man.dnssec-keygen.html revision b55ce50367d22a965bbeb460a9a1ffdb83fe4bc5
4848fe4ad2c0ba6e2e69e4a2617727f8556d79a0Andreas Gustafsson - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews - purpose with or without fee is hereby granted, provided that the above
4848fe4ad2c0ba6e2e69e4a2617727f8556d79a0Andreas Gustafsson - copyright notice and this permission notice appear in all copies.
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 - PERFORMANCE OF THIS SOFTWARE.
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉<!-- $Id: man.dnssec-keygen.html,v 1.145 2009/11/05 01:15:15 tbox Exp $ -->
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<table width="100%" summary="Navigation header">
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>�</td>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<th width="60%" align="center">Manual pages</th>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉<a name="id2608261"></a><h2>DESCRIPTION</h2>
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews<p><span><strong class="command">dnssec-keygen</strong></span>
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 and RFC 4034. It can also generate keys for use with
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 (Transaction Key) as defined in RFC 2930.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews The <code class="option">name</code> of the key is specified on the command
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews line. For DNSSEC keys, this must match the name of the zone for
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews which the key is being generated.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Selects the cryptographic algorithm. For DNSSEC keys, the value
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews case insensitive.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews If no algorithm is specified, then RSASHA1 will be used by
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews default, unless the <code class="option">-3</code> option is specified,
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews in which case NSEC3RSASHA1 will be used instead. (If
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews <code class="option">-3</code> is used and an algorithm is specified,
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews that algorithm will be checked for compatibility with NSEC3.)
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews automatically set the -T KEY option.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews Specifies the number of bits in the key. The choice of key
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews size depends on the algorithm used. RSA keys must be
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews between 512 and 2048 bits. Diffie Hellman keys must be between
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews 128 and 4096 bits. DSA keys must be between 512 and 1024
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews bits and an exact multiple of 64. HMAC keys must be
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews between 1 and 512 bits.
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews The key size does not need to be specified if using a default
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews algorithm. The default key size is 1024 bits for zone signing
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews keys (ZSK's) and 2048 bits for key signing keys (KSK's,
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews generated with <code class="option">-f KSK</code>). However, if an
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews algorithm is explicitly specified with the <code class="option">-a</code>,
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews then there is no default key size, and the <code class="option">-b</code>
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews must be used.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews Specifies the owner type of the key. The value of
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews <code class="option">nametype</code> must either be ZONE (for a DNSSEC
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews a host (KEY)),
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews These values are case insensitive. Defaults to ZONE for DNSKEY
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 Use an NSEC3-capable algorithm to generate a DNSSEC key.
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 If this option is used and no algorithm is explicitly
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews set on the command line, NSEC3RSASHA1 will be used by
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 default. Note that RSASHA256 and RSASHA512 algorithms
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 are NSEC3-capable.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Compatibility mode: generates an old-style key, without
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews will include the key's creation date in the metadata stored
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews with the private key, and other dates may be set there as well
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews (publication date, activation date, etc). Keys that include
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews this data may be incompatible with older versions of BIND; the
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews <code class="option">-C</code> option suppresses them.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Indicates that the DNS record containing the key should have
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews the specified class. If not specified, class IN is used.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
ab6e5af4cd644b174709f95c2702ec4c442aa755Mark Andrews Uses a crypto hardware (OpenSSL engine) for random number
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 and, when supported, key generation. When compiled with PKCS#11
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews support it defaults to pkcs11; the empty name resets it to
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 If generating an RSAMD5/RSASHA1 key, use a large exponent.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Set the specified flag in the flag field of the KEY/DNSKEY record.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews The only recognized flags are KSK (Key Signing Key) and REVOKE.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Generate a key, but do not publish it or sign with it. This
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews option is incompatible with -P and -A.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews If generating a Diffie Hellman key, use this generator.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Allowed values are 2 and 5. If no generator
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews is specified, a known prime from RFC 2539 will be used
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews if possible; otherwise the default is 2.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Prints a short summary of the options and arguments to
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews <span><strong class="command">dnssec-keygen</strong></span>.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 Sets the directory in which the key files are to be written.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Deprecated in favor of -T KEY.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Sets the protocol value for the generated key. The protocol
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews is a number between 0 and 255. The default is 3 (DNSSEC).
