96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
72141595cf9d7faefcf7cf4fbab044c61a902b0fTinderbox User<!--
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence -
ec5347e2c775f027573ce5648b910361aa926c01Automatic Updater - This Source Code Form is subject to the terms of the Mozilla Public
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley - License, v. 2.0. If a copy of the MPL was not distributed with this
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley - file, You can obtain one at http://mozilla.org/MPL/2.0/.
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence-->
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<html lang="en">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<head>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<title>dnssec-keygen</title>
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<link rel="next" href="man.dnssec-keymgr.html" title="dnssec-keymgr">
7efc6d9cb8bea410d0580b03c7fab449f38902a4Mark Andrews</head>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<div class="navheader">
9c3531d72aeaad6c5f01efe6a1c82023e1379e4dDavid Lawrence<table width="100%" summary="Navigation header">
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<tr>
26cf4737b3e84c3a686a5eacebf22ac39e57d4caMark Andrews<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&nbsp;</td>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keymgr.html">Next</a>
5c7d67e3e68f8dbc45ffd4e1ea94696899b7b966Bob Halley</td>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley</tr>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley</table>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<hr>
ae8b7e02a8e5d7febba7d79b2c759add95a48f60Brian Wellington</div>
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉<div class="refentry">
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley
801dceea23d11975f5a5ae6ccbdf1dbde6b7af13David Lawrence
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <div class="refnamediv">
9cd6d409b78a6f833b681c13a68fbdc7c024fe66David Lawrence<h2>Name</h2>
801dceea23d11975f5a5ae6ccbdf1dbde6b7af13David Lawrence<p>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley <span class="application">dnssec-keygen</span>
ae8b7e02a8e5d7febba7d79b2c759add95a48f60Brian Wellington &#8212; DNSSEC key generation tool
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews </p>
1a69a1a78cfaa86f3b68bbc965232b7876d4da2aDavid Lawrence</div>
eefea43215016bce437ab4a7441b2851fd182960David Lawrence
ae8b7e02a8e5d7febba7d79b2c759add95a48f60Brian Wellington
440be4c866f6935ac069db79a414304507a664c2Michael Graff
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley <div class="refsynopsisdiv">
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<h2>Synopsis</h2>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <div class="cmdsynopsis"><p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <code class="command">dnssec-keygen</code>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 [<code class="option">-3</code>]
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 [<code class="option">-C</code>]
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
ae8b7e02a8e5d7febba7d79b2c759add95a48f60Brian Wellington [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
ae8b7e02a8e5d7febba7d79b2c759add95a48f60Brian Wellington [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
ae8b7e02a8e5d7febba7d79b2c759add95a48f60Brian Wellington [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-G</code>]
ae8b7e02a8e5d7febba7d79b2c759add95a48f60Brian Wellington [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
1b32bc7da1da9059abd68d6dd15b23e8a442afa3Brian Wellington [<code class="option">-h</code>]
1b32bc7da1da9059abd68d6dd15b23e8a442afa3Brian Wellington [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
0d89afffb26d5e53a761fc425dab3dda07c7e191Brian Wellington [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
1b32bc7da1da9059abd68d6dd15b23e8a442afa3Brian Wellington [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 [<code class="option">-k</code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-q</code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-V</code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt [<code class="option">-z</code>]
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt {name}
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </p></div>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </div>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <div class="refsection">
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<a name="id-1.14.12.7"></a><h2>DESCRIPTION</h2>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <p><span class="command"><strong>dnssec-keygen</strong></span>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt and RFC 4034. It can also generate keys for use with
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews (Transaction Key) as defined in RFC 2930.
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews </p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 The <code class="option">name</code> of the key is specified on the command
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 line. For DNSSEC keys, this must match the name of the zone for
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 which the key is being generated.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </div>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <div class="refsection">
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<a name="id-1.14.12.8"></a><h2>OPTIONS</h2>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <div class="variablelist"><dl class="variablelist">
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<dd>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 Selects the cryptographic algorithm. For DNSSEC keys, the value
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 ECDSAP256SHA256 or ECDSAP384SHA384.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 For TSIG/TKEY, the value must
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 case insensitive.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </p>
d7201de09b85929a86b157f4b2d91667c68c6b52Automatic Updater <p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 If no algorithm is specified, then RSASHA1 will be used by
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 default, unless the <code class="option">-3</code> option is specified,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 in which case NSEC3RSASHA1 will be used instead. (If
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <code class="option">-3</code> is used and an algorithm is specified,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 that algorithm will be checked for compatibility with NSEC3.)
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </p>
 <p>
 Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 mandatory.
