man.dnssec-keygen.html revision 6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7c
 - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: man.dnssec-keygen.html,v 1.200 2011/10/14 00:04:22 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
 (Transaction Key) as defined in RFC 2930.
 The <code class="option">name</code> of the key is specified on the command
 line. For DNSSEC keys, this must match the name of the zone for
 which the key is being generated.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. For DNSSEC keys, the value
 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
 For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC-MD5,
 HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.
 These values are case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 automatically set the -T KEY option.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits.
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with the <code class="option">-a</code> option,
 then there is no default key size, and <code class="option">-b</code>
 must be used.
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)) or
 OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY
<dt><span class="term">-3</span></dt>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default. Note that the RSASHA256, RSASHA512 and ECCGOST algorithms
 are NSEC3-capable.
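<p>The following is an added example, not ISC code and not part of this manual page. It turns the rules stated above for <code class="option">-a</code>, <code class="option">-b</code>, <code class="option">-3</code>, <code class="option">-f KSK</code> and the TSIG/TKEY algorithms into a pre-flight check that a wrapper script can run before invoking <strong class="command">dnssec-keygen</strong>, so a bad combination (an explicit algorithm with no size, a non-NSEC3 algorithm with <code class="option">-3</code>, an out-of-range size) is rejected with a clear message instead of a tool error. All function names are the example's own; the limits and defaults are the ones this page states, and ECCGOST, for which the page gives no size limit, is not size-checked.</p>

```python
"""Pre-flight validation of dnssec-keygen arguments (added example, not ISC code).

Encodes the rules the manual page gives for -a, -b, -3, -f KSK and the
TSIG/TKEY algorithms. resolve_parameters, check_keysize, error_for and
build_command are this example's own names.
"""

DNSSEC_ALGORITHMS = {"RSAMD5", "RSASHA1", "DSA", "NSEC3RSASHA1", "NSEC3DSA",
                     "RSASHA256", "RSASHA512", "ECCGOST"}
# TSIG/TKEY algorithms; the page says these automatically select -T KEY.
TSIG_ALGORITHMS = {"DH", "HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224",
                   "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512"}
# Algorithms accepted together with -3: the NSEC3 variants plus the three the
# page notes as NSEC3-capable.
NSEC3_CAPABLE = {"NSEC3RSASHA1", "NSEC3DSA", "RSASHA256", "RSASHA512", "ECCGOST"}


def check_keysize(algorithm, bits):
    """Apply the size limits the -b description states for each algorithm family."""
    alg = algorithm.upper()
    if alg in ("DSA", "NSEC3DSA"):
        return 512 <= bits <= 1024 and bits % 64 == 0   # exact multiple of 64
    if alg == "DH":
        return 128 <= bits <= 4096
    if alg.startswith("HMAC-"):
        return 1 <= bits <= 512
    if alg == "ECCGOST":
        return True                                      # page states no -b limit
    if "RSA" in alg:
        return 512 <= bits <= 2048
    raise ValueError(f"unknown algorithm {algorithm!r}")


def resolve_parameters(algorithm=None, keysize=None, nsec3=False, ksk=False):
    """Return the (algorithm, keysize, rrtype) dnssec-keygen would use, or raise.

    algorithm/keysize are the -a/-b values (None when not given), nsec3 is -3
    and ksk is -f KSK.
    """
    if algorithm is None:
        # Default algorithm, and with it a default size: 1024-bit ZSK, 2048-bit KSK.
        algorithm = "NSEC3RSASHA1" if nsec3 else "RSASHA1"
        if keysize is None:
            keysize = 2048 if ksk else 1024
    else:
        algorithm = algorithm.upper()            # names are case insensitive
        if algorithm not in DNSSEC_ALGORITHMS | TSIG_ALGORITHMS:
            raise ValueError(f"unknown algorithm {algorithm!r}")
        if nsec3 and algorithm not in NSEC3_CAPABLE:
            raise ValueError(f"{algorithm} is not NSEC3-capable")
        if keysize is None:
            # An explicit -a has no default size; -b becomes mandatory.
            raise ValueError("-b is required when -a is given")
    if not check_keysize(algorithm, keysize):
        raise ValueError(f"key size {keysize} is not valid for {algorithm}")
    rrtype = "KEY" if algorithm in TSIG_ALGORITHMS else "DNSKEY"
    return algorithm, keysize, rrtype


def error_for(**kwargs):
    """The validation error message for a set of options, or None if they pass."""
    try:
        resolve_parameters(**kwargs)
    except ValueError as exc:
        return str(exc)
    return None


def build_command(name, algorithm=None, keysize=None, nsec3=False, ksk=False,
                  nametype="ZONE"):
    """Assemble a validated dnssec-keygen argument list for the given key name."""
    alg, bits, _rrtype = resolve_parameters(algorithm, keysize, nsec3, ksk)
    cmd = ["dnssec-keygen", "-a", alg, "-b", str(bits)]
    if nsec3:
        cmd.append("-3")
    if ksk:
        cmd += ["-f", "KSK"]
    cmd += ["-n", nametype, name]
    return cmd


if __name__ == "__main__":
    # The page's own example invocation, reproduced by the builder.
    print(" ".join(build_command("example.com", "DSA", 768)))
```

<p>The returned <code>rrtype</code> mirrors Note 2: any HMAC or DH algorithm yields KEY, everything else DNSKEY, so a script can also predict which record type the <code class="filename">.key</code> file will carry.</p>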
<dt><span class="term">-C</span></dt>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc.). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 Uses crypto hardware (an OpenSSL engine) for random number
 and, when supported, key generation. When compiled with PKCS#11
 support it defaults to pkcs11; the empty name resets it to
<dt><span class="term">-e</span></dt>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
<dt><span class="term">-G</span></dt>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
 Deprecated in favor of -T KEY.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-q</span></dt>
 Quiet mode: suppresses unnecessary output, including
 progress indication. Without this option, when
 <span><strong class="command">dnssec-keygen</strong></span> is run interactively
 to generate an RSA or DSA key pair, it will print a string
 of symbols to <code class="filename">stderr</code> indicating the
 progress of the key generation. A '.' indicates that a
 random number has been found which passed an initial
 sieve test; '+' means a number has passed a single
 round of the Miller-Rabin primality test; a space
 means that the number has passed all the tests and is
 a satisfactory key.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
 Create a new key which is an explicit successor to an
 existing key. The name, algorithm, size, and type of the
 key will be set to match the existing key. The activation
 date of the new key will be set to the inactivation date of
 the existing one. The publication date will be set to the
 activation date minus the prepublication interval, which
 defaults to 30 days.
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
 Specifies the resource record type to use for the key.
 <code class="option">rrtype</code> must be either DNSKEY or KEY. The
 default is DNSKEY when using a DNSSEC algorithm, but it can be
 overridden to KEY for use with SIG(0).
 Using any TSIG algorithm (HMAC-* or DH) forces this option
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
<a name="id2668852"></a><h2>TIMING OPTIONS</h2>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds.
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now".
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 Sets the prepublication interval for a key. If set, then
 the publication and activation dates must be separated by at least
 this much time. If the activation date is specified but the
 publication date isn't, then the publication date will default
 to this much time before the activation date; conversely, if
 the publication date is specified but the activation date isn't,
 then activation will be set to this much time after publication.
 If the key is being created as an explicit successor to another
 key, then the default prepublication interval is 30 days;
 otherwise it is zero.
 As with date offsets, if the argument is followed by one of
 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
 interval is measured in years, months, weeks, days, hours,
 or minutes, respectively. Without a suffix, the interval is
 measured in seconds.
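<p>The following is an added example, not ISC code and not part of this manual page. It implements the date/offset grammar of the TIMING OPTIONS section and the interaction of <code class="option">-P</code>, <code class="option">-A</code>, <code class="option">-G</code>, <code class="option">-i</code> and <code class="option">-S</code> described above, so a rollover script can compute in advance the publication and activation dates a key will carry and catch a publication/activation pair that violates the prepublication interval. The function names and the fixed reference time <code>NOW</code> are the example's own (constructed for the demonstration; a real script would use the current time), and the year and month lengths are exactly the page's 365 and 30 24-hour days.</p>

```python
"""Timing-option arithmetic from the dnssec-keygen manual page (added example,
not ISC code). Reproduces the page's rules for date/offset arguments, -i, -P,
-A, -G and -S. parse_date, parse_interval, plan_timing, plan_strings,
successor_plan, timing_error, fmt and NOW are this example's own names.
"""
import re
from datetime import datetime, timedelta

# Offset suffixes as the page defines them: a year is 365 24-hour days and a
# month is 30 24-hour days; no suffix means seconds.
_UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                 "d": 86400, "h": 3600, "mi": 60, None: 1}
_SUFFIX = r"(y|mo|w|d|h|mi)?"

# Constructed reference time for the demonstration (a real script would use
# the current UTC time).
NOW = datetime(2011, 10, 14, 0, 0, 0)


def parse_interval(text):
    """-i argument: digits plus an optional suffix, as a timedelta."""
    m = re.fullmatch(r"(\d+)" + _SUFFIX, text)
    if not m:
        raise ValueError(f"bad interval {text!r}")
    return timedelta(seconds=int(m.group(1)) * _UNIT_SECONDS[m.group(2)])


def parse_date(text, now):
    """date/offset argument: YYYYMMDD, YYYYMMDDHHMMSS, or a +/- offset from now."""
    m = re.fullmatch(r"([+-])(\d+)" + _SUFFIX, text)
    if m:
        delta = timedelta(seconds=int(m.group(2)) * _UNIT_SECONDS[m.group(3)])
        return now + delta if m.group(1) == "+" else now - delta
    if re.fullmatch(r"\d{8}", text):
        return datetime.strptime(text, "%Y%m%d")
    if re.fullmatch(r"\d{14}", text):
        return datetime.strptime(text, "%Y%m%d%H%M%S")
    raise ValueError(f"bad date/offset {text!r}")


def plan_timing(now, publish=None, activate=None, interval=None,
                gen_only=False, successor_inactive=None):
    """Publication and activation dates the key would be given.

    publish/activate are the -P/-A strings, interval the -i string, gen_only
    the -G flag, successor_inactive the predecessor's inactivation date (-S).
    Returns {"publish": dt, "activate": dt}, None for a date left unset.
    """
    if gen_only and (publish or activate):
        raise ValueError("-G is incompatible with -P and -A")
    # Prepublication interval: explicit -i, else 30 days for a successor, else 0.
    if interval is not None:
        prepub = parse_interval(interval)
    elif successor_inactive is not None:
        prepub = timedelta(days=30)
    else:
        prepub = timedelta(0)

    pub = parse_date(publish, now) if publish else None
    act = parse_date(activate, now) if activate else None
    if successor_inactive is not None:
        act = successor_inactive          # -S: activate when the old key retires
    if act is not None and pub is None:
        pub = act - prepub                # -i: publish before activation
    elif pub is not None and act is None:
        act = pub + prepub                # -i: activate after publication
    elif pub is None and act is None and not gen_only:
        pub = act = now                   # -P/-A default to "now" unless -G
    if pub is not None and act is not None and act - pub < prepub:
        raise ValueError("publication and activation must be separated by "
                         "at least the prepublication interval")
    return {"publish": pub, "activate": act}


def fmt(dt):
    """Render a date the way the page writes absolute dates (YYYYMMDDHHMMSS)."""
    return None if dt is None else dt.strftime("%Y%m%d%H%M%S")


def plan_strings(**kwargs):
    """plan_timing against NOW, both dates rendered as strings."""
    plan = plan_timing(NOW, **kwargs)
    return fmt(plan["publish"]), fmt(plan["activate"])


def successor_plan(inactive_text, interval=None):
    """Dates for a -S successor of a key retiring at inactive_text."""
    return plan_strings(successor_inactive=parse_date(inactive_text, NOW),
                        interval=interval)


def timing_error(**kwargs):
    """The error message plan_timing raises for these options, or None."""
    try:
        plan_timing(NOW, **kwargs)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    print(plan_strings(activate="+30d", interval="7d"))   # -A +30d -i 7d
    print(successor_plan("20120101"))                     # -S, predecessor -I 20120101
```

<p>Note that with <code class="option">-A</code> given and <code class="option">-P</code> omitted, publication follows the <code class="option">-i</code> rule (activation minus the interval, which with the zero default is the activation date itself); the "now" default under <code class="option">-P</code> applies only when neither date is set.</p>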
<a name="id2668973"></a><h2>GENERATED KEYS</h2>
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully, it prints a string of the form
 <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
<li><p><code class="filename">nnnn</code> is the key name.
<li><p><code class="filename">aaa</code> is the numeric representation
<li><p><code class="filename">iiiii</code> is the key identifier (or
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 The <code class="filename">.key</code> file contains a DNS KEY record that
 can be inserted into a zone file (directly or with a $INCLUDE
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric encryption algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
 The command would print a string of the form:
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code> and
 <code class="filename">Kexample.com.+003+26160.private</code>.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>
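<p>The following is an added example, not ISC code and not part of this manual page. It shows the consumer side of the GENERATED KEYS section: parsing the <code class="filename">Knnnn.+aaa+iiiii</code> string the tool prints, deriving the two file names from it, spotting key pairs in a key directory that are missing their <code class="filename">.key</code> or <code class="filename">.private</code> half (the page says both are always written, even for HMAC keys), and checking that a <code class="filename">.private</code> file really has no group or world permission. The function names are the example's own; the algorithm-number table comes from the IANA DNS Security Algorithm Numbers registry and BIND's private-use numbers for the TSIG algorithms, not from this page, which shows only +003 (DSA); the directory listing is constructed, including the second, RSASHA1 key identifier.</p>

```python
"""Consume dnssec-keygen's output and check the files it leaves behind (added
example, not ISC code). parse_key_id, algorithm_name, key_file_names,
incomplete_pairs, private_mode_ok and check_private_file are this example's
own names; SAMPLE_LISTING is a constructed directory listing.
"""
import os
import re
import stat

# IANA DNS Security Algorithm Numbers for the DNSSEC algorithms, plus BIND's
# private-use numbers for the TSIG ones (not from the page, which shows only
# +003 for DSA).
ALGORITHM_NUMBERS = {
    1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 6: "NSEC3DSA",
    7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512", 12: "ECCGOST",
    157: "HMAC-MD5", 161: "HMAC-SHA1", 162: "HMAC-SHA224", 163: "HMAC-SHA256",
    164: "HMAC-SHA384", 165: "HMAC-SHA512",
}

# Knnnn.+aaa+iiiii: key name (with its trailing dot), 3-digit algorithm
# number, 5-digit key identifier.
_KEY_ID_RE = re.compile(r"^K(?P<name>.+\.)\+(?P<alg>\d{3})\+(?P<kid>\d{5})$")
_KEY_FILE_RE = re.compile(r"^(?P<id>K.+\.\+\d{3}\+\d{5})\.(?P<ext>key|private)$")


def parse_key_id(text):
    """Split the printed identification string into (name, algorithm, key id)."""
    m = _KEY_ID_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a dnssec-keygen key identifier: {text!r}")
    return m.group("name"), int(m.group("alg")), int(m.group("kid"))


def algorithm_name(number):
    """Mnemonic for the numeric algorithm field, or unknown(n)."""
    return ALGORITHM_NUMBERS.get(number, f"unknown({number})")


def key_file_names(text, directory=None):
    """The .key and .private file names derived from the printed string."""
    ident = text.strip()
    parse_key_id(ident)                  # reject anything that is not a key id
    base = ident if directory is None else os.path.join(directory, ident)
    return base + ".key", base + ".private"


def incomplete_pairs(filenames):
    """Key identifiers in a listing that lack their .key or .private half.

    dnssec-keygen always writes both files, even for HMAC keys, so a lone
    file usually means an interrupted run or a stray copy of a private key.
    """
    seen = {}
    for filename in filenames:
        m = _KEY_FILE_RE.match(filename)
        if m:
            seen.setdefault(m.group("id"), set()).add(m.group("ext"))
    return sorted(k for k, exts in seen.items() if exts != {"key", "private"})


def private_mode_ok(mode):
    """True when a .private file grants nothing to group or others.

    Stricter than the page's "no general read permission": group/other write
    and execute bits are rejected as well.
    """
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def check_private_file(path):
    """Stat a .private file on disk and apply private_mode_ok to its mode."""
    return private_mode_ok(os.stat(path).st_mode)


# Constructed listing of a key directory: the page's DSA pair, an orphaned
# .key for a second (made-up) RSASHA1 key, and an unrelated zone file.
SAMPLE_LISTING = [
    "Kexample.com.+003+26160.key",
    "Kexample.com.+003+26160.private",
    "Kexample.com.+005+12345.key",
    "example.com.zone",
]

if __name__ == "__main__":
    name, alg, kid = parse_key_id("Kexample.com.+003+26160")
    print(name, algorithm_name(alg), kid)       # example.com. DSA 26160
    print(incomplete_pairs(SAMPLE_LISTING))     # ['Kexample.com.+005+12345']
```

<p><code>check_private_file</code> is the piece to run after every key generation in an automated pipeline; <code>incomplete_pairs</code> is a cheap periodic check over the <code class="option">-K</code> directory.</p>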