man.dnssec-keygen.html revision 6ddb448306dd58f2521b4f9859b38dbb402e1dd1
<!--
 - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keygen.html,v 1.54 2007/08/13 05:27:51 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.host.html" title="host">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<tr>
<td width="20%" align="left"><a accesskey="p" href="man.host.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a></td>
</tr>
</table>
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.</p>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA), RSASHA1,
 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
 are case insensitive.
 Note 1: for DNSSEC, RSASHA1 is mandatory to implement
 and DSA is recommended; RSAMD5 is retained for compatibility with
 older deployments and should not be chosen for new zone keys.
 For TSIG, HMAC-MD5 is mandatory.
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
</p></dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
 generation.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
 If generating an RSAMD5/RSASHA1 key, use a large public exponent
 (65537) instead of the small default (3).
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key), which applies to
 DNSKEY records.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used. Whatever source is chosen, the private key is
 only as strong as the randomness fed into it.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<p>When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.</p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
 of the algorithm.</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
 footprint).</p></li>
</ul>
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 private key.</p>
<p>The <code class="filename">.key</code> file contains a DNS KEY record that
 can be inserted into a zone file (directly or with a $INCLUDE
 statement).</p>
<p>The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission. Only the <code class="filename">.key</code> file
 belongs in the zone; the <code class="filename">.private</code> file must
 never be published or included in zone data.</p>
<p>Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.</p>
<p>To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
 issued:</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong></p>
<p>The command would print a string of the form:</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong></p>
<p>In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code> and
 <code class="filename">Kexample.com.+003+26160.private</code>.</p>
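<p>The identification string and the <code class="filename">.key</code> file describe the same key, so the two can be cross-checked before the public key is $INCLUDEd into a zone: the algorithm number and the key tag in the printed <code class="filename">Knnnn.+aaa+iiiii</code> string must equal the algorithm and the RFC 4034 Appendix B key tag computed over the DNSKEY RDATA, and the <code class="filename">.private</code> file must carry no group/other permission bits. The following is an added example written for this page, not code from BIND or <span class="application">dnssec-keygen</span>; the sample <code class="filename">.key</code> line uses a constructed four-byte "public key" (not a real key) so the key tag arithmetic can be followed by hand, and the file names, function names and the 0600/0644 test files are assumptions made for the illustration.</p>

```python
import base64
import os
import re
import stat
import tempfile

# Identification string printed on success: Knnnn.+aaa+iiiii
# (nnnn = owner name, aaa = algorithm number, iiiii = key tag/footprint).
KEY_ID_RE = re.compile(r"^K(?P<name>[^+]+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def parse_key_id(ident):
    """Split 'Kexample.com.+003+26160' into ('example.com.', 3, 26160)."""
    m = KEY_ID_RE.match(ident.strip())
    if m is None:
        raise ValueError("not a dnssec-keygen identification string: %r" % ident)
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def format_key_id(owner, algorithm, tag):
    """Inverse of parse_key_id: the base name of the .key/.private files."""
    return "K%s+%03d+%05d" % (owner, algorithm, tag)


def key_tag(rdata, algorithm):
    """Key tag (footprint) over the DNSKEY RDATA, RFC 4034 Appendix B."""
    if algorithm == 1:
        # RSAMD5: most significant 16 bits of the least significant 24 bits
        # of the modulus, which is the tail of the public key field.
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_file(text):
    """Parse the DNSKEY/KEY record written to the .key file.

    Accepts an optional TTL and class before the type, e.g.
    'example.com. 3600 IN DNSKEY 257 3 5 <base64>'.
    """
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()            # drop comments
        if not line:
            continue
        toks = line.split()
        owner, rest = toks[0], toks[1:]
        if rest and rest[0].isdigit():                  # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):   # optional class
            rest = rest[1:]
        if len(rest) < 5 or rest[0].upper() not in ("DNSKEY", "KEY"):
            raise ValueError("not a DNSKEY/KEY record: %r" % line)
        flags, proto, alg = int(rest[1]), int(rest[2]), int(rest[3])
        pubkey = base64.b64decode("".join(rest[4:]))
        # Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        return {"owner": owner, "flags": flags, "protocol": proto,
                "algorithm": alg, "pubkey": pubkey, "rdata": rdata}
    raise ValueError("no DNSKEY/KEY record found")


def check_key(ident, key_file_text):
    """Cross-check the printed identification string against the .key file."""
    name, alg, tag = parse_key_id(ident)
    rec = parse_key_file(key_file_text)
    return {
        "owner_matches": rec["owner"].lower() == name.lower(),
        "algorithm_matches": rec["algorithm"] == alg,
        "tag_matches": key_tag(rec["rdata"], rec["algorithm"]) == tag,
        "zone_key": bool(rec["flags"] & 0x0100),   # flag bit 7: zone key
        "ksk": bool(rec["flags"] & 0x0001),        # flag bit 15: SEP, from -f KSK
    }


def private_key_is_protected(path):
    """True if the .private file carries no group/other permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return (mode & 0o077) == 0


def demo_permission_check():
    """Run the permission check on two throwaway files (0600 then 0644)."""
    results = []
    for mode in (0o600, 0o644):
        fd, path = tempfile.mkstemp(suffix=".private")   # assumed scratch file
        os.close(fd)
        os.chmod(path, mode)
        results.append(private_key_is_protected(path))
        os.unlink(path)
    return tuple(results)


# Constructed sample (not a real key): flags 257 = zone key + SEP, i.e. a KSK,
# algorithm 5 (RSASHA1), public key bytes 01 02 03 04.  RDATA is
# 01 01 03 05 01 02 03 04, whose Appendix B key tag is 2060.
SAMPLE_KEY_FILE = "example.com. IN DNSKEY 257 3 5 AQIDBA==\n"
SAMPLE_IDENT = "Kexample.com.+005+02060"

if __name__ == "__main__":
    print(check_key(SAMPLE_IDENT, SAMPLE_KEY_FILE))
    print(demo_permission_check())
```

<p>Running the script on a real key pair means reading <code class="filename">Knnnn.+aaa+iiiii.key</code> into <code class="userinput"><code>check_key</code></code> together with the string <span class="application">dnssec-keygen</span> printed, and passing the <code class="filename">.private</code> path to <code class="userinput"><code>private_key_is_protected</code></code>; any <code class="userinput"><code>False</code></code> in the result means the files were renamed, edited or had their permissions loosened since generation.</p>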
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 RFC 2535, RFC 2845, RFC 4034.</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left"><a accesskey="p" href="man.host.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a></td>
</tr>
<tr>
<td width="40%" align="left" valign="top">host&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-signzone</span></td>
</tr>
</table>