 </p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 automatically set the -T KEY option.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </dd>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<dd>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <p>
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews Specifies the number of bits in the key. The choice of key
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 size depends on the algorithm used. RSA keys must be
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 between 512 and 2048 bits. Diffie Hellman keys must be between
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 128 and 4096 bits. DSA keys must be between 512 and 1024
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 bits and an exact multiple of 64. HMAC keys must be
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 between 1 and 512 bits. Elliptic curve algorithms don't need
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 this parameter.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <p>
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with the <code class="option">-a</code>
 option, then there is no default key size, and the
 <code class="option">-b</code> option must be used.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </dd>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dd>
8fec8134ea13c2c082c3e63f1ce0afd851e45a91Tatuya JINMEI 神明達哉 <p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)), or
 OTHER (DNSKEY). These values are case insensitive. Defaults to
 ZONE for DNSKEY generation.
03dd96d177e4ed6771be7fb5f86a3a9d5f17be4eBob Halley </p>
03dd96d177e4ed6771be7fb5f86a3a9d5f17be4eBob Halley </dd>
03dd96d177e4ed6771be7fb5f86a3a9d5f17be4eBob Halley<dt><span class="term">-3</span></dt>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<dd>
03dd96d177e4ed6771be7fb5f86a3a9d5f17be4eBob Halley <p>
03dd96d177e4ed6771be7fb5f86a3a9d5f17be4eBob Halley Use an NSEC3-capable algorithm to generate a DNSSEC key.
a829555ed724caa56b1ff7716d7eda2266491eafBob Halley If this option is used and no algorithm is explicitly
a829555ed724caa56b1ff7716d7eda2266491eafBob Halley set on the command line, NSEC3RSASHA1 will be used by
a829555ed724caa56b1ff7716d7eda2266491eafBob Halley default. Note that RSASHA256, RSASHA512, ECCGOST,
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley are NSEC3-capable.
03dd96d177e4ed6771be7fb5f86a3a9d5f17be4eBob Halley </p>
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater </dd>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<dt><span class="term">-C</span></dt>
97f1a75cf072c2cab98b4bc28c4d2491cfcd3086Bob Halley<dd>
97f1a75cf072c2cab98b4bc28c4d2491cfcd3086Bob Halley <p>
97f1a75cf072c2cab98b4bc28c4d2491cfcd3086Bob Halley Compatibility mode: generates an old-style key, without
97f1a75cf072c2cab98b4bc28c4d2491cfcd3086Bob Halley any metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater will include the key's creation date in the metadata stored
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 with the private key, and other dates may be set there as well
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley (publication date, activation date, etc). Keys that include
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley this data may be incompatible with older versions of BIND; the
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley <code class="option">-C</code> option suppresses them.
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley </p>
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley </dd>
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews<dd>
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley <p>
91cd0f93ad34d23e8b09dca337120f64fbe8f0a1Andreas Gustafsson Indicates that the DNS record containing the key should have
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley the specified class. If not specified, class IN is used.
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley </p>
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley </dd>
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews<dd>
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley <p>
9cd6d409b78a6f833b681c13a68fbdc7c024fe66David Lawrence Specifies the cryptographic hardware to use, when applicable.
9cd6d409b78a6f833b681c13a68fbdc7c024fe66David Lawrence </p>
9cd6d409b78a6f833b681c13a68fbdc7c024fe66David Lawrence <p>
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews When BIND is built with OpenSSL PKCS#11 support, this defaults
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley to the string "pkcs11", which identifies an OpenSSL engine
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley that can drive a cryptographic accelerator or hardware service
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence module. When BIND is built with native PKCS#11 cryptography
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley (--enable-native-pkcs11), it defaults to the path of the PKCS#11
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley provider library specified via "--with-pkcs11".
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley </p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </dd>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley <p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt Set the specified flag in the flag field of the KEY/DNSKEY record.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt The only recognized flags are KSK (Key Signing Key) and REVOKE.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </dd>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<dt><span class="term">-G</span></dt>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley <p>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley Generate a key, but do not publish it or sign with it. This
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley option is incompatible with -P and -A.
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley </p>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley </dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley <p>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley If generating a Diffie Hellman key, use this generator.
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley Allowed values are 2 and 5. If no generator
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews is specified, a known prime from RFC 2539 will be used
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley if possible; otherwise the default is 2.
