man.dnssec-keygen.html revision 603de7394f5a466ea39a33a6eea2022885ec3f87
e59faf65ce864fe95dc00f5d52b8323cdbd0608aTimo Sirainen<!--
657afb33796f8216c568ad813627da89970760beTimo Sirainen - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
08d6658a4e2ec8104cd1307f6baa75fdb07a24f8Mark Washenberger - Copyright (C) 2000-2003 Internet Software Consortium.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen -
a550b0fbcf7e876eeb88f4528209ed28cc416752Timo Sirainen - Permission to use, copy, modify, and/or distribute this software for any
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen - purpose with or without fee is hereby granted, provided that the above
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen - copyright notice and this permission notice appear in all copies.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen -
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
d99107ddf4d9bccb710994482daf65276a9d6321Timo Sirainen - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
ecb1b2d6236942bf82f822e8d0167f0e160b206dTimo Sirainen - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
657afb33796f8216c568ad813627da89970760beTimo Sirainen - PERFORMANCE OF THIS SOFTWARE.
657afb33796f8216c568ad813627da89970760beTimo Sirainen-->
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<!-- $Id$ -->
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<html>
a3b3e5b452be15049a1f8bfd5b3bb640af41121cTimo Sirainen<head>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<title>dnssec-keygen</title>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen</head>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<div class="navheader">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<table width="100%" summary="Navigation header">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen<tr>
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen<td width="20%" align="left">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&nbsp;</td>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<th width="60%" align="center">Manual pages</th>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen</td>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen</tr>
657afb33796f8216c568ad813627da89970760beTimo Sirainen</table>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen<hr>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen</div>
59151b71059df1190acd75d8717ed04a7920c862Timo Sirainen<div class="refentry" lang="en">
657afb33796f8216c568ad813627da89970760beTimo Sirainen<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
9be4e6701d086c009f3db1913a148139ea180420Timo Sirainen<div class="refnamediv">
ad49932dae8ba31e07544b66bbc4f4de707a751cTimo Sirainen<h2>Name</h2>
657afb33796f8216c568ad813627da89970760beTimo Sirainen<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen</div>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<div class="refsynopsisdiv">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<h2>Synopsis</h2>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] 
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen</div>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<div class="refsect1" lang="en">
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<a name="id2624453"></a><h2>DESCRIPTION</h2>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p><span><strong class="command">dnssec-keygen</strong></span>
3ccab0bac68040f179a7de45c516cec258e28fdbTimo Sirainen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen and RFC 4034. It can also generate keys for use with
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen (Transaction Key) as defined in RFC 2930.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen The <code class="option">name</code> of the key is specified on the command
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen line. For DNSSEC keys, this must match the name of the zone for
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen which the key is being generated.
f19cf95ae8fc233567b1c7751595eb66876d684aTimo Sirainen </p>
f19cf95ae8fc233567b1c7751595eb66876d684aTimo Sirainen</div>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<div class="refsect1" lang="en">
f19cf95ae8fc233567b1c7751595eb66876d684aTimo Sirainen<a name="id2624473"></a><h2>OPTIONS</h2>
f19cf95ae8fc233567b1c7751595eb66876d684aTimo Sirainen<div class="variablelist"><dl>
f19cf95ae8fc233567b1c7751595eb66876d684aTimo Sirainen<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
f19cf95ae8fc233567b1c7751595eb66876d684aTimo Sirainen<dd>
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen<p>
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen Selects the cryptographic algorithm. For DNSSEC keys, the value
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen ECDSAP256SHA256 or ECDSAP384SHA384.
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen For TSIG/TKEY, the value must
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen case insensitive.
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen </p>
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen<p>
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen If no algorithm is specified, then RSASHA1 will be used by
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen default, unless the <code class="option">-3</code> option is specified,
cc4d0d30fbba883d5d1b600646491fb77bdb989cTimo Sirainen in which case NSEC3RSASHA1 will be used instead. (If
f19cf95ae8fc233567b1c7751595eb66876d684aTimo Sirainen <code class="option">-3</code> is used and an algorithm is specified,
f19cf95ae8fc233567b1c7751595eb66876d684aTimo Sirainen that algorithm will be checked for compatibility with NSEC3.)
8c6c6b95f482d2a2cdc74db5582aeb24871e3579Timo Sirainen </p>
8c6c6b95f482d2a2cdc74db5582aeb24871e3579Timo Sirainen<p>
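9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen mandatory. "Mandatory" here describes what implementations must support for interoperability, not which algorithm is strongest; consult current algorithm guidance when creating new keys.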
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen </p>
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen<p>
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen automatically set the -T KEY option.
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen </p>
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen</dd>
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen<dd>
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen<p>
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen Specifies the number of bits in the key. The choice of key
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen size depends on the algorithm used. RSA keys must be
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen between 512 and 2048 bits. Diffie Hellman keys must be between
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen 128 and 4096 bits. DSA keys must be between 512 and 1024
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen bits and an exact multiple of 64. HMAC keys must be
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen between 1 and 512 bits. Elliptic curve algorithms don't need
fbee9bffb56d882b98146dd0de76a5bcccc2bdc3Timo Sirainen this parameter.
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen </p>
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen<p>
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen The key size does not need to be specified if using a default
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen algorithm. The default key size is 1024 bits for zone signing
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen keys (ZSKs) and 2048 bits for key signing keys (KSKs,
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen generated with <code class="option">-f KSK</code>). However, if an
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen algorithm is explicitly specified with the <code class="option">-a</code> option,
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen then there is no default key size, and the <code class="option">-b</code>
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen option must be used.
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen </p>
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen</dd>
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
70905e51a5148bd5613cb04720807177474a2496Timo Sirainen<dd><p>
70905e51a5148bd5613cb04720807177474a2496Timo Sirainen Specifies the owner type of the key. The value of
70905e51a5148bd5613cb04720807177474a2496Timo Sirainen <code class="option">nametype</code> must either be ZONE (for a DNSSEC
657afb33796f8216c568ad813627da89970760beTimo Sirainen zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen a host (KEY)),
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
657afb33796f8216c568ad813627da89970760beTimo Sirainen These values are case insensitive. Defaults to ZONE for DNSKEY
657afb33796f8216c568ad813627da89970760beTimo Sirainen generation.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p></dd>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dt><span class="term">-3</span></dt>
657afb33796f8216c568ad813627da89970760beTimo Sirainen<dd><p>
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen Use an NSEC3-capable algorithm to generate a DNSSEC key.
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen If this option is used and no algorithm is explicitly
ea95a057fa5f02d50027122cacd3147fce7679faTimo Sirainen set on the command line, NSEC3RSASHA1 will be used by
ea95a057fa5f02d50027122cacd3147fce7679faTimo Sirainen default. Note that RSASHA256, RSASHA512, ECCGOST,
ea95a057fa5f02d50027122cacd3147fce7679faTimo Sirainen ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
ea95a057fa5f02d50027122cacd3147fce7679faTimo Sirainen are NSEC3-capable.
ea95a057fa5f02d50027122cacd3147fce7679faTimo Sirainen </p></dd>
ea95a057fa5f02d50027122cacd3147fce7679faTimo Sirainen<dt><span class="term">-C</span></dt>
e69e7b734b625de1f8921b7e0d92afa1df6b900dTimo Sirainen<dd><p>
e69e7b734b625de1f8921b7e0d92afa1df6b900dTimo Sirainen Compatibility mode: generates an old-style key, without
e69e7b734b625de1f8921b7e0d92afa1df6b900dTimo Sirainen any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
e69e7b734b625de1f8921b7e0d92afa1df6b900dTimo Sirainen will include the key's creation date in the metadata stored
3ccab0bac68040f179a7de45c516cec258e28fdbTimo Sirainen with the private key, and other dates may be set there as well
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen (publication date, activation date, etc.). Keys that include
657afb33796f8216c568ad813627da89970760beTimo Sirainen this data may be incompatible with older versions of BIND; the
657afb33796f8216c568ad813627da89970760beTimo Sirainen <code class="option">-C</code> option suppresses this metadata.
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen </p></dd>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dd><p>
137ea7ca34005345aa2304a940149b7f3774d727Timo Sirainen Indicates that the DNS record containing the key should have
8bb360f9e5de1c25e4f875205bb06e8bf15dae14Timo Sirainen the specified class. If not specified, class IN is used.
662a9000b1788f1cdf765e6b1c89df9a42cc3e32Timo Sirainen </p></dd>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
bbf81c8fc6f21382707673dc6bd7b87ffc27981bTimo Sirainen<dd>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<p>
137ea7ca34005345aa2304a940149b7f3774d727Timo Sirainen Specifies the cryptographic hardware to use, when applicable.
bbf81c8fc6f21382707673dc6bd7b87ffc27981bTimo Sirainen </p>
1e0bdb2d0fa7bbd0a0a254754680f6c6d0195333Timo Sirainen<p>
bbf81c8fc6f21382707673dc6bd7b87ffc27981bTimo Sirainen When BIND is built with OpenSSL PKCS#11 support, this defaults
1e0bdb2d0fa7bbd0a0a254754680f6c6d0195333Timo Sirainen to the string "pkcs11", which identifies an OpenSSL engine
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen that can drive a cryptographic accelerator or hardware service
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen module. When BIND is built with native PKCS#11 cryptography
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen (--enable-native-pkcs11), it defaults to the path of the PKCS#11
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen provider library specified via "--with-pkcs11".
1e0bdb2d0fa7bbd0a0a254754680f6c6d0195333Timo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen</dd>
137ea7ca34005345aa2304a940149b7f3774d727Timo Sirainen<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
8bb360f9e5de1c25e4f875205bb06e8bf15dae14Timo Sirainen<dd><p>
1e0bdb2d0fa7bbd0a0a254754680f6c6d0195333Timo Sirainen Set the specified flag in the flag field of the KEY/DNSKEY record.
662a9000b1788f1cdf765e6b1c89df9a42cc3e32Timo Sirainen The only recognized flags are KSK (Key Signing Key) and REVOKE.
662a9000b1788f1cdf765e6b1c89df9a42cc3e32Timo Sirainen </p></dd>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dt><span class="term">-G</span></dt>
1e0bdb2d0fa7bbd0a0a254754680f6c6d0195333Timo Sirainen<dd><p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen Generate a key, but do not publish it or sign with it. This
662a9000b1788f1cdf765e6b1c89df9a42cc3e32Timo Sirainen option is incompatible with -P and -A.
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen </p></dd>
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen<dd><p>
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen If generating a Diffie Hellman key, use this generator.
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen Allowed values are 2 and 5. If no generator
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen is specified, a known prime from RFC 2539 will be used
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen if possible; otherwise the default is 2.
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen </p></dd>
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen<dt><span class="term">-h</span></dt>
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen<dd><p>
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen Prints a short summary of the options and arguments to
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen <span><strong class="command">dnssec-keygen</strong></span>.
ccef83820a01bb37ad48653a05a9c5aa6560826aTimo Sirainen </p></dd>
662a9000b1788f1cdf765e6b1c89df9a42cc3e32Timo Sirainen<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dd><p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen Sets the directory in which the key files are to be written.
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen </p></dd>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dt><span class="term">-k</span></dt>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dd><p>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen Deprecated in favor of -T KEY.
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen </p></dd>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen<dd><p>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen Sets the default TTL to use for this key when it is converted
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen into a DNSKEY RR. If the key is imported into a zone,
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen this is the TTL that will be used for it, unless there was
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen already a DNSKEY RRset in place, in which case the existing TTL
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen would take precedence. If this value is not set and there
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen is no existing DNSKEY RRset, the TTL will default to the
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen SOA TTL. Setting the default TTL to <code class="literal">0</code>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen or <code class="literal">none</code> is the same as leaving it unset.
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen </p></dd>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
9d75363d3fbabc2fbc2d80f06672e3ed8965804aTimo Sirainen<dd><p>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen Sets the protocol value for the generated key. The protocol
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen is a number between 0 and 255. The default is 3 (DNSSEC).
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen Other possible values for this argument are listed in
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen RFC 2535 and its successors.
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen </p></dd>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen<dt><span class="term">-q</span></dt>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen<dd><p>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen Quiet mode: Suppresses unnecessary output, including
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen progress indication. Without this option, when
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen <span><strong class="command">dnssec-keygen</strong></span> is run interactively
2c8ff32886e56a5e037169c9ebef4219f85a5629Timo Sirainen to generate an RSA or DSA key pair, it will print a string
2c8ff32886e56a5e037169c9ebef4219f85a5629Timo Sirainen of symbols to <code class="filename">stderr</code> indicating the
2c8ff32886e56a5e037169c9ebef4219f85a5629Timo Sirainen progress of the key generation. A '.' indicates that a
2c8ff32886e56a5e037169c9ebef4219f85a5629Timo Sirainen random number has been found which passed an initial
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen sieve test; '+' means a number has passed a single
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen round of the Miller-Rabin primality test; a space
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen means that the number has passed all the tests and is
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen a satisfactory key.
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen </p></dd>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen<dd><p>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen Specifies the source of randomness. If the operating
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen system does not provide a <code class="filename">/dev/random</code>
2872c818f9c6704609f4d67d984b033a63e3a108Timo Sirainen or equivalent device, the default source of randomness
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen is keyboard input. <code class="filename">randomdev</code>
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen specifies
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen the name of a character device or file containing random
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen data to be used instead of the default. The special value
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen <code class="filename">keyboard</code> indicates that keyboard
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen input should be used.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p></dd>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen<dd><p>
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen Create a new key which is an explicit successor to an
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen existing key. The name, algorithm, size, and type of the
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen key will be set to match the existing key. The activation
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen date of the new key will be set to the inactivation date of
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen the existing one. The publication date will be set to the
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen activation date minus the prepublication interval, which
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen defaults to 30 days.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p></dd>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dd><p>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen Specifies the strength value of the key. The strength is
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen a number between 0 and 15, and currently has no defined
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen purpose in DNSSEC.
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen </p></dd>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dd>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<p>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen Specifies the resource record type to use for the key.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen <code class="option">rrtype</code> must be either DNSKEY or KEY. The
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen default is DNSKEY when using a DNSSEC algorithm, but it can be
0fec6dfc23e568bae53f03c9491df7f64473dd67Timo Sirainen overridden to KEY for use with SIG(0).
3d8f3c378de13e32018e2b116f6b67bd69cd28fbTimo Sirainen </p>
2c8ff32886e56a5e037169c9ebef4219f85a5629Timo Sirainen<p>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen </p>
1cc683c5d442a1a3bed5a18c1fb37180cb7ef84bTimo Sirainen<p>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen Using any TSIG algorithm (HMAC-* or DH) forces this option
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen to KEY.
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen </p>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen</dd>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dd><p>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen Indicates the use of the key. <code class="option">type</code> must be
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen is AUTHCONF. AUTH refers to the ability to authenticate
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen data, and CONF the ability to encrypt data.
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen </p></dd>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dd><p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen Sets the debugging level.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p></dd>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dt><span class="term">-V</span></dt>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dd><p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen Prints version information.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p></dd>
0fec6dfc23e568bae53f03c9491df7f64473dd67Timo Sirainen</dl></div>
0fec6dfc23e568bae53f03c9491df7f64473dd67Timo Sirainen</div>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<div class="refsect1" lang="en">
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<a name="id2675197"></a><h2>TIMING OPTIONS</h2>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
708ea1c397d89586af66c97d74c907f3f2b95134Timo Sirainen If the argument begins with a '+' or '-', it is interpreted as
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen an offset from the present time. For convenience, if such an offset
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
708ea1c397d89586af66c97d74c907f3f2b95134Timo Sirainen then the offset is computed in years (defined as 365 24-hour days,
708ea1c397d89586af66c97d74c907f3f2b95134Timo Sirainen ignoring leap years), months (defined as 30 24-hour days), weeks,
708ea1c397d89586af66c97d74c907f3f2b95134Timo Sirainen days, hours, or minutes, respectively. Without a suffix, the offset
708ea1c397d89586af66c97d74c907f3f2b95134Timo Sirainen is computed in seconds. To explicitly prevent a date from being
708ea1c397d89586af66c97d74c907f3f2b95134Timo Sirainen set, use 'none' or 'never'.
e5dec382163b476bed16dbf7eb470913a9bbdbe1Timo Sirainen </p>
e5dec382163b476bed16dbf7eb470913a9bbdbe1Timo Sirainen<div class="variablelist"><dl>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dd><p>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen Sets the date on which a key is to be published to the zone.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen After that date, the key will be included in the zone but will
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen not be used to sign it. If not set, and if the -G option has
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen not been used, the default is "now".
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p></dd>
d5cebe7f98e63d4e2822863ef2faa4971e8b3a5dTimo Sirainen<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dd><p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen Sets the date on which the key is to be activated. After that
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen date, the key will be included in the zone and used to sign
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen it. If not set, and if the -G option has not been used, the
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen default is "now". If set, and if -P is not set, then
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen the publication date will be set to the activation date
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen minus the prepublication interval.
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen </p></dd>
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dd><p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen Sets the date on which the key is to be revoked. After that
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen date, the key will be flagged as revoked. It will be included
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen in the zone and will be used to sign it.
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen </p></dd>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dd><p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen Sets the date on which the key is to be retired. After that
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen date, the key will still be included in the zone, but it
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen will not be used to sign it.
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen </p></dd>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<dd><p>
226259ee6fb9830dafc1a5ba1e95bf5a4345b406Timo Sirainen Sets the date on which the key is to be deleted. After that
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen date, the key will no longer be included in the zone. (It
657afb33796f8216c568ad813627da89970760beTimo Sirainen may remain in the key repository, however.)
657afb33796f8216c568ad813627da89970760beTimo Sirainen </p></dd>
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen<dd>
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen<p>
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen Sets the prepublication interval for a key. If set, then
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen the publication and activation dates must be separated by at least
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen this much time. If the activation date is specified but the
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen publication date isn't, then the publication date will default
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen to this much time before the activation date; conversely, if
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen the publication date is specified but activation date isn't,
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen then activation will be set to this much time after publication.
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen </p>
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen<p>
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen If the key is being created as an explicit successor to another
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen key, then the default prepublication interval is 30 days;
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen otherwise it is zero.
a72dde3805d0e9148de4caf44d6f4dc167431380Timo Sirainen </p>
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen<p>
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen As with date offsets, if the argument is followed by one of
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen interval is measured in years, months, weeks, days, hours,
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen or minutes, respectively. Without a suffix, the interval is
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen measured in seconds.
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen </p>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen</dd>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen</dl></div>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen</div>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen<div class="refsect1" lang="en">
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen<a name="id2675319"></a><h2>GENERATED KEYS</h2>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen<p>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen When <span><strong class="command">dnssec-keygen</strong></span> completes
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen successfully,
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen to the standard output. This is an identification string for
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen the key it has generated.
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen </p>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen<div class="itemizedlist"><ul type="disc">
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen<li><p><code class="filename">nnnn</code> is the key name.
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen </p></li>
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen<li><p><code class="filename">aaa</code> is the numeric representation
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen of the
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen algorithm.
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen </p></li>
9ed2951bd0bb1878a27437d7c00611b2baadd614Timo Sirainen<li><p><code class="filename">iiiii</code> is the key identifier (or
6ef7e31619edfaa17ed044b45861d106a86191efTimo Sirainen footprint).
657afb33796f8216c568ad813627da89970760beTimo Sirainen </p></li>
7242e1ce7803b83bc82e239ef111b47c1c72dd4bAndrey Panin</ul></div>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p><span><strong class="command">dnssec-keygen</strong></span>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen creates two files, with names based
e76073ebaf90fa29abfdc364873acf78983949aaTimo Sirainen on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen contains the public key, and
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen private
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen key.
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen The <code class="filename">.key</code> file contains a DNS KEY record
9261dbf0675204898c6557591c7aa376e23a52b2Timo Sirainen that
5363f51ad46344f4e5952f2fef211a7cf8f95ddcTimo Sirainen can be inserted into a zone file (directly or with a $INCLUDE
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen statement).
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen The <code class="filename">.private</code> file contains
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen algorithm-specific
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen fields. Because it holds the private key, this file does not have
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen general read permission.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen Both <code class="filename">.key</code> and <code class="filename">.private</code>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen files are generated for symmetric (shared-secret) algorithms such as
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen HMAC-MD5, even though the public and private key are equivalent; in that case both files hold the same secret and need the same protection.
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen</div>
50782de8a9d5ebe11ee61496b4e695a1d3875230Timo Sirainen<div class="refsect1" lang="en">
48ac75465ae154b1d705f18de6d95045ab714b65Timo Sirainen<a name="id2675495"></a><h2>EXAMPLE</h2>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen To generate a 768-bit DSA key for the domain
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen <strong class="userinput"><code>example.com</code></strong>, the following command would be
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen issued:
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen The command would print a string of the form:
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen the files <code class="filename">Kexample.com.+003+26160.key</code>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen and
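70c181da837ed85fc5b0426c010b65609bda5329Timo Sirainen <code class="filename">Kexample.com.+003+26160.private</code>. The 768-bit DSA key is used here only to illustrate the command; a key of that size is too small to protect a production zone.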
70c181da837ed85fc5b0426c010b65609bda5329Timo Sirainen </p>
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen</div>
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen<div class="refsect1" lang="en">
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen<a name="id2675620"></a><h2>SEE ALSO</h2>
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen <em class="citetitle">RFC 2539</em>,
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen <em class="citetitle">RFC 2845</em>,
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen <em class="citetitle">RFC 4034</em>.
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen </p>
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen</div>
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen<div class="refsect1" lang="en">
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen<a name="id2675651"></a><h2>AUTHOR</h2>
7904d81873b36f8464c96be415881f92518452e6Timo Sirainen<p><span class="corpauthor">Internet Systems Consortium</span>
382c7aec3e3449ed8271c2a202b67cefaa31dc8eTimo Sirainen </p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen</div>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen</div>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
66d2db642fe24d555d113ba463e446b038d476efTimo Sirainen</body>
4f2248a8a70985c7295afc3bf91c848e81d740d9Timo Sirainen</html>
4f2248a8a70985c7295afc3bf91c848e81d740d9Timo Sirainen