man.dnssec-keygen.html revision a3ff24aaa545c45b8c581b2127d02d735aff8881
64185f9824e42f21ca7b9ae6c004484215c031a7rbb - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - Copyright (C) 2000-2003 Internet Software Consortium.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - Permission to use, copy, modify, and/or distribute this software for any
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - purpose with or without fee is hereby granted, provided that the above
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - copyright notice and this permission notice appear in all copies.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding - PERFORMANCE OF THIS SOFTWARE.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<!-- $Id$ -->
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
64185f9824e42f21ca7b9ae6c004484215c031a7rbb<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>�</td>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
64185f9824e42f21ca7b9ae6c004484215c031a7rbb<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<p><span><strong class="command">dnssec-keygen</strong></span>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding and RFC 4034. It can also generate keys for use with
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding (Transaction Key) as defined in RFC 2930.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding The <code class="option">name</code> of the key is specified on the command
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding line. For DNSSEC keys, this must match the name of the zone for
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding which the key is being generated.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Selects the cryptographic algorithm. For DNSSEC keys, the value
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding ECDSAP256SHA256 or ECDSAP384SHA384.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding case insensitive.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding If no algorithm is specified, then RSASHA1 will be used by
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding default, unless the <code class="option">-3</code> option is specified,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding in which case NSEC3RSASHA1 will be used instead. (If
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <code class="option">-3</code> is used and an algorithm is specified,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding that algorithm will be checked for compatibility with NSEC3.)
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding automatically set the -T KEY option.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Specifies the number of bits in the key. The choice of key
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding size depends on the algorithm used. RSA keys must be
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding between 512 and 2048 bits. Diffie Hellman keys must be between
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding 128 and 4096 bits. DSA keys must be between 512 and 1024
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding bits and an exact multiple of 64. HMAC keys must be
4cff088e460b3832142e59c63b357f8cf4d77fa8ake between 1 and 512 bits. Elliptic curve algorithms don't need
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding this parameter.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding The key size does not need to be specified if using a default
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding algorithm. The default key size is 1024 bits for zone signing
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding keys (ZSKs) and 2048 bits for key signing keys (KSKs,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding generated with <code class="option">-f KSK</code>). However, if an
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding algorithm is explicitly specified with the <code class="option">-a</code>,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding then there is no default key size, and the <code class="option">-b</code>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding must be used.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Specifies the owner type of the key. The value of
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <code class="option">nametype</code> must either be ZONE (for a DNSSEC
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding a host (KEY)),
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
b4c8a80f7dbfc9b56dbe03bdc28f0b5eb5f23697rbb These values are case insensitive. Defaults to ZONE for DNSKEY
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding generation.
b4c8a80f7dbfc9b56dbe03bdc28f0b5eb5f23697rbb Use an NSEC3-capable algorithm to generate a DNSSEC key.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding If this option is used and no algorithm is explicitly
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding set on the command line, NSEC3RSASHA1 will be used by
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding default. Note that RSASHA256, RSASHA512, ECCGOST,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding are NSEC3-capable.
b4c8a80f7dbfc9b56dbe03bdc28f0b5eb5f23697rbb Compatibility mode: generates an old-style key, without
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding will include the key's creation date in the metadata stored
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding with the private key, and other dates may be set there as well
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding (publication date, activation date, etc). Keys that include
b4c8a80f7dbfc9b56dbe03bdc28f0b5eb5f23697rbb this data may be incompatible with older versions of BIND; the
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <code class="option">-C</code> option suppresses them.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Indicates that the DNS record containing the key should have
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding the specified class. If not specified, class IN is used.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Specifies the cryptographic hardware to use, when applicable.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding When BIND is built with OpenSSL PKCS#11 support, this defaults
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding to the string "pkcs11", which identifies an OpenSSL engine
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding that can drive a cryptographic accelerator or hardware service
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding module. When BIND is built with native PKCS#11 cryptography
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding (--enable-native-pkcs11), it defaults to the path of the PKCS#11
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding provider library specified via "--with-pkcs11".
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Set the specified flag in the flag field of the KEY/DNSKEY record.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding The only recognized flags are KSK (Key Signing Key) and REVOKE.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Generate a key, but do not publish it or sign with it. This
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding option is incompatible with -P and -A.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding If generating a Diffie Hellman key, use this generator.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Allowed values are 2 and 5. If no generator
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding is specified, a known prime from RFC 2539 will be used
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding if possible; otherwise the default is 2.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Prints a short summary of the options and arguments to
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <span><strong class="command">dnssec-keygen</strong></span>.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Sets the directory in which the key files are to be written.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Deprecated in favor of -T KEY.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Sets the default TTL to use for this key when it is converted
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding into a DNSKEY RR. If the key is imported into a zone,
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding this is the TTL that will be used for it, unless there was
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding already a DNSKEY RRset in place, in which case the existing TTL
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding would take precedence. Setting the default TTL to
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <code class="literal">0</code> or <code class="literal">none</code> removes it.
b4c8a80f7dbfc9b56dbe03bdc28f0b5eb5f23697rbb<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Sets the protocol value for the generated key. The protocol
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding is a number between 0 and 255. The default is 3 (DNSSEC).
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Other possible values for this argument are listed in
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding RFC 2535 and its successors.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Quiet mode: Suppresses unnecessary output, including
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding progress indication. Without this option, when
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <span><strong class="command">dnssec-keygen</strong></span> is run interactively
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding to generate an RSA or DSA key pair, it will print a string
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding of symbols to <code class="filename">stderr</code> indicating the
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding progress of the key generation. A '.' indicates that a
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding random number has been found which passed an initial
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding sieve test; '+' means a number has passed a single
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding round of the Miller-Rabin primality test; a space
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding means that the number has passed all the tests and is
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding a satisfactory key.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Specifies the source of randomness. If the operating
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding system does not provide a <code class="filename">/dev/random</code>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding or equivalent device, the default source of randomness
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding is keyboard input. <code class="filename">randomdev</code>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding the name of a character device or file containing random
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding data to be used instead of the default. The special value
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding <code class="filename">keyboard</code> indicates that keyboard
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding input should be used.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Create a new key which is an explicit successor to an
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding existing key. The name, algorithm, size, and type of the
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding key will be set to match the existing key. The activation
577a76180006add04a166b12f1ad130aeedeaa5estoddard date of the new key will be set to the inactivation date of
577a76180006add04a166b12f1ad130aeedeaa5estoddard the existing one. The publication date will be set to the
577a76180006add04a166b12f1ad130aeedeaa5estoddard activation date minus the prepublication interval, which
577a76180006add04a166b12f1ad130aeedeaa5estoddard defaults to 30 days.
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Specifies the strength value of the key. The strength is
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding a number between 0 and 15, and currently has no defined
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding purpose in DNSSEC.
b4c8a80f7dbfc9b56dbe03bdc28f0b5eb5f23697rbb<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
0f081398cf0eef8cc7c66a535d450110a92dc8aefielding Specifies the resource record type to use for the key.