5952cfa89f09b0bcc4c7b148144wrowe<dt><span class="term">-k</span></dt>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dd><p>
23902cb3bb53a648f142db888c0a72f77586d736wrowe Deprecated in favor of -T KEY.
23902cb3bb53a648f142db888c0a72f77586d736wrowe </p></dd>
23902cb3bb53a648f142db888c0a72f77586d736wrowe<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
afee14ff2e73a518f92e9d993e4023922496953cstoddard<dd><p>
afee14ff2e73a518f92e9d993e4023922496953cstoddard Sets the protocol value for the generated key. The protocol
afee14ff2e73a518f92e9d993e4023922496953cstoddard is a number between 0 and 255. The default is 3 (DNSSEC).
afee14ff2e73a518f92e9d993e4023922496953cstoddard Other possible values for this argument are listed in
afee14ff2e73a518f92e9d993e4023922496953cstoddard RFC 2535 and its successors.
afee14ff2e73a518f92e9d993e4023922496953cstoddard </p></dd>
afee14ff2e73a518f92e9d993e4023922496953cstoddard<dt><span class="term">-q</span></dt>
afee14ff2e73a518f92e9d993e4023922496953cstoddard<dd><p>
afee14ff2e73a518f92e9d993e4023922496953cstoddard Quiet mode: Suppresses unnecessary output, including
afee14ff2e73a518f92e9d993e4023922496953cstoddard progress indication. Without this option, when
afee14ff2e73a518f92e9d993e4023922496953cstoddard <span><strong class="command">dnssec-keygen</strong></span> is run interactively
afee14ff2e73a518f92e9d993e4023922496953cstoddard to generate an RSA or DSA key pair, it will print a string
afee14ff2e73a518f92e9d993e4023922496953cstoddard of symbols to <code class="filename">stderr</code> indicating the
afee14ff2e73a518f92e9d993e4023922496953cstoddard progress of the key generation. A '.' indicates that a
afee14ff2e73a518f92e9d993e4023922496953cstoddard random number has been found which passed an initial
afee14ff2e73a518f92e9d993e4023922496953cstoddard sieve test; '+' means a number has passed a single
afee14ff2e73a518f92e9d993e4023922496953cstoddard round of the Miller-Rabin primality test; a space
afee14ff2e73a518f92e9d993e4023922496953cstoddard means that the number has passed all the tests and is
743aeb835754aadabaec38c00742899668eb9dd1wrowe a satisfactory key.
743aeb835754aadabaec38c00742899668eb9dd1wrowe </p></dd>
743aeb835754aadabaec38c00742899668eb9dd1wrowe<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
743aeb835754aadabaec38c00742899668eb9dd1wrowe<dd><p>
743aeb835754aadabaec38c00742899668eb9dd1wrowe Specifies the source of randomness. If the operating
743aeb835754aadabaec38c00742899668eb9dd1wrowe system does not provide a <code class="filename">/dev/random</code>
743aeb835754aadabaec38c00742899668eb9dd1wrowe or equivalent device, the default source of randomness
743aeb835754aadabaec38c00742899668eb9dd1wrowe is keyboard input. <code class="filename">randomdev</code>
743aeb835754aadabaec38c00742899668eb9dd1wrowe specifies
743aeb835754aadabaec38c00742899668eb9dd1wrowe the name of a character device or file containing random
743aeb835754aadabaec38c00742899668eb9dd1wrowe data to be used instead of the default. The special value
743aeb835754aadabaec38c00742899668eb9dd1wrowe <code class="filename">keyboard</code> indicates that keyboard
743aeb835754aadabaec38c00742899668eb9dd1wrowe input should be used.
743aeb835754aadabaec38c00742899668eb9dd1wrowe </p></dd>
743aeb835754aadabaec38c00742899668eb9dd1wrowe<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
743aeb835754aadabaec38c00742899668eb9dd1wrowe<dd><p>
743aeb835754aadabaec38c00742899668eb9dd1wrowe Specifies the strength value of the key. The strength is
743aeb835754aadabaec38c00742899668eb9dd1wrowe a number between 0 and 15, and currently has no defined
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe purpose in DNSSEC.
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe </p></dd>
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe<dd>
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe<p>
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe Specifies the resource record type to use for the key.
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe <code class="option">rrtype</code> must be either DNSKEY or KEY. The
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe default is DNSKEY when using a DNSSEC algorithm, but it can be
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe overridden to KEY for use with SIG(0).
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe </p>
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe<p>
b7d8f625e4c4dc7d8f7cf34b4be179a4ea3da879wrowe </p>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe<p>
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard Using any TSIG algorithm (HMAC-* or DH) forces this option
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard to KEY.
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard </p>
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard</dd>
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard<dd><p>
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard Indicates the use of the key. <code class="option">type</code> must be
55b812b85435635a074dfdc9b28b6222351d96d4wrowe one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
06bd11dc20356466f38185ddb47fc798b4508d5fwrowe is AUTHCONF. AUTH refers to the ability to authenticate
3f2e5bf9c35267c2a825624bfb7f56ff0d07b68dwrowe data, and CONF the ability to encrypt data.