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews </p>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley </dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<dt><span class="term">-h</span></dt>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley <p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt Prints a short summary of the options and arguments to
a829555ed724caa56b1ff7716d7eda2266491eafBob Halley <span class="command"><strong>dnssec-keygen</strong></span>.
a829555ed724caa56b1ff7716d7eda2266491eafBob Halley </p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </dd>
a829555ed724caa56b1ff7716d7eda2266491eafBob Halley<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dd>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 Sets the directory in which the key files are to be written.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </dd>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dt><span class="term">-k</span></dt>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dd>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt Deprecated in favor of -T KEY.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </dd>
634a52966f2324e6d5ceda191fd873ba1cfeb936Evan Hunt<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dd>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt Sets the default TTL to use for this key when it is converted
634a52966f2324e6d5ceda191fd873ba1cfeb936Evan Hunt into a DNSKEY RR. If the key is imported into a zone,
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt this is the TTL that will be used for it, unless there was
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 already a DNSKEY RRset in place, in which case the existing TTL
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 would take precedence. If this value is not set and there
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 is no existing DNSKEY RRset, the TTL will default to the
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 SOA TTL. Setting the default TTL to <code class="literal">0</code>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 or <code class="literal">none</code> is the same as leaving it unset.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </dd>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley <p>
0e58c0998df1ccd1a289b2c3f078e7d03d9331d3Bob Halley Sets the protocol value for the generated key. The protocol
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley is a number between 0 and 255. The default is 3 (DNSSEC).
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley Other possible values for this argument are listed in
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley RFC 2535 and its successors.
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley </p>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley </dd>
03dd96d177e4ed6771be7fb5f86a3a9d5f17be4eBob Halley<dt><span class="term">-q</span></dt>
03dd96d177e4ed6771be7fb5f86a3a9d5f17be4eBob Halley<dd>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <p>
03dd96d177e4ed6771be7fb5f86a3a9d5f17be4eBob Halley Quiet mode: Suppresses unnecessary output, including
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley progress indication. Without this option, when
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley to generate an RSA or DSA key pair, it will print a string
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley of symbols to <code class="filename">stderr</code> indicating the
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley progress of the key generation. A '.' indicates that a
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley random number has been found which passed an initial
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley sieve test; '+' means a number has passed a single
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley round of the Miller-Rabin primality test; a space
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley means that the number has passed all the tests and is
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt a satisfactory key.
dd324bd791a766c48d90ce9e43d1ab1446378983Bob Halley </p>
d8afbf2f30213b2638a4d77207913db576089c02Michael Sawyer </dd>
33e482fa3e8befab0d9aaf32ed47b4695e0e6ba3Andreas Gustafsson<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
33e482fa3e8befab0d9aaf32ed47b4695e0e6ba3Andreas Gustafsson<dd>
838f13fbdc513895d1826201a11531dbde9de04aBrian Wellington <p>
dde4382b7fd55c945ef7f4ae5792099ae3a09883Brian Wellington Specifies the source of randomness. If the operating
a6f31a3fd079f37ad0a7c75ef2d50842cd01811cBrian Wellington system does not provide a <code class="filename">/dev/random</code>
a6f31a3fd079f37ad0a7c75ef2d50842cd01811cBrian Wellington or equivalent device, the default source of randomness
a6f31a3fd079f37ad0a7c75ef2d50842cd01811cBrian Wellington is keyboard input. <code class="filename">randomdev</code>
d8afbf2f30213b2638a4d77207913db576089c02Michael Sawyer specifies
d8afbf2f30213b2638a4d77207913db576089c02Michael Sawyer the name of a character device or file containing random
838f13fbdc513895d1826201a11531dbde9de04aBrian Wellington data to be used instead of the default. The special value
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <code class="filename">keyboard</code> indicates that keyboard
a6f31a3fd079f37ad0a7c75ef2d50842cd01811cBrian Wellington input should be used.
aa3f41bafce993fbd2109ea3803cbce909db1c95Brian Wellington </p>
838f13fbdc513895d1826201a11531dbde9de04aBrian Wellington </dd>
838f13fbdc513895d1826201a11531dbde9de04aBrian Wellington<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dd>
838f13fbdc513895d1826201a11531dbde9de04aBrian Wellington <p>
d8afbf2f30213b2638a4d77207913db576089c02Michael Sawyer Create a new key which is an explicit successor to an
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt existing key. The name, algorithm, size, and type of the
a6f31a3fd079f37ad0a7c75ef2d50842cd01811cBrian Wellington key will be set to match the existing key. The activation
d8afbf2f30213b2638a4d77207913db576089c02Michael Sawyer date of the new key will be set to the inactivation date of
ae8b7e02a8e5d7febba7d79b2c759add95a48f60Brian Wellington the existing one. The publication date will be set to the
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley activation date minus the prepublication interval, which
97f1a75cf072c2cab98b4bc28c4d2491cfcd3086Bob Halley defaults to 30 days.
