man.dnssec-keygen.html revision 8b1cba45ade83893c009b37f47d5478e97eb61d2
<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keygen.html,v 1.87 2008/09/28 01:11:38 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2603506"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2603520"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA), RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
 These values are case insensitive.
 </p>
<p>
 Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 mandatory.
 </p>
<p>
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
 </p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
 </p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)),
 or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
 generation.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
 </p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
 </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key), which applies
 to DNSKEY records.
 </p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
 </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
 </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
 </p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
Specifies the source of randomness. If the operating
system does not provide a <code class="filename">/dev/random</code>
or equivalent device, the default source of randomness
is keyboard input. <code class="filename">randomdev</code>
specifies
the name of a character device or file containing random
data to be used instead of the default. The special value
<code class="filename">keyboard</code> indicates that keyboard
input should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
Specifies the strength value of the key. The strength is
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2606252"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the
algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private
key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific fields, including the private key material,
 so it is created without general read permission.
 </p>
<p>
Both <code class="filename">.key</code> and <code class="filename">.private</code>
files are generated for symmetric encryption algorithms such as
HMAC-MD5, even though the public and private key are equivalent.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2606497"></a><h2>EXAMPLE</h2>
<p>
To generate a 768-bit DSA key for the domain
<strong class="userinput"><code>example.com</code></strong>, the following command would be
issued:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
</p>
<p>
The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
</p>
<p>
In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
the files <code class="filename">Kexample.com.+003+26160.key</code>
and
<code class="filename">Kexample.com.+003+26160.private</code>.
</p>
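<p>
 The identification string and file pair described under GENERATED KEYS,
 and the example above, can be checked mechanically. The following Python
 is an added example, not part of the BIND manual or its tools: it splits a
 <code class="filename">Knnnn.+aaa+iiiii</code> name into its parts, reads the
 DNSKEY record from a <code class="filename">.key</code> file, recomputes the
 key tag with the RFC 4034 Appendix B procedure, and confirms that the tag
 matches the <code class="filename">iiiii</code> field of the file name. The
 <code class="filename">.key</code> file content and its four-byte public key
 are constructed for this example and are not a real DSA key; the function
 names are this example's own.
</p>

```python
import base64
import re

# IANA DNSSEC algorithm numbers for the algorithms this page lists;
# 157 is the private-use number BIND assigns to HMAC-MD5 (TSIG) keys.
ALGORITHM_NAMES = {
    1: "RSAMD5",
    2: "DH",
    3: "DSA",
    5: "RSASHA1",
    6: "NSEC3DSA",
    7: "NSEC3RSASHA1",
    157: "HMAC-MD5",
}

# Knnnn.+aaa+iiiii, optionally followed by the .key or .private suffix.
_KEYID_RE = re.compile(
    r"^K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})(?:\.(?P<ext>key|private))?$"
)


def parse_key_id(key_id: str) -> dict:
    """Split a dnssec-keygen identification string (or file name) into its parts."""
    m = _KEYID_RE.match(key_id)
    if m is None:
        raise ValueError(f"not a dnssec-keygen key identifier: {key_id!r}")
    alg = int(m.group("alg"))
    return {
        "name": m.group("name"),          # owner name, trailing dot included
        "algorithm": alg,
        "algorithm_name": ALGORITHM_NAMES.get(alg, "unknown"),
        "key_tag": int(m.group("tag")),   # the "footprint" / key identifier
        "ext": m.group("ext"),
    }


def key_tag(rdata: bytes, algorithm: int) -> int:
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (flags, protocol, algorithm, key)."""
    if algorithm == 1:
        # RSAMD5 uses a different rule (RFC 4034 Appendix B.1); not handled here.
        raise NotImplementedError("key tag for RSAMD5 (algorithm 1) not implemented")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8   # sum the RDATA as 16-bit words
    ac += (ac >> 16) & 0xFFFF                 # fold the carry back in
    return ac & 0xFFFF


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def parse_key_file(text: str) -> dict:
    """Parse the first DNSKEY/KEY record in .key file text; returns owner and wire RDATA."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue  # blank line or comment
        try:
            idx = next(i for i, f in enumerate(fields) if f in ("DNSKEY", "KEY"))
        except StopIteration:
            continue
        flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
        public_key = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split
        return {
            "owner": fields[0],
            "flags": flags,
            "protocol": protocol,
            "algorithm": algorithm,
            "rdata": dnskey_rdata(flags, protocol, algorithm, public_key),
        }
    raise ValueError("no DNSKEY/KEY record found")


def key_file_matches_name(file_name: str, key_file_text: str) -> bool:
    """True when the algorithm and key tag in the file name agree with the record inside."""
    ident = parse_key_id(file_name)
    rec = parse_key_file(key_file_text)
    return (rec["algorithm"] == ident["algorithm"]
            and key_tag(rec["rdata"], rec["algorithm"]) == ident["key_tag"])


# Constructed sample (not a real key): a DSA (algorithm 3) zone key (flags 256)
# whose "public key" is the four placeholder bytes 01 02 03 04.
# Its RFC 4034 key tag is 2057, hence the +003+02057 file name.
SAMPLE_KEY_FILE = "example.com. IN DNSKEY 256 3 3 AQIDBA==\n"
SAMPLE_FILE_NAME = "Kexample.com.+003+02057.key"

if __name__ == "__main__":
    print(parse_key_id("Kexample.com.+003+26160"))
    print("sample file name matches record:",
          key_file_matches_name(SAMPLE_FILE_NAME, SAMPLE_KEY_FILE))
```

<p>
 Running the module parses the page's own example string and checks the
 constructed sample; the check fails, as it should, when the file name's tag
 does not match the record. An RSAMD5 (algorithm 1) key uses a different
 key-tag rule (RFC 4034 Appendix B.1), which the example deliberately
 refuses rather than guessing.
</p>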
</div>
<div class="refsect1" lang="en">
<a name="id2606553"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 2535</em>,
<em class="citetitle">RFC 2845</em>,
<em class="citetitle">RFC 2539</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2606584"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-keyfromlabel</span>&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-signzone</span>
</td>
</tr>
</table>
</div>
</body>
</html>