3f2e5bf9c35267c2a825624bfb7f56ff0d07b68dwrowe </p></dd>
fbdbe32b9368b0b8cd517b2c6a85bd351f79354cfielding<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
fbdbe32b9368b0b8cd517b2c6a85bd351f79354cfielding<dd><p>
fbdbe32b9368b0b8cd517b2c6a85bd351f79354cfielding Sets the debugging level.
06bd11dc20356466f38185ddb47fc798b4508d5fwrowe </p></dd>
55b812b85435635a074dfdc9b28b6222351d96d4wrowe</dl></div>
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard</div>
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard<div class="refsect1" lang="en">
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard<a name="id2663751"></a><h2>TIMING OPTIONS</h2>
83cb9e783386a18eecdb0749d9d17aa8e3bc012estoddard<p>
afee14ff2e73a518f92e9d993e4023922496953cstoddard Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard If the argument begins with a '+' or '-', it is interpreted as
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard an offset from the present time. For convenience, if such an offset
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard then the offset is computed in years (defined as 365 24-hour days,
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard ignoring leap years), months (defined as 30 24-hour days), weeks,
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard days, hours, or minutes, respectively. Without a suffix, the offset
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard is computed in seconds.
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard </p>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<div class="variablelist"><dl>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<dd><p>
afee14ff2e73a518f92e9d993e4023922496953cstoddard Sets the date on which a key is to be published to the zone.
29680b95f640069ec78f49485863f6218b100f74wrowe After that date, the key will be included in the zone but will
29680b95f640069ec78f49485863f6218b100f74wrowe not be used to sign it. If not set, and if the -G option has
29680b95f640069ec78f49485863f6218b100f74wrowe not been used, the default is "now".
29680b95f640069ec78f49485863f6218b100f74wrowe </p></dd>
29680b95f640069ec78f49485863f6218b100f74wrowe<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
29680b95f640069ec78f49485863f6218b100f74wrowe<dd><p>
29680b95f640069ec78f49485863f6218b100f74wrowe Sets the date on which the key is to be activated. After that
29680b95f640069ec78f49485863f6218b100f74wrowe date, the key will be included in the zone and used to sign
afee14ff2e73a518f92e9d993e4023922496953cstoddard it. If not set, and if the -G option has not been used, the
afee14ff2e73a518f92e9d993e4023922496953cstoddard default is "now".
afee14ff2e73a518f92e9d993e4023922496953cstoddard </p></dd>
afee14ff2e73a518f92e9d993e4023922496953cstoddard<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
29680b95f640069ec78f49485863f6218b100f74wrowe<dd><p>
29680b95f640069ec78f49485863f6218b100f74wrowe Sets the date on which the key is to be revoked. After that
29680b95f640069ec78f49485863f6218b100f74wrowe date, the key will be flagged as revoked. It will be included
29680b95f640069ec78f49485863f6218b100f74wrowe in the zone and will be used to sign it.
29680b95f640069ec78f49485863f6218b100f74wrowe </p></dd>
fbdbe32b9368b0b8cd517b2c6a85bd351f79354cfielding<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
29680b95f640069ec78f49485863f6218b100f74wrowe<dd><p>
29680b95f640069ec78f49485863f6218b100f74wrowe Sets the date on which the key is to be retired. After that
29680b95f640069ec78f49485863f6218b100f74wrowe date, the key will still be included in the zone, but it
29680b95f640069ec78f49485863f6218b100f74wrowe will not be used to sign it.
29680b95f640069ec78f49485863f6218b100f74wrowe </p></dd>
29680b95f640069ec78f49485863f6218b100f74wrowe<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
29680b95f640069ec78f49485863f6218b100f74wrowe<dd><p>
29680b95f640069ec78f49485863f6218b100f74wrowe Sets the date on which the key is to be deleted. After that
29680b95f640069ec78f49485863f6218b100f74wrowe date, the key will no longer be included in the zone. (It
29680b95f640069ec78f49485863f6218b100f74wrowe may remain in the key repository, however.)
29680b95f640069ec78f49485863f6218b100f74wrowe </p></dd>
afee14ff2e73a518f92e9d993e4023922496953cstoddard</dl></div>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard</div>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<div class="refsect1" lang="en">
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<a name="id2663917"></a><h2>GENERATED KEYS</h2>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<p>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard When <span><strong class="command">dnssec-keygen</strong></span> completes
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard successfully,
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
afee14ff2e73a518f92e9d993e4023922496953cstoddard to the standard output. This is an identification string for
afee14ff2e73a518f92e9d993e4023922496953cstoddard the key it has generated.
afee14ff2e73a518f92e9d993e4023922496953cstoddard </p>
afee14ff2e73a518f92e9d993e4023922496953cstoddard<div class="itemizedlist"><ul type="disc">
afee14ff2e73a518f92e9d993e4023922496953cstoddard<li><p><code class="filename">nnnn</code> is the key name.
afee14ff2e73a518f92e9d993e4023922496953cstoddard </p></li>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<li><p><code class="filename">aaa</code> is the numeric representation
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard of the
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard algorithm.