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Other possible values for this argument are listed in
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews RFC 2535 and its successors.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Quiet mode: Suppresses unnecessary output, including
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews progress indication. Without this option, when
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews <span><strong class="command">dnssec-keygen</strong></span> is run interactively
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews to generate an RSA or DSA key pair, it will print a string
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews of symbols to <code class="filename">stderr</code> indicating the
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews progress of the key generation. A '.' indicates that a
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews random number has been found which passed an initial
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews sieve test; '+' means a number has passed a single
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews round of the Miller-Rabin primality test; a space
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews means that the number has passed all the tests and is
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews a satisfactory key.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Specifies the source of randomness. If the operating
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews system does not provide a <code class="filename">/dev/random</code>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews or equivalent device, the default source of randomness
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews is keyboard input. <code class="filename">randomdev</code>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews the name of a character device or file containing random
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews data to be used instead of the default. The special value
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 <code class="filename">keyboard</code> indicates that keyboard
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 input should be used.
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Specifies the strength value of the key. The strength is
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 a number between 0 and 15, and currently has no defined
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews purpose in DNSSEC.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Specifies the resource record type to use for the key.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews <code class="option">rrtype</code> must be either DNSKEY or KEY. The
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews default is DNSKEY when using a DNSSEC algorithm, but it can be
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews overridden to KEY for use with SIG(0).
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Using any TSIG algorithm (HMAC-* or DH) forces this option
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Indicates the use of the key. <code class="option">type</code> must be
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews is AUTHCONF. AUTH refers to the ability to authenticate
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews data, and CONF the ability to encrypt data.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Sets the debugging level.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews If the argument begins with a '+' or '-', it is interpreted as
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews an offset from the present time. For convenience, if such an offset
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews then the offset is computed in years (defined as 365 24-hour days,
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews ignoring leap years), months (defined as 30 24-hour days), weeks,
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews days, hours, or minutes, respectively. Without a suffix, the offset
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews is computed in seconds.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Sets the date on which a key is to be published to the zone.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews After that date, the key will be included in the zone but will
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews not be used to sign it. If not set, and if the -G option has
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews not been used, the default is "now".
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Sets the date on which the key is to be activated. After that
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews date, the key will be included in the zone and used to sign
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews it. If not set, and if the -G option has not been used, the
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews default is "now".
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Sets the date on which the key is to be revoked. After that
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews date, the key will be flagged as revoked. It will be included
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews in the zone and will be used to sign it.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Sets the date on which the key is to be retired. After that
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews date, the key will still be included in the zone, but it
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews will not be used to sign it.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Sets the date on which the key is to be deleted. After that
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews date, the key will no longer be included in the zone. (It
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews may remain in the key repository, however.)
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews When <span><strong class="command">dnssec-keygen</strong></span> completes
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews successfully,
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews to the standard output. This is an identification string for
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews the key it has generated.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<li><p><code class="filename">nnnn</code> is the key name.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<li><p><code class="filename">aaa</code> is the numeric representation
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<li><p><code class="filename">iiiii</code> is the key identifier (or
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<p><span><strong class="command">dnssec-keygen</strong></span>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews creates two files, with names based
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 contains the public key, and
f620c5e527746a2ec3d90a11d21abd8a114746dfTatuya JINMEI 神明達哉 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews The <code class="filename">.key</code> file contains a DNS KEY record
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews can be inserted into a zone file (directly or with a $INCLUDE
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews The <code class="filename">.private</code> file contains
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews algorithm-specific
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews fields. For obvious security reasons, this file does not have
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews general read permission.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews Both <code class="filename">.key</code> and <code class="filename">.private</code>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews files are generated for symmetric encryption algorithms such as
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews HMAC-MD5, even though the public and private key are equivalent.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews To generate a 768-bit DSA key for the domain
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews <strong class="userinput"><code>example.com</code></strong>, the following command would be
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews The command would print a string of the form:
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews the files <code class="filename">Kexample.com.+003+26160.key</code>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews <code class="filename">Kexample.com.+003+26160.private</code>.
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<p><span class="corpauthor">Internet Systems Consortium</span>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<table width="100%" summary="Navigation footer">
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>�</td>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<span class="application">dnssec-keyfromlabel</span>�</td>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
30d6e6e907dfd7a254796c70f49ed11979c0cc3bMark Andrews<td width="40%" align="right" valign="top">�<span class="application">dnssec-revoke</span>