man.dnssec-keygen.html revision d9f0b06dc2bba47e3fe63afdf41c638d3517ceff
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&#160;</td>
<td width="20%" align="right">&#160;<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
 (Transaction Key) as defined in RFC 2930.
 The <code class="option">name</code> of the key is specified on the command
 line. For DNSSEC keys, this must match the name of the zone for
 which the key is being generated.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. For DNSSEC keys, the value
 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256 or ECDSAP384SHA384. For TSIG/TKEY, the value must
 be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
 HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
 case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 automatically set the -T KEY option.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits. Elliptic curve algorithms don't need
 this parameter.
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with the <code class="option">-a</code> option,
 then there is no default key size, and <code class="option">-b</code>
 must be used.
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
<dt><span class="term">-3</span></dt>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default. Note that RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
 are NSEC3-capable.
<dt><span class="term">-C</span></dt>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 Specifies the cryptographic hardware to use, when applicable.
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
<dt><span class="term">-G</span></dt>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
 Deprecated in favor of -T KEY.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-q</span></dt>
 Quiet mode: suppresses unnecessary output, including
 progress indication. Without this option, when
 <span><strong class="command">dnssec-keygen</strong></span> is run interactively
 to generate an RSA or DSA key pair, it will print a string
 of symbols to <code class="filename">stderr</code> indicating the
 progress of the key generation. A '.' indicates that a
 random number has been found which passed an initial
 sieve test; '+' means a number has passed a single
 round of the Miller-Rabin primality test; a space
 means that the number has passed all the tests and is
 a satisfactory key.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code> specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
 Create a new key which is an explicit successor to an
 existing key. The name, algorithm, size, and type of the
 key will be set to match the existing key. The activation
 date of the new key will be set to the inactivation date of
 the existing one. The publication date will be set to the
 activation date minus the prepublication interval, which
 defaults to 30 days.
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
 Specifies the resource record type to use for the key.
 <code class="option">rrtype</code> must be either DNSKEY or KEY. The
 default is DNSKEY when using a DNSSEC algorithm, but it can be
 overridden to KEY for use with SIG(0).
 Using any TSIG algorithm (HMAC-* or DH) forces this option
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
<dt><span class="term">-V</span></dt>
 Prints version information.
<a name="id2673049"></a><h2>TIMING OPTIONS</h2>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To explicitly prevent a date from being
 set, use 'none' or 'never'.
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now". If set, and if -P is not set, then
 the publication date will be set to the activation date
 minus the prepublication interval.
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 Sets the prepublication interval for a key. If set, then
 the publication and activation dates must be separated by at least
 this much time. If the activation date is specified but the
 publication date isn't, then the publication date will default
 to this much time before the activation date; conversely, if
 the publication date is specified but activation date isn't,
 then activation will be set to this much time after publication.
 If the key is being created as an explicit successor to another
 key, then the default prepublication interval is 30 days;
 otherwise it is zero.
 As with date offsets, if the argument is followed by one of
 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
 interval is measured in years, months, weeks, days, hours,
 or minutes, respectively. Without a suffix, the interval is
 measured in seconds.
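<p>The date/offset syntax and the -P/-A/-i/-G/-S defaulting rules described above, worked through as an added Python example that is not part of the BIND manual or its code. The function names, the <code class="literal">UNSET</code> sentinel and the fixed "current time" <code class="literal">NOW</code> are assumptions of the example, and all sample values are constructed.</p>

```python
import re
from datetime import datetime, timedelta

# Suffix multipliers exactly as the manual defines them: a year is 365
# 24-hour days and a month is 30 24-hour days (leap years are ignored).
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, "": 1}

_OFFSET_RE = re.compile(r"([+-])(\d+)(y|mo|w|d|h|mi)?")
_INTERVAL_RE = re.compile(r"(\d+)(y|mo|w|d|h|mi)?")
UNSET = object()  # option not given; distinct from None, which means "never"
NOW = datetime(2014, 6, 1, 12, 0, 0)  # constructed "current time" (assumption)


def parse_timing(arg, now):
    """Parse one date/offset argument (-P, -A, -R, -I, -D) relative to `now`.
    Returns a datetime, or None for 'none'/'never'."""
    s = arg.strip().lower()
    if s in ("none", "never"):
        return None
    m = _OFFSET_RE.fullmatch(s)
    if m:                       # '+' or '-' offset with an optional suffix
        sign, amount, unit = m.groups()
        delta = timedelta(seconds=int(amount) * UNIT_SECONDS[unit or ""])
        return now + delta if sign == "+" else now - delta
    if re.fullmatch(r"\d{8}", s):
        return datetime.strptime(s, "%Y%m%d")
    if re.fullmatch(r"\d{14}", s):
        return datetime.strptime(s, "%Y%m%d%H%M%S")
    raise ValueError(f"unrecognised date/offset: {arg!r}")


def parse_interval(arg):
    """Parse a -i prepublication interval (same suffixes, no sign)."""
    m = _INTERVAL_RE.fullmatch(arg.strip().lower())
    if not m:
        raise ValueError(f"unrecognised interval: {arg!r}")
    amount, unit = m.groups()
    return timedelta(seconds=int(amount) * UNIT_SECONDS[unit or ""])


def resolve_key_times(now, publish=UNSET, activate=UNSET, revoke=UNSET,
                      inactive=UNSET, delete=UNSET, interval=UNSET,
                      no_publish=False, successor_inactive=None):
    """Apply the manual's defaulting rules for -P/-A/-i/-G/-S. String
    arguments are raw option values; `successor_inactive` is the
    predecessor key's inactivation datetime when -S is used. Returns a
    dict of datetimes in which None means 'never'."""
    if no_publish and (publish is not UNSET or activate is not UNSET):
        raise ValueError("-G is incompatible with -P and -A")
    # -i default: 30 days for an explicit successor, otherwise zero.
    is_successor = successor_inactive is not None
    default_prepub = timedelta(days=30) if is_successor else timedelta(0)
    prepub = (parse_interval(interval) if interval is not UNSET
              else default_prepub)

    pub = parse_timing(publish, now) if publish is not UNSET else UNSET
    act = parse_timing(activate, now) if activate is not UNSET else UNSET
    if is_successor:
        # -S: activate when the predecessor goes inactive, and publish one
        # prepublication interval before that.
        act = successor_inactive
        pub = act - prepub
    elif no_publish:
        pub = act = None        # -G: generated, but never published or used
    elif act is not UNSET and pub is UNSET:
        pub = act - prepub if act is not None else now
    elif pub is not UNSET and act is UNSET:
        act = pub + prepub if pub is not None else now
    elif pub is UNSET and act is UNSET:
        pub = act = now         # neither given: both default to "now"
    elif (interval is not UNSET and pub is not None and act is not None
          and act - pub < prepub):
        raise ValueError(f"-P and -A must be at least {prepub} apart")

    def optional(value):
        return parse_timing(value, now) if value is not UNSET else None

    return {"publish": pub, "activate": act, "revoke": optional(revoke),
            "inactive": optional(inactive), "delete": optional(delete)}


if __name__ == "__main__":
    # Typical ZSK rollover: activate in 30 days, prepublish 10 days earlier.
    for name, when in resolve_key_times(NOW, activate="+30d",
                                        interval="10d").items():
        print(f"{name:9s} {when}")
```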
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key it has generated.
<li><p><code class="filename">nnnn</code> is the key name.
<li><p><code class="filename">aaa</code> is the numeric representation
<li><p><code class="filename">iiiii</code> is the key identifier (or
<p><span><strong class="command">dnssec-keygen</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 The <code class="filename">.key</code> file contains a DNS KEY record
 can be inserted into a zone file (directly or with a $INCLUDE
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric encryption algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
 To generate a 768-bit DSA key for the domain
 <strong class="userinput"><code>example.com</code></strong>, the following command would be
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
 The command would print a string of the form:
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
 the files <code class="filename">Kexample.com.+003+26160.key</code>
 <code class="filename">Kexample.com.+003+26160.private</code>.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>
<table width="100%" summary="Navigation footer">
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&#160;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&#160;<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
<span class="application">dnssec-keyfromlabel</span>&#160;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&#160;<span class="application">dnssec-revoke</span>