man.dnssec-keygen.html revision 71c66a876ecca77923638d3f94cc0783152b2f03
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<!--
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen - Copyright (C) 2000-2003 Internet Software Consortium.
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen -
258adfa09081ea8600a39759d486e678b5aa5f60Timo Sirainen - Permission to use, copy, modify, and distribute this software for any
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen - purpose with or without fee is hereby granted, provided that the above
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen - copyright notice and this permission notice appear in all copies.
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen -
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen - PERFORMANCE OF THIS SOFTWARE.
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen-->
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<!-- $Id: man.dnssec-keygen.html,v 1.31 2006/06/29 13:03:32 marka Exp $ -->
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<html>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<head>
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<title>dnssec-keygen</title>
4afaedfcbd43896befbe1fd5c10eba42246f3fdeTimo Sirainen<meta name="generator" content="DocBook XSL Stylesheets V1.70.1">
4afaedfcbd43896befbe1fd5c10eba42246f3fdeTimo Sirainen<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
eed03830015b7138b9d4522e72bef650aa24b45fTimo Sirainen<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
eed03830015b7138b9d4522e72bef650aa24b45fTimo Sirainen<link rel="prev" href="man.host.html" title="host">
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen</head>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<div class="navheader">
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<table width="100%" summary="Navigation header">
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<tr>
9c45821d7448c6f63391d318a6dff785e46e58eeTimo Sirainen<td width="20%" align="left">
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<a accesskey="p" href="man.host.html">Prev</a>�</td>
9c45821d7448c6f63391d318a6dff785e46e58eeTimo Sirainen<th width="60%" align="center">Manual pages</th>
9c45821d7448c6f63391d318a6dff785e46e58eeTimo Sirainen<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen</td>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen</tr>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen</table>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<hr>
2ef5254ab6b446b93ce7733bc96eeefa6f731ee4Timo Sirainen</div>
2ef5254ab6b446b93ce7733bc96eeefa6f731ee4Timo Sirainen<div class="refentry" lang="en">
2ef5254ab6b446b93ce7733bc96eeefa6f731ee4Timo Sirainen<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
2ef5254ab6b446b93ce7733bc96eeefa6f731ee4Timo Sirainen<div class="refnamediv">
2ef5254ab6b446b93ce7733bc96eeefa6f731ee4Timo Sirainen<h2>Name</h2>
291f1e54dcb8c7f38e5b78afc1eaf518e3756692Timo Sirainen<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
291f1e54dcb8c7f38e5b78afc1eaf518e3756692Timo Sirainen</div>
291f1e54dcb8c7f38e5b78afc1eaf518e3756692Timo Sirainen<div class="refsynopsisdiv">
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<h2>Synopsis</h2>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
2ef5254ab6b446b93ce7733bc96eeefa6f731ee4Timo Sirainen</div>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<div class="refsect1" lang="en">
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<a name="id2602966"></a><h2>DESCRIPTION</h2>
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen<p><span><strong class="command">dnssec-keygen</strong></span>
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen and RFC &lt;TBA\&gt;. It can also generate keys for use with
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen TSIG (Transaction Signatures), as defined in RFC 2845.
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen </p>
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen</div>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<div class="refsect1" lang="en">
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<a name="id2602980"></a><h2>OPTIONS</h2>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<div class="variablelist"><dl>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<dd>
16d8197506b63d2ca7e38447df9faf1612c1f288Timo Sirainen<p>
16d8197506b63d2ca7e38447df9faf1612c1f288Timo Sirainen Selects the cryptographic algorithm. The value of
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen DSA, DH (Diffie Hellman), or HMAC-MD5. These values
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen are case insensitive.
16d8197506b63d2ca7e38447df9faf1612c1f288Timo Sirainen </p>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<p>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen algorithm,
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen </p>
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen<p>
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen Note 2: HMAC-MD5 and DH automatically set the -k flag.
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen </p>
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen</dd>
f9db221d0793f05c4631885e71f98145428a7e1bTimo Sirainen<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
258adfa09081ea8600a39759d486e678b5aa5f60Timo Sirainen<dd><p>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen Specifies the number of bits in the key. The choice of key
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen between
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen 512 and 2048 bits. Diffie Hellman keys must be between
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen 128 and 4096 bits. DSA keys must be between 512 and 1024
44f3f472a49078312432b785fddcfe7b95928391Timo Sirainen bits and an exact multiple of 64. HMAC-MD5 keys must be
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen between 1 and 512 bits.
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen </p></dd>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen<dd><p>
92e6bb6497f8c9d57bff334a5c9f31bc2f040394Timo Sirainen Specifies the owner type of the key. The value of
92e6bb6497f8c9d57bff334a5c9f31bc2f040394Timo Sirainen <code class="option">nametype</code> must either be ZONE (for a DNSSEC
92e6bb6497f8c9d57bff334a5c9f31bc2f040394Timo Sirainen zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
92e6bb6497f8c9d57bff334a5c9f31bc2f040394Timo Sirainen a host (KEY)),
58c61ac5650583d21c891e61e051c614290d31fbTimo Sirainen USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are
case insensitive.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
If generating an RSAMD5/RSASHA1 key, use a large exponent.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
If generating a Diffie Hellman key, use this generator.
Allowed values are 2 and 5. If no generator
is specified, a known prime from RFC 2539 will be used
if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2603528"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
creates two file, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private
key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
The <code class="filename">.private</code> file contains algorithm
specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric encryption algorithm such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2606571"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
</p>
<p>
The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
</p>
<p>
In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
the files <code class="filename">Kexample.com.+003+26160.key</code>
and
<code class="filename">Kexample.com.+003+26160.private</code>
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2606628"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2535</em>,
<em class="citetitle">RFC 2845</em>,
<em class="citetitle">RFC 2539</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2606659"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.host.html">Prev</a>�</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">host�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�<span class="application">dnssec-signzone</span></td>
</tr>
</table>
</div>
</body>
</html>