man.dnssec-keygen.html revision 6cd01c0a96332a9f6b4a1a3c6b404555287a020c
7d32c065c7bb56f281651ae3dd2888f32ce4f1d9Bob Halley - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
2f072c2982861ec2e86e97f8a3ed199fe45c1f70Michael Graff - Copyright (C) 2000-2003 Internet Software Consortium.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews - Permission to use, copy, modify, and/or distribute this software for any
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews - purpose with or without fee is hereby granted, provided that the above
2f072c2982861ec2e86e97f8a3ed199fe45c1f70Michael Graff - copyright notice and this permission notice appear in all copies.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<!-- $Id$ -->
ecd3b66f8c4544a55dd44fddda7c7134b936cd3bJames Brister<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
47830e3a58e943550bb9e7d0c2f0adac0b2b3857Andreas Gustafsson<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
854d0238dbc2908490197984b3b9d558008a53dfMark Andrews<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
854d0238dbc2908490197984b3b9d558008a53dfMark Andrews<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
59a6d9effd893036e39e14e775e1c98b0cd22388Andreas Gustafsson<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
59a6d9effd893036e39e14e775e1c98b0cd22388Andreas Gustafsson<table width="100%" summary="Navigation header">
59a6d9effd893036e39e14e775e1c98b0cd22388Andreas Gustafsson<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&nbsp;</td>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<th width="60%" align="center">Manual pages</th>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
6e482e595d2b04e65f17851626a61a82efc4bd12David Lawrence<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
34b394b43e2207e8f8f3703f0402422121455638David Lawrence<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] 
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence<p><span><strong class="command">dnssec-keygen</strong></span>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews and RFC 4034. It can also generate keys for use with
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews (Transaction Key) as defined in RFC 2930.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews The <code class="option">name</code> of the key is specified on the command
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews line. For DNSSEC keys, this must match the name of the zone for
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews which the key is being generated.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
19c5c23ef6e38965949c996592bd92478da0612cMark Andrews Selects the cryptographic algorithm. For DNSSEC keys, the value
19c5c23ef6e38965949c996592bd92478da0612cMark Andrews of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
34b394b43e2207e8f8f3703f0402422121455638David Lawrence DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
8d3e74b1683f714a484bbcf73249e8ee470e36d7Mark Andrews ECDSAP256SHA256 or ECDSAP384SHA384.
8d3e74b1683f714a484bbcf73249e8ee470e36d7Mark Andrews be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
19c5c23ef6e38965949c996592bd92478da0612cMark Andrews case insensitive.
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff If no algorithm is specified, then RSASHA1 will be used by
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews default, unless the <code class="option">-3</code> option is specified,
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews in which case NSEC3RSASHA1 will be used instead. (If
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews <code class="option">-3</code> is used and an algorithm is specified,
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews that algorithm will be checked for compatibility with NSEC3.)
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews automatically set the -T KEY option.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Specifies the number of bits in the key. The choice of key
5fc7ba3e1ac5d72239e9971e0f469dd5796738f9Andreas Gustafsson size depends on the algorithm used. RSA keys must be
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews between 512 and 2048 bits. Diffie Hellman keys must be between
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews 128 and 4096 bits. DSA keys must be between 512 and 1024
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews bits and an exact multiple of 64. HMAC keys must be
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews between 1 and 512 bits. Elliptic curve algorithms don't need
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews this parameter.
6e482e595d2b04e65f17851626a61a82efc4bd12David Lawrence The key size does not need to be specified if using a default
5436ac555325d888c822f6be8c4fe69d2343d827Andreas Gustafsson algorithm. The default key size is 1024 bits for zone signing
5436ac555325d888c822f6be8c4fe69d2343d827Andreas Gustafsson keys (ZSKs) and 2048 bits for key signing keys (KSKs,
a1f16c81a1e54f52745f64555e6affa0add44173David Lawrence generated with <code class="option">-f KSK</code>). However, if an
a1f16c81a1e54f52745f64555e6affa0add44173David Lawrence algorithm is explicitly specified with the <code class="option">-a</code> option,
5436ac555325d888c822f6be8c4fe69d2343d827Andreas Gustafsson then there is no default key size, and the <code class="option">-b</code>
a1f16c81a1e54f52745f64555e6affa0add44173David Lawrence<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Specifies the owner type of the key. The value of
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews <code class="option">nametype</code> must either be ZONE (for a DNSSEC
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews a host (KEY)),
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews These values are case insensitive. Defaults to ZONE for DNSKEY
<dt><span class="term">-3</span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Use an NSEC3-capable algorithm to generate a DNSSEC key.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews If this option is used and no algorithm is explicitly
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews set on the command line, NSEC3RSASHA1 will be used by
ecd3b66f8c4544a55dd44fddda7c7134b936cd3bJames Brister default. Note that RSASHA256, RSASHA512, ECCGOST,
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
94a08e09db3dc844b6ee4841c368a2d7074a9c3fAndreas Gustafsson are NSEC3-capable.
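The -a, -b and -3 rules above, collected into a pre-flight check that automation could run before invoking dnssec-keygen. This is an added example, not part of BIND or of this manual page; the function names are hypothetical and the limits are the ones this page states. Requiring -b when -a is given, and rejecting a non-NSEC3 algorithm under -3, are assumptions inferred from the text.

```python
# Added example: lint dnssec-keygen -a / -b / -3 / -f KSK arguments using
# only the rules stated on this manual page. Names are hypothetical.
DNSSEC_ALGS = {"RSAMD5", "RSASHA1", "DSA", "NSEC3RSASHA1", "NSEC3DSA",
               "RSASHA256", "RSASHA512", "ECCGOST",
               "ECDSAP256SHA256", "ECDSAP384SHA384"}
TSIG_ALGS = {"DH", "HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224",
             "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512"}
# Algorithms the page names as NSEC3-capable, plus the two NSEC3* defaults.
NSEC3_CAPABLE = {"NSEC3RSASHA1", "NSEC3DSA", "RSASHA256", "RSASHA512",
                 "ECCGOST", "ECDSAP256SHA256", "ECDSAP384SHA384"}
ELLIPTIC = {"ECCGOST", "ECDSAP256SHA256", "ECDSAP384SHA384"}


def size_range(alg):
    """Return (min_bits, max_bits, multiple_of), or None for elliptic curves."""
    if alg in ELLIPTIC:
        return None
    if alg == "DH":
        return (128, 4096, 1)
    if alg in ("DSA", "NSEC3DSA"):
        return (512, 1024, 64)
    if alg.startswith("HMAC-"):
        return (1, 512, 1)
    return (512, 2048, 1)  # RSA family


def check_keygen_args(algorithm=None, keysize=None, nsec3=False, ksk=False):
    """Return (algorithm, keysize, rrtype) or raise ValueError."""
    explicit = algorithm is not None
    if explicit:
        alg = algorithm.upper()  # algorithm names are case insensitive
        if alg not in DNSSEC_ALGS | TSIG_ALGS:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        if nsec3 and alg not in NSEC3_CAPABLE:
            # Assumption: the -3 compatibility check rejects this pairing.
            raise ValueError(f"{alg} is not NSEC3-capable; drop -3")
    else:
        alg = "NSEC3RSASHA1" if nsec3 else "RSASHA1"
    # Note 2: DH and the HMAC algorithms automatically set -T KEY.
    rrtype = "KEY" if alg in TSIG_ALGS else "DNSKEY"
    limits = size_range(alg)
    if limits is None:
        return alg, None, rrtype  # elliptic curves do not need -b; ignored
    if keysize is None:
        if explicit:
            # Assumption: no default size exists once -a is given.
            raise ValueError(f"-b is required when -a {alg} is given")
        keysize = 2048 if ksk else 1024  # defaults for KSK and ZSK
    lo, hi, step = limits
    if not lo <= keysize <= hi or keysize % step:
        raise ValueError(
            f"{alg} key size must be {lo}-{hi} bits, a multiple of {step}")
    return alg, keysize, rrtype
```
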
<dt><span class="term">-C</span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Compatibility mode: generates an old-style key, without
6e49e91bd08778d7eae45a2229dcf41ed97cc636David Lawrence any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
d66d2cb7284874189d3425c29dd3639eb3f242ffBob Halley will include the key's creation date in the metadata stored
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews with the private key, and other dates may be set there as well
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews (publication date, activation date, etc). Keys that include
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews this data may be incompatible with older versions of BIND; the
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews <code class="option">-C</code> option suppresses them.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff Indicates that the DNS record containing the key should have
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence the specified class. If not specified, class IN is used.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Specifies the cryptographic hardware to use, when applicable.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews When BIND is built with OpenSSL PKCS#11 support, this defaults
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews to the string "pkcs11", which identifies an OpenSSL engine
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews that can drive a cryptographic accelerator or hardware service
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews module. When BIND is built with native PKCS#11 cryptography
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews (--enable-native-pkcs11), it defaults to the path of the PKCS#11
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews provider library specified via "--with-pkcs11".
4529cdaedaf1a0a5f8ff89aeca510b7a4475446cBob Halley<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Set the specified flag in the flag field of the KEY/DNSKEY record.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews The only recognized flags are KSK (Key Signing Key) and REVOKE.
<dt><span class="term">-G</span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Generate a key, but do not publish it or sign with it. This
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews option is incompatible with -P and -A.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews If generating a Diffie Hellman key, use this generator.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Allowed values are 2 and 5. If no generator
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews is specified, a known prime from RFC 2539 will be used
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews if possible; otherwise the default is 2.
<dt><span class="term">-h</span></dt>
41aad56b6cc458cbf7b8483576d990a77ae9bac2Andreas Gustafsson Prints a short summary of the options and arguments to
41aad56b6cc458cbf7b8483576d990a77ae9bac2Andreas Gustafsson <span><strong class="command">dnssec-keygen</strong></span>.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Deprecated in favor of -T KEY.
373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews Sets the default TTL to use for this key when it is converted
373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews into a DNSKEY RR. If the key is imported into a zone,
373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews this is the TTL that will be used for it, unless there was
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews already a DNSKEY RRset in place, in which case the existing TTL
373ce67419680a398ba3dc51a14a486caaf0afb0Mark Andrews would take precedence. If this value is not set and there
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews is no existing DNSKEY RRset, the TTL will default to the
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews SOA TTL. Setting the default TTL to <code class="literal">0</code>
3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff or <code class="literal">none</code> is the same as leaving it unset.
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Sets the protocol value for the generated key. The protocol
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews is a number between 0 and 255. The default is 3 (DNSSEC).
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews Other possible values for this argument are listed in
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews RFC 2535 and its successors.
<dt><span class="term">-q</span></dt>
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews Quiet mode: Suppresses unnecessary output, including
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews progress indication. Without this option, when
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews <span><strong class="command">dnssec-keygen</strong></span> is run interactively
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews to generate an RSA or DSA key pair, it will print a string
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews of symbols to <code class="filename">stderr</code> indicating the
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews progress of the key generation. A '.' indicates that a
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews random number has been found which passed an initial
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews sieve test; '+' means a number has passed a single
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews round of the Miller-Rabin primality test; a space
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews means that the number has passed all the tests and is
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews a satisfactory key.
2bc0da0cd874b15593d65338ba96e90ceed13072Mark Andrews<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
4529cdaedaf1a0a5f8ff89aeca510b7a4475446cBob Halley Specifies the source of randomness. If the operating
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence system does not provide a <code class="filename">/dev/random</code>
94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews or equivalent device, the default source of randomness
94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews is keyboard input. <code class="filename">randomdev</code>
94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews specifies the name of a character device or file containing random
82ca33427bdd4f3bc4ed3431e86bd810fe751674Andreas Gustafsson data to be used instead of the default. The special value
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews <code class="filename">keyboard</code> indicates that keyboard
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews input should be used.
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
9281e7aa775026dc47c01745fdcc438645146877Mark Andrews Create a new key which is an explicit successor to an
94a3bcd132e515b4baa0884ba9dd0f361d2e17bcMark Andrews existing key. The name, algorithm, size, and type of the
d981ca645597116d227a48bf37cc5edc061c854dBob Halley key will be set to match the existing key. The activation
3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff date of the new key will be set to the inactivation date of
6d12fdf96621801e80f3f4c2a8a569fe48766a20David Lawrence the existing one. The publication date will be set to the
d981ca645597116d227a48bf37cc5edc061c854dBob Halley activation date minus the prepublication interval, which
d981ca645597116d227a48bf37cc5edc061c854dBob Halley defaults to 30 days.
82ca33427bdd4f3bc4ed3431e86bd810fe751674Andreas Gustafsson<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
d981ca645597116d227a48bf37cc5edc061c854dBob Halley Specifies the strength value of the key. The strength is
419590499823ce15b5d2ad4fe71eaf04bd5a86c0Michael Graff a number between 0 and 15, and currently has no defined
d981ca645597116d227a48bf37cc5edc061c854dBob Halley purpose in DNSSEC.
3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley Specifies the resource record type to use for the key.
3ddd814a97de1d152ba0913c592d6e6dc83d38a6Michael Graff <code class="option">rrtype</code> must be either DNSKEY or KEY. The
e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley default is DNSKEY when using a DNSSEC algorithm, but it can be
e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley overridden to KEY for use with SIG(0).
e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley Using any TSIG algorithm (HMAC-* or DH) forces this option
e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley Indicates the use of the key. <code class="option">type</code> must be
e27a69f8bd9538e08f775265167ba6cc5f47c587Bob Halley one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
854d0238dbc2908490197984b3b9d558008a53dfMark Andrews is AUTHCONF. AUTH refers to the ability to authenticate