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard </p></li>
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe<li><p><code class="filename">iiiii</code> is the key identifier (or
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe footprint).
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe </p></li>
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe</ul></div>
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe<p><span><strong class="command">dnssec-keygen</strong></span>
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe creates two files, with names based
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe contains the public key, and
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe private
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe key.
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe </p>
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe<p>
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe The <code class="filename">.key</code> file contains a DNS KEY record
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe that
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe can be inserted into a zone file (directly or with a $INCLUDE
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe statement).
1ada9fb80437b7b7fca813971b7269e187e78db8wrowe </p>
afee14ff2e73a518f92e9d993e4023922496953cstoddard<p>
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe The <code class="filename">.private</code> file contains
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe algorithm-specific
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe fields. For obvious security reasons, this file (which holds the
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe private key) is created without general read permission.
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe </p>
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe<p>
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe Both <code class="filename">.key</code> and <code class="filename">.private</code>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe files are generated for symmetric algorithms such as
afee14ff2e73a518f92e9d993e4023922496953cstoddard HMAC-MD5, even though the public and private keys are equivalent.
afee14ff2e73a518f92e9d993e4023922496953cstoddard </p>
afee14ff2e73a518f92e9d993e4023922496953cstoddard</div>
afee14ff2e73a518f92e9d993e4023922496953cstoddard<div class="refsect1" lang="en">
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe<a name="id2664093"></a><h2>EXAMPLE</h2>
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe<p>
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe To generate a 768-bit DSA key for the domain
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe <strong class="userinput"><code>example.com</code></strong>, the following command would be
52a8365acdb2a6a9d75ebc9685338c7266ec2b78wrowe issued:
afee14ff2e73a518f92e9d993e4023922496953cstoddard </p>
167c53d624e82d105b1517e9599195a30ddb5de8stoddard<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
167c53d624e82d105b1517e9599195a30ddb5de8stoddard </p>
167c53d624e82d105b1517e9599195a30ddb5de8stoddard<p>
167c53d624e82d105b1517e9599195a30ddb5de8stoddard The command would print a string of the form:
167c53d624e82d105b1517e9599195a30ddb5de8stoddard </p>
167c53d624e82d105b1517e9599195a30ddb5de8stoddard<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
167c53d624e82d105b1517e9599195a30ddb5de8stoddard </p>
167c53d624e82d105b1517e9599195a30ddb5de8stoddard<p>
167c53d624e82d105b1517e9599195a30ddb5de8stoddard In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
167c53d624e82d105b1517e9599195a30ddb5de8stoddard the files <code class="filename">Kexample.com.+003+26160.key</code>
167c53d624e82d105b1517e9599195a30ddb5de8stoddard and
afee14ff2e73a518f92e9d993e4023922496953cstoddard <code class="filename">Kexample.com.+003+26160.private</code>.
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard </p>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard</div>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<div class="refsect1" lang="en">
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<a name="id2664218"></a><h2>SEE ALSO</h2>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard <em class="citetitle">RFC 2539</em>,
b980ad7fdc218b4855cde9f75a747527f50c554dwrowe <em class="citetitle">RFC 2845</em>,
afee14ff2e73a518f92e9d993e4023922496953cstoddard <em class="citetitle">RFC 4034</em>.
b980ad7fdc218b4855cde9f75a747527f50c554dwrowe </p>
55b812b85435635a074dfdc9b28b6222351d96d4wrowe</div>
fbdbe32b9368b0b8cd517b2c6a85bd351f79354cfielding<div class="refsect1" lang="en">
fbdbe32b9368b0b8cd517b2c6a85bd351f79354cfielding<a name="id2664249"></a><h2>AUTHOR</h2>
fbdbe32b9368b0b8cd517b2c6a85bd351f79354cfielding<p><span class="corpauthor">Internet Systems Consortium</span>
06bd11dc20356466f38185ddb47fc798b4508d5fwrowe </p>
55b812b85435635a074dfdc9b28b6222351d96d4wrowe</div>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard</div>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<div class="navfooter">
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<hr>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<table width="100%" summary="Navigation footer">
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe<tr>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<td width="40%" align="left">
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>�</td>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard</td>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard</tr>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<tr>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<td width="40%" align="left" valign="top">
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe<span class="application">dnssec-keyfromlabel</span>�</td>
8e117661fd51fd19d6430fca8d7ae87c67d6de20stoddard<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
b123b30f873d5d7be25a7f3e3962960fb9ce265bwrowe<td width="40%" align="right" valign="top">�<span class="application">dnssec-revoke</span>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe</td>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe</tr>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe</table>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe</div>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe</body>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe</html>
95f1a92bf784a801a2f60ccf6c23d610b2dbe628wrowe