man.dnssec-keygen.html revision 9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdff
<!--
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keygen.html,v 1.107 2009/02/26 01:12:16 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.
</p>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA), RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie-Hellman), or HMAC-MD5.
 These values are case insensitive.
</p><p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 mandatory.
</p><p>
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
</p></dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie-Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)),
 or OTHER (DNSKEY). These values are case insensitive. Defaults to
 ZONE for DNSKEY generation.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key), which applies to
 DNSKEY records.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
 If generating a Diffie-Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF to the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<p>
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
</p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation of the
 algorithm.</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
</ul>
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 private key.
</p>
<p>
 The <code class="filename">.key</code> file contains a DNS KEY record that
 can be inserted into a zone file (directly or with a $INCLUDE
 statement). The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
</p>
<p>
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric encryption algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
</p>
<p>
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
 issued:
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong></p>
<p>
 The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong></p>
<p>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code> and
 <code class="filename">Kexample.com.+003+26160.private</code>.
</p>
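<p>
 As an added example (not part of the BIND manual page or of BIND itself), the following Python checks a <code class="option">-a</code>/<code class="option">-b</code> pair against the key-size limits the <code class="option">-b</code> entry above lists, and splits the <code class="filename">Knnnn.+aaa+iiiii</code> identification string (or a <code class="filename">.key</code>/<code class="filename">.private</code> file name derived from it) into owner name, algorithm and key tag. The algorithm numbers are taken from RFC 4034 (157 for HMAC-MD5 is BIND's private-use value), and the NSEC3 variants are assumed to share their base algorithm's size limits, which the page does not state.
</p>

```python
import re
from typing import NamedTuple

# DNSSEC algorithm numbers from RFC 4034 (DSA = 3 matches the manual's
# Kexample.com.+003+26160 example); 157 is the private-use number BIND
# assigns to HMAC-MD5 for TSIG keys.
ALGORITHMS = {"RSAMD5": 1, "DH": 2, "DSA": 3, "RSASHA1": 5,
              "NSEC3DSA": 6, "NSEC3RSASHA1": 7, "HMAC-MD5": 157}
ALGORITHM_NAMES = {num: name for name, num in ALGORITHMS.items()}

# Inclusive key-size bounds as the manual states them for -b.  The NSEC3
# variants are assumed here to follow their base algorithm (not on the page).
KEYSIZE_RANGE = {"RSAMD5": (512, 2048), "RSASHA1": (512, 2048),
                 "NSEC3RSASHA1": (512, 2048), "DH": (128, 4096),
                 "DSA": (512, 1024), "NSEC3DSA": (512, 1024),
                 "HMAC-MD5": (1, 512)}


def check_keysize(algorithm: str, keysize: int) -> str:
    """Validate a -a/-b pair; return the canonical algorithm name or raise.
    Algorithm names are case insensitive, as the manual says for -a."""
    alg = algorithm.upper()
    if alg not in KEYSIZE_RANGE:
        raise ValueError(f"unknown algorithm {algorithm!r}")
    lo, hi = KEYSIZE_RANGE[alg]
    if not lo <= keysize <= hi:
        raise ValueError(f"{alg} keys must be between {lo} and {hi} bits, got {keysize}")
    if alg in ("DSA", "NSEC3DSA") and keysize % 64:
        raise ValueError(f"{alg} keys must be an exact multiple of 64 bits, got {keysize}")
    return alg


class KeyId(NamedTuple):
    name: str       # owner name as written in the file name (absolute, trailing dot)
    algorithm: str  # mnemonic looked up from the three-digit aaa field
    keytag: int     # iiiii: the 16-bit key tag, zero-padded to five digits


# Knnnn.+aaa+iiiii, optionally followed by the .key or .private suffix.
_KEYID_RE = re.compile(r"^K(?P<name>[^+]+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})"
                       r"(?:\.key|\.private)?$")


def parse_keyid(text: str) -> KeyId:
    """Split the identification string dnssec-keygen prints (or a file name
    derived from it) into its owner name, algorithm and key tag."""
    m = _KEYID_RE.match(text)
    if not m:
        raise ValueError(f"not a dnssec-keygen identification string: {text!r}")
    num = int(m.group("alg"))
    return KeyId(m.group("name"), ALGORITHM_NAMES.get(num, f"algorithm {num}"),
                 int(m.group("tag")))
```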
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span></p>