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley </p>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley </dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
0e58c0998df1ccd1a289b2c3f078e7d03d9331d3Bob Halley<dd>
0e58c0998df1ccd1a289b2c3f078e7d03d9331d3Bob Halley <p>
0e58c0998df1ccd1a289b2c3f078e7d03d9331d3Bob Halley Specifies the strength value of the key. The strength is
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley a number between 0 and 15, and currently has no defined
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley purpose in DNSSEC.
97f1a75cf072c2cab98b4bc28c4d2491cfcd3086Bob Halley </p>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley </dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews<dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley <p>
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews Specifies the resource record type to use for the key.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <code class="option">rrtype</code> must be either DNSKEY or KEY. The
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt default is DNSKEY when using a DNSSEC algorithm, but it can be
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley overridden to KEY for use with SIG(0).
 </p>
<p>
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence Using any TSIG algorithm (HMAC-* or DH) forces this option
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews to KEY.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington<dd>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington <p>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington Indicates the use of the key. <code class="option">type</code> must be
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington is AUTHCONF. AUTH refers to the ability to authenticate
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington data, and CONF the ability to encrypt data.
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington </p>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington </dd>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington<dd>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington <p>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington Sets the debugging level.
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews </p>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington </dd>
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews<dt><span class="term">-V</span></dt>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dd>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <p>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington Prints version information.
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington </p>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington </dd>
1fa64087e7afb06d6b0c0994ace49d1906e820f9Mark Andrews</dl></div>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington </div>
4b87939256ede703385e9cab92d3c58d03c31098Mark Andrews
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <div class="refsection">
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<a name="id-1.14.12.9"></a><h2>TIMING OPTIONS</h2>
48565891e8f2f8c77b87908b4893f693a08e9ba9Brian Wellington
0d89afffb26d5e53a761fc425dab3dda07c7e191Brian Wellington
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley <p>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt If the argument begins with a '+' or '-', it is interpreted as
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt an offset from the present time. For convenience, if such an offset
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt then the offset is computed in years (defined as 365 24-hour days,
e47208b6fb724cba7053baee4246b308e35403a2Evan Hunt ignoring leap years), months (defined as 30 24-hour days), weeks,
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt days, hours, or minutes, respectively. Without a suffix, the offset
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt is computed in seconds. To explicitly prevent a date from being
e47208b6fb724cba7053baee4246b308e35403a2Evan Hunt set, use 'none' or 'never'.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <div class="variablelist"><dl class="variablelist">
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dd>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt <p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt Sets the date on which a key is to be published to the zone.
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt After that date, the key will be included in the zone but will
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt not be used to sign it. If not set, and if the -G option has
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt not been used, the default is "now".
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt </dd>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley<dd>
96f55bdc736f8559b3a57260db6f0e964c44070dBob Halley <p>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt Sets the date on which CDS and CDNSKEY records that match this
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 key are to be published to the zone.
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </p>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </dd>
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews<dd>
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews <p>
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews Sets the date on which the key is to be activated. After that
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews date, the key will be included in the zone and used to sign
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews it. If not set, and if the -G option has not been used, the
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews default is "now". If set, and if -P is not set, then
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews the publication date will be set to the activation date
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews minus the prepublication interval.
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </p>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </dd>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley<dd>
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews <p>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley Sets the date on which the key is to be revoked. After that
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews date, the key will be flagged as revoked. It will be included
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley in the zone and will be used to sign it.
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </p>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </dd>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley<dd>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley <p>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley Sets the date on which the key is to be retired. After that
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley date, the key will still be included in the zone, but it
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley will not be used to sign it.
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </p>
91cd0f93ad34d23e8b09dca337120f64fbe8f0a1Andreas Gustafsson </dd>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley<dd>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley <p>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley Sets the date on which the key is to be deleted. After that
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence date, the key will no longer be included in the zone. (It
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews may remain in the key repository, however.)
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </p>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </dd>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley<dd>
62f016d5d301713c72a59e83d3ab41170a77f674Mark Andrews <p>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley Sets the date on which the CDS and CDNSKEY records that match this
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley key are to be deleted.
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </p>
bed86971bf7eb315e9c64f75bba331917f4557cfBob Halley </dd>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<dd>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson Sets the prepublication interval for a key. If set, then
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson the publication and activation dates must be separated by at least
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 this much time. If the activation date is specified but the
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson publication date isn't, then the publication date will default
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 to this much time before the activation date; conversely, if
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 the publication date is specified but activation date isn't,
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson then activation will be set to this much time after publication.
