man.dnssec-keygen.html revision 824f38c0310fddef55f0f691580154022a7852f5
<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keygen.html,v 1.84 2008/09/24 01:12:39 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.</p>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA), RSASHA1,
 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
 are case insensitive.
</p>
<p>
 Note 1: for DNSSEC, RSASHA1 is mandatory to implement
 and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
</p>
<p>
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
</p></dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)),
 or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key), which applies to
 DNSKEY records.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
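<p>The key-size and record-type rules given under <code class="option">-a</code> and <code class="option">-b</code> can be checked before invoking the tool. The following is an added example, not BIND code; it does not call <span><strong class="command">dnssec-keygen</strong></span>, it only validates a requested <code class="option">-a</code>/<code class="option">-b</code> pair against the rules stated above and reports whether the <code class="option">-k</code> behaviour is implied.</p>

```python
"""Pre-check a dnssec-keygen -a/-b request against the manual's key-size
rules. Added example, not part of BIND: it never runs the tool, it only
rejects combinations the manual says are invalid."""

# Rules stated under -b, keyed by the -a algorithm names (case insensitive).
# Tuple is (minimum bits, maximum bits, required multiple).
KEY_SIZE_RULES = {
    "RSAMD5":   (512, 2048, 1),
    "RSASHA1":  (512, 2048, 1),
    "DH":       (128, 4096, 1),
    "DSA":      (512, 1024, 64),   # also an exact multiple of 64
    "HMAC-MD5": (1, 512, 1),
}

# Note 2 under -a: these algorithms automatically set -k (KEY, not DNSKEY).
IMPLIES_KEY_RECORDS = {"HMAC-MD5", "DH"}


def check_keygen_request(algorithm, keysize, key_records=False):
    """Return (ok, message, effective_k).

    ok          -- False when the manual's rules would reject the request
    message     -- explanation suitable for an operator
    effective_k -- True when KEY records (not DNSKEY) would be produced,
                   either because -k was given or the algorithm implies it
    """
    name = algorithm.upper()                     # -a values are case insensitive
    if name not in KEY_SIZE_RULES:
        return False, "unknown algorithm %r" % algorithm, key_records
    lo, hi, multiple = KEY_SIZE_RULES[name]
    if not lo <= keysize <= hi:
        msg = "%s keys must be between %d and %d bits, got %d" % (name, lo, hi, keysize)
        return False, msg, key_records
    if keysize % multiple:
        msg = "%s keys must be an exact multiple of %d bits, got %d" % (name, multiple, keysize)
        return False, msg, key_records
    effective_k = key_records or name in IMPLIES_KEY_RECORDS
    return True, "%s %d-bit key is acceptable" % (name, keysize), effective_k


if __name__ == "__main__":
    # Constructed sample requests, including the page's own 768-bit DSA example.
    for alg, bits in [("DSA", 768), ("dsa", 1000), ("RSASHA1", 4096), ("HMAC-MD5", 128)]:
        print(alg, bits, check_keygen_request(alg, bits))
```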
<a name="id2604285"></a><h2>GENERATED KEYS</h2>
<p>
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
</p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
</ul>
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 private key.
</p>
<p>
 The <code class="filename">.key</code> file contains a DNS KEY record that
 can be inserted into a zone file (directly or with a $INCLUDE
 statement).
</p>
<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
</p>
<p>
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric encryption algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
</p>
<p>
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
 issued:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong></p>
<p>
 The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong></p>
<p>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code> and
 <code class="filename">Kexample.com.+003+26160.private</code>.
</p>
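<p>The identification string above can be parsed to recover the key name, algorithm number and key identifier, and to derive the two file names; the permission bits of the <code class="filename">.private</code> file can then be checked against the "no general read permission" requirement from GENERATED KEYS. The following is an added example, not BIND code; the algorithm-number table is assumed from the DNSSEC algorithm registry (the page itself only shows 003 for DSA), and the <code class="filename">.private</code> file it inspects is a constructed placeholder written to a temporary directory.</p>

```python
"""Parse the Knnnn.+aaa+iiiii string dnssec-keygen prints, derive the
.key/.private file names, and check that the .private file is not
generally readable. Added example, not part of BIND."""
import os
import re
import stat
import tempfile

# GENERATED KEYS: K<name>.+<aaa>+<iiiii>, three-digit algorithm, five-digit id.
KEY_ID_RE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})$")

# Numeric values of the -a names; assumed from the DNSSEC algorithm registry
# and BIND's numbering, not stated on the page (which shows only 003 = DSA).
ALGORITHM_NAMES = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 157: "HMAC-MD5"}


def parse_key_identifier(line):
    """Return name, algorithm number/name, key id and both file names."""
    ident = line.strip()
    m = KEY_ID_RE.match(ident)
    if not m:
        raise ValueError("not a dnssec-keygen identifier: %r" % line)
    alg = int(m.group("alg"))
    return {
        "name": m.group("name"),
        "algorithm": alg,
        "algorithm_name": ALGORITHM_NAMES.get(alg, "unknown"),
        "key_id": int(m.group("id")),
        "public_file": ident + ".key",
        "private_file": ident + ".private",
    }


def private_key_mode_ok(path):
    """True when the file has no group or other read permission."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRGRP | stat.S_IROTH) == 0


def demo():
    """Constructed check on the page's example id and a placeholder .private file."""
    info = parse_key_identifier("Kexample.com.+003+26160")
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, info["private_file"])
        with open(path, "w") as f:
            f.write("constructed placeholder, not a real private key\n")
        os.chmod(path, 0o644)          # generally readable: should be flagged
        loose = private_key_mode_ok(path)
        os.chmod(path, 0o600)          # owner-only, as the manual requires
        tight = private_key_mode_ok(path)
    return info, loose, tight


if __name__ == "__main__":
    print(demo())
```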
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>.
</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>