man.dnssec-keygen.html revision a53c45b2b8e778663ea51834272169dc946b6672
568de8123acb1a94e2d7bfe9cc5eb5d099f6c1f5Mark Andrews - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
51e6164fd6b47121040f79b6330edf6258418a0bMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
ef9334d745a759b02821950230260c1941d066d3Mukund Sivaraman - Permission to use, copy, modify, and distribute this software for any
ef9334d745a759b02821950230260c1941d066d3Mukund Sivaraman - purpose with or without fee is hereby granted, provided that the above
ef9334d745a759b02821950230260c1941d066d3Mukund Sivaraman - copyright notice and this permission notice appear in all copies.
6ffa8fcf764121bbe3b9eb116ddade5778608375Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
bbd5c0ab33b7c76058a4b17bd1f9ce443aa90c7fEvan Hunt - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
bbd5c0ab33b7c76058a4b17bd1f9ce443aa90c7fEvan Hunt - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
bbd5c0ab33b7c76058a4b17bd1f9ce443aa90c7fEvan Hunt - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
c73a7e127fd3d2b2d3257f67d7a0b94441797f3aMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
c73a7e127fd3d2b2d3257f67d7a0b94441797f3aMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
c73a7e127fd3d2b2d3257f67d7a0b94441797f3aMark Andrews - PERFORMANCE OF THIS SOFTWARE.
bad82a46c420eaa5ca62a319923472fba7e391f1Mark Andrews<!-- $Id: man.dnssec-keygen.html,v 1.64 2008/01/18 07:19:52 marka Exp $ -->
09ab38c151751b76b8043275422239463eb70cbdMark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
adbb48b4a0c6216f96d8b40712f23da893444f1cMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
adbb48b4a0c6216f96d8b40712f23da893444f1cMark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
61cfadb50e2ddce1073760e77880de73eb6e65daMark Andrews<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
61cfadb50e2ddce1073760e77880de73eb6e65daMark Andrews<link rel="prev" href="man.host.html" title="host">
61cfadb50e2ddce1073760e77880de73eb6e65daMark Andrews<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
9896a01aebb4201459079f8926dcd8045514b73aEvan Hunt<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
22e29471c784acd09619841926c4f765e36ac74aEvan Hunt<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
acbb301e648b82fcc38b876a44403cf0fe539cc9Evan Hunt<a accesskey="p" href="man.host.html">Prev</a>&nbsp;</td>
9823d3d0fa2995a90f577a5801b1e5f7288a1facJeremy C. Reed<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
89740699cd2191d9b84e67716c281b2dfeba5e56Evan Hunt<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
46bc64f4b1a0e84ab0397943453fe83a17baf2c4Evan Hunt<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
46bc64f4b1a0e84ab0397943453fe83a17baf2c4Evan Hunt<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
62258ada486dfe76afc3f0f3835d3a45d2d8105cEvan Hunt<p><span><strong class="command">dnssec-keygen</strong></span>
8cbf3b6fc35091abde426930f2eadb8f53476c98Evan Hunt generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
8cbf3b6fc35091abde426930f2eadb8f53476c98Evan Hunt and RFC 4034. It can also generate keys for use with
8cbf3b6fc35091abde426930f2eadb8f53476c98Evan Hunt TSIG (Transaction Signatures), as defined in RFC 2845.
9ba2cef72dacb1dc1105415956e1c311ac25d02cEvan Hunt<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
78f79084fcfc40f1237c99e2d4325b24b750d012Evan Hunt Selects the cryptographic algorithm. The value of
78f79084fcfc40f1237c99e2d4325b24b750d012Evan Hunt <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
78f79084fcfc40f1237c99e2d4325b24b750d012Evan Hunt DSA, DH (Diffie Hellman), or HMAC-MD5. These values
a2fd1de97d9ff685697aadba7f67a450557b0a06Evan Hunt are case insensitive.
def8172275039dd667d2c54afa51af80fef9c2abEvan Hunt Note 1: for DNSSEC, RSASHA1 is mandatory to implement
cc2a5156841ec6dfe1e90eed40c65fa8cdec246dTinderbox User and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
d51456e4537729c2263303350abeff45379b1105Evan Hunt Note 2: HMAC-MD5 and DH automatically set the -k flag.
e69790ac0067c0034f57e070d513833550786a93Evan Hunt<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
e69790ac0067c0034f57e070d513833550786a93Evan Hunt Specifies the number of bits in the key. The choice of key
67d01dcacb2051a03377c8ec5c0e36604c17aea5Evan Hunt size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
67d01dcacb2051a03377c8ec5c0e36604c17aea5Evan Hunt between 512 and 2048 bits. Diffie Hellman keys must be between
67d01dcacb2051a03377c8ec5c0e36604c17aea5Evan Hunt 128 and 4096 bits. DSA keys must be between 512 and 1024
6be12fa63b38fe7648811e042c9aad58cee2ead7Evan Hunt bits and an exact multiple of 64. HMAC-MD5 keys must be
6be12fa63b38fe7648811e042c9aad58cee2ead7Evan Hunt between 1 and 512 bits.
6be12fa63b38fe7648811e042c9aad58cee2ead7Evan Hunt<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
262fea66373a062cac1a0e99b5a4675987bb61ffEvan Hunt Specifies the owner type of the key. The value of
262fea66373a062cac1a0e99b5a4675987bb61ffEvan Hunt <code class="option">nametype</code> must either be ZONE (for a DNSSEC
084ba95b083dc55fd10631ad43fa8fff48707648Evan Hunt zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
084ba95b083dc55fd10631ad43fa8fff48707648Evan Hunt a host (KEY)),
084ba95b083dc55fd10631ad43fa8fff48707648Evan Hunt USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
084ba95b083dc55fd10631ad43fa8fff48707648Evan Hunt These values are case insensitive. Defaults to ZONE for DNSKEY
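The -a, -b and -n rules above, plus the note that HMAC-MD5 and DH imply -k, expressed as a small argument builder. This is an added example, not code from BIND or the manual; the function names and the choice to reject bad sizes before invoking the tool are assumptions of the example.

```python
from typing import List

# -b limits per algorithm as stated in this manual page:
# (min_bits, max_bits, required multiple or None)
KEYSIZE_LIMITS = {
    "RSAMD5": (512, 2048, None),
    "RSASHA1": (512, 2048, None),
    "DH": (128, 4096, None),
    "DSA": (512, 1024, 64),
    "HMAC-MD5": (1, 512, None),
}
# -n values listed on this page (case insensitive)
NAMETYPES = {"ZONE", "HOST", "ENTITY", "USER", "OTHER"}
# Note 2 on this page: these algorithms automatically set -k
IMPLIES_KEY_RECORD = {"HMAC-MD5", "DH"}


def validate_keysize(algorithm: str, keysize: int) -> None:
    """Raise ValueError unless keysize is legal for algorithm (-a is case insensitive)."""
    alg = algorithm.upper()
    if alg not in KEYSIZE_LIMITS:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    lo, hi, multiple = KEYSIZE_LIMITS[alg]
    if not lo <= keysize <= hi:
        raise ValueError(f"{alg} keys must be between {lo} and {hi} bits, got {keysize}")
    if multiple and keysize % multiple:
        raise ValueError(f"{alg} keys must be an exact multiple of {multiple} bits, got {keysize}")


def record_type(algorithm: str, explicit_k: bool = False) -> str:
    """Which record type the generated key will use: KEY (-k) or DNSKEY."""
    if explicit_k or algorithm.upper() in IMPLIES_KEY_RECORD:
        return "KEY"
    return "DNSKEY"


def keygen_args(algorithm: str, keysize: int, name: str, nametype: str = "ZONE") -> List[str]:
    """Return the argv for dnssec-keygen after checking the option values."""
    alg, ntype = algorithm.upper(), nametype.upper()
    validate_keysize(alg, keysize)
    if ntype not in NAMETYPES:
        raise ValueError(f"unknown nametype {nametype!r}")
    return ["dnssec-keygen", "-a", alg, "-b", str(keysize), "-n", ntype, name]
```

For the 768-bit DSA zone key used later on this page, keygen_args("dsa", 768, "example.com") yields the documented command line.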
3ef4b7383ab4310df48ee5143e361ab1cfa3c8e8Evan Hunt<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
72aa3b2a4e33a1b9b3521fddce383002b7201ab7Evan Hunt Indicates that the DNS record containing the key should have
72aa3b2a4e33a1b9b3521fddce383002b7201ab7Evan Hunt the specified class. If not specified, class IN is used.
e71905610c72f474a2943934a48f43121c79c939Evan Hunt If generating an RSAMD5/RSASHA1 key, use a large exponent.
e71905610c72f474a2943934a48f43121c79c939Evan Hunt<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
1aced7b8702288f656ded594cd5bd7678bb4fe70Evan Hunt Set the specified flag in the flag field of the KEY/DNSKEY record.
1aced7b8702288f656ded594cd5bd7678bb4fe70Evan Hunt The only recognized flag is KSK (Key Signing Key) DNSKEY.
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt If generating a Diffie Hellman key, use this generator.
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt Allowed values are 2 and 5. If no generator
f79ee00c69259b9a27f9f0d12afa6c7b64005dedEvan Hunt is specified, a known prime from RFC 2539 will be used
f79ee00c69259b9a27f9f0d12afa6c7b64005dedEvan Hunt if possible; otherwise the default is 2.
7fbbc9bfd34f47aab843de668d5f5ffbc53d6e45Mark Andrews Prints a short summary of the options and arguments to
96c17c5ecb012028ad9d66f93a252994c6ed035cMark Andrews <span><strong class="command">dnssec-keygen</strong></span>.
98922b2b2b024dcca25be7c220cf3b16b1e6c4b5Evan Hunt Generate KEY records rather than DNSKEY records.
98922b2b2b024dcca25be7c220cf3b16b1e6c4b5Evan Hunt<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
1eb5e1b4d7ea98dea07000edef15148d3d714b9dEvan Hunt Sets the protocol value for the generated key. The protocol
98922b2b2b024dcca25be7c220cf3b16b1e6c4b5Evan Hunt is a number between 0 and 255. The default is 3 (DNSSEC).
3a01ded15da064de23124e5d1a89143eceec5523Evan Hunt Other possible values for this argument are listed in
3a01ded15da064de23124e5d1a89143eceec5523Evan Hunt RFC 2535 and its successors.
0072ae822d966550f7c0956ed22184ec20e98f34Mark Andrews<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
0072ae822d966550f7c0956ed22184ec20e98f34Mark Andrews Specifies the source of randomness. If the operating
0072ae822d966550f7c0956ed22184ec20e98f34Mark Andrews system does not provide a <code class="filename">/dev/random</code>
9e39bafd2ef3e52719b5f16aec077c7885e7e1f1Mark Andrews or equivalent device, the default source of randomness
9e39bafd2ef3e52719b5f16aec077c7885e7e1f1Mark Andrews is keyboard input. <code class="filename">randomdev</code>
02a5e3ed85cbfc099874bb34e5901537399b5e24Mark Andrews specifies the name of a character device or file containing random
02a5e3ed85cbfc099874bb34e5901537399b5e24Mark Andrews data to be used instead of the default. The special value
bce9696c7ac65792469b29ce0ad13564953b62caEvan Hunt <code class="filename">keyboard</code> indicates that keyboard
bce9696c7ac65792469b29ce0ad13564953b62caEvan Hunt input should be used.
bce9696c7ac65792469b29ce0ad13564953b62caEvan Hunt<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
edd82b2ce275d513fb2799b90ec464f434880e87Mark Andrews Specifies the strength value of the key. The strength is
86856f4f3069bb2d75851b56401ffde18f41198fMark Andrews a number between 0 and 15, and currently has no defined
86856f4f3069bb2d75851b56401ffde18f41198fMark Andrews purpose in DNSSEC.
86856f4f3069bb2d75851b56401ffde18f41198fMark Andrews<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
83eecff731c1a049b12f01fb699fa15ab7ddac2eEvan Hunt Indicates the use of the key. <code class="option">type</code> must be
83eecff731c1a049b12f01fb699fa15ab7ddac2eEvan Hunt one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
83eecff731c1a049b12f01fb699fa15ab7ddac2eEvan Hunt is AUTHCONF. AUTH refers to the ability to authenticate
16134801ce8fffbb6c42bb54d544c3397a45ad06Mark Andrews data, and CONF the ability to encrypt data.
64584aa0980625f834fa148dc3c95ab714efe703Evan Hunt<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
16134801ce8fffbb6c42bb54d544c3397a45ad06Mark Andrews Sets the debugging level.
4357e13a4bc2e175d73b20f9ef3e809b3e269ee4Evan Hunt When <span><strong class="command">dnssec-keygen</strong></span> completes
d7b9756a214030b0022ce791b67b12fb7bceeea0Evan Hunt successfully,
fd75aaa2b9816703fda5e8b2cd071a3ec7387a08Evan Hunt it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
7e2e41df676e1e19186242afd88a6794e37a9becMark Andrews to the standard output. This is an identification string for
7f5bdf7f4063c2fefb18900468d2c851f8de7816Evan Hunt the key it has generated.
35f6a21f5f8114542c050bfcb484b39ce513d4bdEvan Hunt<li><p><code class="filename">nnnn</code> is the key name.
35f6a21f5f8114542c050bfcb484b39ce513d4bdEvan Hunt<li><p><code class="filename">aaa</code> is the numeric representation
35f6a21f5f8114542c050bfcb484b39ce513d4bdEvan Hunt<li><p><code class="filename">iiiii</code> is the key identifier (or
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt<p><span><strong class="command">dnssec-keygen</strong></span>
6a3fa181d1253db5191139e20231512eebaddeebEvan Hunt creates two files, with names based
b5f6271f4daf1e54501af2cb7dd278d7e8003d65Mark Andrews on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
0a5927a14f055f5550c76c818119f4811984272cMark Andrews contains the public key, and
96a35905057eb2ba7d977460776b06ae0911c8a7Evan Hunt <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
7da74ea46df30a7431441a3b8adf5134dab5067eJeremy C. Reed The <code class="filename">.key</code> file contains a DNS KEY record
b5f6271f4daf1e54501af2cb7dd278d7e8003d65Mark Andrews can be inserted into a zone file (directly or with a $INCLUDE
1361e038900701e126213261c0a1178025ae5a72Tinderbox User The <code class="filename">.private</code> file contains
1361e038900701e126213261c0a1178025ae5a72Tinderbox User algorithm-specific
1361e038900701e126213261c0a1178025ae5a72Tinderbox User fields. For obvious security reasons, this file does not have
1361e038900701e126213261c0a1178025ae5a72Tinderbox User general read permission.
1361e038900701e126213261c0a1178025ae5a72Tinderbox User Both <code class="filename">.key</code> and <code class="filename">.private</code>
38eabfcee7a9f206c268834ab9cb6d3408a31380Mark Andrews files are generated for symmetric encryption algorithms such as
38eabfcee7a9f206c268834ab9cb6d3408a31380Mark Andrews HMAC-MD5, even though the public and private key are equivalent.
51143259789034ac19e12984a8390b9f86ab368cMark Andrews To generate a 768-bit DSA key for the domain
1d761cb453c76353deb8423c78e98d00c5f86ffaEvan Hunt <strong class="userinput"><code>example.com</code></strong>, the following command would be
1d761cb453c76353deb8423c78e98d00c5f86ffaEvan Hunt<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
98922b2b2b024dcca25be7c220cf3b16b1e6c4b5Evan Hunt The command would print a string of the form:
14bf4702f37cc707ede64a097f7d4aa671265492Evan Hunt<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
31f6244cc25ab0f8937edc26dbb26ba4f6a01f19Evan Hunt In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
31f6244cc25ab0f8937edc26dbb26ba4f6a01f19Evan Hunt the files <code class="filename">Kexample.com.+003+26160.key</code> and
2729aea3c1a720269aaae92ce3a84af1ba0a75ebMark Andrews <code class="filename">Kexample.com.+003+26160.private</code>.
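The Knnnn.+aaa+iiiii identification string and the two files derived from it, handled in code, together with the permission check the .private description implies. This is an added example, not part of the manual or of BIND; the algorithm-number table is the IANA DNSSEC algorithm registry (the page itself only shows 003 for DSA), and the function names are assumptions of the example.

```python
import os
import re
import stat
from typing import NamedTuple, Tuple

# IANA algorithm numbers for the -a values on this page; 3 is the +003 in the
# DSA example above. (Table supplied by this example, not by the manual.)
ALGORITHM_NAMES = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 157: "HMAC-MD5"}

# Knnnn.+aaa+iiiii: the name keeps its trailing dot, then a 3-digit algorithm
# number and a 5-digit key identifier, each introduced by "+".
KEY_ID_RE = re.compile(r"^K(?P<name>.+\.)\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


class KeyId(NamedTuple):
    name: str        # owner name, e.g. "example.com."
    algorithm: int   # numeric algorithm (aaa)
    key_tag: int     # key identifier (iiiii)

    @property
    def algorithm_name(self) -> str:
        return ALGORITHM_NAMES.get(self.algorithm, f"alg{self.algorithm}")

    @property
    def files(self) -> Tuple[str, str]:
        """The .key (public) and .private file names dnssec-keygen creates."""
        base = f"K{self.name}+{self.algorithm:03d}+{self.key_tag:05d}"
        return base + ".key", base + ".private"


def parse_key_id(ident: str) -> KeyId:
    """Parse the identification string dnssec-keygen prints on success."""
    m = KEY_ID_RE.match(ident.strip())
    if m is None:
        raise ValueError(f"not a dnssec-keygen key identifier: {ident!r}")
    return KeyId(m.group("name"), int(m.group("alg")), int(m.group("tag")))


def private_mode_ok(mode: int) -> bool:
    """True when a .private file mode grants no group or other permissions."""
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_private_file(path: str) -> bool:
    """Verify an on-disk .private file still has no general read permission."""
    return private_mode_ok(os.stat(path).st_mode)
```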
842a3e6d0eb745e34a3cc3e19c8c39b9492ac739Evan Hunt<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
842a3e6d0eb745e34a3cc3e19c8c39b9492ac739Evan Hunt <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews<p><span class="corpauthor">Internet Systems Consortium</span>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews<table width="100%" summary="Navigation footer">
41e55d04032c0eefd39d74ffb73657b04fb821ecEvan Hunt<a accesskey="p" href="man.host.html">Prev</a>&nbsp;</td>
166341d55424ca522eb456a1c7d0211e391f1ac8Evan Hunt<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
166341d55424ca522eb456a1c7d0211e391f1ac8Evan Hunt<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
166341d55424ca522eb456a1c7d0211e391f1ac8Evan Hunt<td width="40%" align="left" valign="top">host&nbsp;</td>
166341d55424ca522eb456a1c7d0211e391f1ac8Evan Hunt<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
166341d55424ca522eb456a1c7d0211e391f1ac8Evan Hunt<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-signzone</span>