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <p>
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 If the key is being created as an explicit successor to another
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson key, then the default prepublication interval is 30 days;
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 otherwise it is zero.
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 As with date offsets, if the argument is followed by one of
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 interval is measured in years, months, weeks, days, hours,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 or minutes, respectively. Without a suffix, the interval is
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 measured in seconds.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </dd>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉</dl></div>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </div>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <div class="refsection">
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉<a name="id-1.14.12.10"></a><h2>GENERATED KEYS</h2>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson When <span class="command"><strong>dnssec-keygen</strong></span> completes
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson successfully,
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson to the standard output. This is an identification string for
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 the key it has generated.
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<li class="listitem">
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <p><code class="filename">nnnn</code> is the key name.
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </p>
1f1d36a87b65186d9f89aac7f456ab1fd2a39ef6Andreas Gustafsson </li>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<li class="listitem">
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 <p><code class="filename">aaa</code> is the numeric representation
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 of the
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson algorithm.
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </li>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<li class="listitem">
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <p><code class="filename">iiiii</code> is the key identifier (or
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson footprint).
386d3a99c190bad55edf44d076e6bd087e230ab8Tatuya JINMEI 神明達哉 </p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </li>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson</ul></div>
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 <p><span class="command"><strong>dnssec-keygen</strong></span>
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 creates two files, with names based
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 contains the public key, and
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
2f012d936b5ccdf6520c96a4de23721dc58a2221Automatic Updater private
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 key.
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 </p>
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 <p>
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 The <code class="filename">.key</code> file contains a DNSKEY (or KEY)
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 resource record that
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 can be inserted into a zone file (directly or with a $INCLUDE
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 statement).
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 </p>
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 <p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 The <code class="filename">.private</code> file contains
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 algorithm-specific
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson fields. Because it holds the private key material, this file does not have
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 general read permission.
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson Both <code class="filename">.key</code> and <code class="filename">.private</code>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson files are generated for symmetric cryptography algorithms such as
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson HMAC-MD5, even though for such algorithms the public and private keys are equivalent.
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </div>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <div class="refsection">
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<a name="id-1.14.12.11"></a><h2>EXAMPLE</h2>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson To generate a 768-bit DSA key for the domain
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <strong class="userinput"><code>example.com</code></strong>, the following command would be
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein issued:
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein </p>
1d90a73d6d0aa3f82c7e8d638e0013c331835eedAndreas Gustafsson <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
1d90a73d6d0aa3f82c7e8d638e0013c331835eedAndreas Gustafsson </p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <p>
1d90a73d6d0aa3f82c7e8d638e0013c331835eedAndreas Gustafsson The command would print a string of the form:
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein </p>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein <p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
1d90a73d6d0aa3f82c7e8d638e0013c331835eedAndreas Gustafsson </p>
1d90a73d6d0aa3f82c7e8d638e0013c331835eedAndreas Gustafsson <p>
1d90a73d6d0aa3f82c7e8d638e0013c331835eedAndreas Gustafsson In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson the files <code class="filename">Kexample.com.+003+26160.key</code>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson and
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <code class="filename">Kexample.com.+003+26160.private</code>.
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </div>
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <div class="refsection">
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<a name="id-1.14.12.12"></a><h2>SEE ALSO</h2>
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <p><span class="citerefentry">
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <span class="refentrytitle">dnssec-signzone</span>(8)
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </span>,
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson <em class="citetitle">RFC 2539</em>,
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉 <em class="citetitle">RFC 2845</em>,
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 <em class="citetitle">RFC 4034</em>.
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson </p>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉 </div>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉</div>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<div class="navfooter">
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<hr>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<table width="100%" summary="Navigation footer">
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<tr>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<td width="40%" align="left">
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&nbsp;</td>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keymgr.html">Next</a>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson</td>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson</tr>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<tr>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<td width="40%" align="left" valign="top">
6da7c87a77ecfd9ccce36f96b4ccd20e1b9cccf1Tatuya JINMEI 神明達哉<span class="application">dnssec-keyfromlabel</span>&nbsp;</td>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-keymgr</span>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉</td>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson</tr>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson</table>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson</div>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.1rc3</p>
8e7ce54bef167f582c675ac76c373009595578a3Andreas Gustafsson</body>
b99bfa184bc9375421b5df915eea7dfac6a68a99Evan Hunt</html>
307d2084502eddc7ce921e5ce439aec3531d90e0Tatuya JINMEI 神明達哉