man.dnssec-keygen.html revision b49958b502ee45022010a0b1bed3968f598895a4
<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keygen.html,v 1.88 2008/10/03 01:11:33 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.</p>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
 These values are case insensitive.
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
</p><p>
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
</p></dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd><p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
</p></dd>
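<p>The following is an added example, not part of BIND or of this manual page. It encodes the constraints the <code class="option">-a</code>, <code class="option">-b</code> and <code class="option">-n</code> descriptions above state (algorithm names and their key-size ranges, the multiple-of-64 rule for DSA, the owner types, and the algorithms that imply <code class="option">-k</code>) in a small validator, and builds the <span class="application">dnssec-keygen</span> command line from validated inputs. <code>build_keygen_argv</code> is a hypothetical wrapper name; the key-size ranges for the NSEC3 variants are assumed to match the RSA and DSA ranges because the page does not state them, and the refusal to combine <code class="option">-f KSK</code> with an algorithm that implies <code class="option">-k</code> is an inference from the <code class="option">-f</code> and <code class="option">-k</code> descriptions (KSK is a DNSKEY flag; those algorithms produce KEY records).</p>

```python
"""Validate dnssec-keygen algorithm / key size / owner type choices against
the ranges documented in the -a, -b and -n descriptions, and build argv.

Added example, not BIND code. build_keygen_argv is a hypothetical helper.
"""

# (minimum bits, maximum bits, required multiple) per algorithm, from -b.
KEYSIZE_RULES = {
    "RSAMD5": (512, 2048, 1),
    "RSASHA1": (512, 2048, 1),
    "NSEC3RSASHA1": (512, 2048, 1),  # assumption: same range as RSASHA1
    "DSA": (512, 1024, 64),          # must be an exact multiple of 64
    "NSEC3DSA": (512, 1024, 64),     # assumption: same range as DSA
    "DH": (128, 4096, 1),
    "HMAC-MD5": (1, 512, 1),
}

# Per -a, Note 2: these algorithms make dnssec-keygen set -k itself,
# so they always yield KEY records rather than DNSKEY records.
AUTO_KEY_RECORD = {"HMAC-MD5", "DH"}

# Owner types accepted by -n (case insensitive; ZONE is the default).
NAMETYPES = {"ZONE", "HOST", "ENTITY", "USER", "OTHER"}


def normalize_algorithm(algorithm: str) -> str:
    """Upper-case the -a value (the option is case insensitive); reject unknowns."""
    alg = algorithm.upper()
    if alg not in KEYSIZE_RULES:
        raise ValueError(f"unsupported algorithm {algorithm!r}")
    return alg


def validate_keysize(algorithm: str, keysize: int) -> str:
    """Return the normalized algorithm name if keysize is allowed for it."""
    alg = normalize_algorithm(algorithm)
    lo, hi, step = KEYSIZE_RULES[alg]
    if not lo <= keysize <= hi:
        raise ValueError(f"{alg} keys must be between {lo} and {hi} bits, got {keysize}")
    if keysize % step:
        raise ValueError(f"{alg} key size must be an exact multiple of {step}, got {keysize}")
    return alg


def produces_key_record(algorithm: str) -> bool:
    """True when the tool will emit a KEY record instead of DNSKEY (-k implied)."""
    return normalize_algorithm(algorithm) in AUTO_KEY_RECORD


def build_keygen_argv(algorithm: str, keysize: int, name: str,
                      nametype: str = "ZONE", ksk: bool = False) -> list:
    """Build the dnssec-keygen argv after validating every input."""
    alg = validate_keysize(algorithm, keysize)
    owner = nametype.upper()
    if owner not in NAMETYPES:
        raise ValueError(f"unsupported nametype {nametype!r}")
    argv = ["dnssec-keygen", "-a", alg, "-b", str(keysize), "-n", owner]
    if ksk:
        # Inference from -f and -k: KSK is a DNSKEY flag, and HMAC-MD5 / DH
        # never produce DNSKEY records because they imply -k.
        if alg in AUTO_KEY_RECORD:
            raise ValueError(f"KSK flag is not meaningful for {alg} (KEY record only)")
        argv += ["-f", "KSK"]
    argv.append(name)
    return argv


if __name__ == "__main__":
    # The 768-bit DSA zone key from the example section of this page.
    print(" ".join(build_keygen_argv("DSA", 768, "example.com")))
```

<p>The validator rejects a size that is in range but not a multiple of 64 for DSA, which is the one constraint a hand-typed command most often gets wrong, and it surfaces the KEY-versus-DNSKEY distinction before the command runs rather than after the files appear.</p>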
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key) DNSKEY.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<p>
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
</p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
</ul>
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
</p>
<p>
 The <code class="filename">.key</code> file contains a DNS KEY record
 can be inserted into a zone file (directly or with a $INCLUDE
</p>
<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
</p>
<p>
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric encryption algorithms such as
 HMAC-MD5, even though the public and private keys are equivalent.
</p>
<p>
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
</p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong></p>
<p>
 The command would print a string of the form:
</p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong></p>
<p>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code> and
 <code class="filename">Kexample.com.+003+26160.private</code>.
</p>
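<p>The following is an added example, not part of BIND or of this manual page. It parses the <code class="filename">Knnnn.+aaa+iiiii</code> identification string described above (and the <code class="filename">.key</code> / <code class="filename">.private</code> file names derived from it, as in the <code class="filename">Kexample.com.+003+26160</code> example), and checks that a <code class="filename">.private</code> file carries no group or other permission bits, which is the property the text means by "does not have general read permission". The numeric-to-name algorithm table is an assumption taken from RFC 4034 Appendix A.1 (1, 2, 3, 5), RFC 5155 (6, 7) and RFC 2845 (157); only 003 = DSA is confirmed by the example on this page. <code>parse_key_identifier</code>, <code>private_key_mode_ok</code> and <code>audit_key_directory</code> are hypothetical helper names.</p>

```python
"""Parse dnssec-keygen's Knnnn.+aaa+iiiii identification string, derive the
.key/.private file names, and verify that a .private file is owner-only.

Added example, not BIND code. ALGORITHM_NAMES is an assumption from RFC 4034
Appendix A.1, RFC 5155 and RFC 2845; only 3 = DSA is shown on this page.
"""
import os
import re
import stat
from dataclasses import dataclass

ALGORITHM_NAMES = {
    1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1",
    6: "NSEC3DSA", 7: "NSEC3RSASHA1", 157: "HMAC-MD5",
}

# K<name>+<3-digit algorithm>+<5-digit key id>, optionally with .key/.private.
_KEY_ID_RE = re.compile(
    r"^K(?P<name>[^+]+)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})(?P<ext>\.key|\.private)?$"
)


@dataclass(frozen=True)
class KeyIdentifier:
    name: str       # owner name (nnnn); keeps the trailing dot the tool prints
    algorithm: int  # numeric algorithm (aaa)
    keyid: int      # key identifier / footprint (iiiii)

    @property
    def base(self) -> str:
        return f"K{self.name}+{self.algorithm:03d}+{self.keyid:05d}"

    @property
    def public_file(self) -> str:
        return self.base + ".key"

    @property
    def private_file(self) -> str:
        return self.base + ".private"

    @property
    def algorithm_name(self) -> str:
        return ALGORITHM_NAMES.get(self.algorithm, f"unknown({self.algorithm})")


def parse_key_identifier(text: str) -> KeyIdentifier:
    """Parse the printed string or a (possibly path-qualified) key file name."""
    m = _KEY_ID_RE.match(os.path.basename(text.strip()))
    if m is None:
        raise ValueError(f"not a dnssec-keygen key identifier: {text!r}")
    return KeyIdentifier(m["name"], int(m["alg"]), int(m["keyid"]))


def private_key_mode_ok(st_mode: int) -> bool:
    """True when no group or other permission bits are set (owner-only access)."""
    return (stat.S_IMODE(st_mode) & 0o077) == 0


def check_private_key_file(path: str) -> bool:
    """Stat a .private file and apply private_key_mode_ok to its mode."""
    return private_key_mode_ok(os.stat(path).st_mode)


def audit_key_directory(directory: str) -> dict:
    """Map every K*.private file in directory to whether its mode is acceptable."""
    report = {}
    for entry in sorted(os.listdir(directory)):
        if entry.startswith("K") and entry.endswith(".private"):
            parse_key_identifier(entry)  # raises on names that do not fit the format
            report[entry] = check_private_key_file(os.path.join(directory, entry))
    return report


if __name__ == "__main__":
    k = parse_key_identifier("Kexample.com.+003+26160")
    print(k.public_file, k.private_file, k.algorithm_name)
```

<p>Checking the mode bits rather than trying to open the file as another user keeps the audit read-only and usable from a cron job; a <code class="filename">.private</code> file that fails the check is the one a key-handling runbook should flag before the key is ever used for signing.</p>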
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>