man.dnssec-keygen.html revision e21a2904f02a03fa06b6db04d348f65fe9c67b2b
 - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: man.dnssec-keygen.html,v 1.36 2006/12/12 01:45:21 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.host.html" title="host">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<a accesskey="p" href="man.host.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC &lt;TBA\&gt;. It can also generate keys for use with
 TSIG (Transaction Signatures), as defined in RFC 2845.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
 are case insensitive.
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement algorithm
 and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
 Note 2: HMAC-MD5 and DH automatically set the -k flag.
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits.
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be either ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-e</span></dt>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key) DNSKEY.
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-k</span></dt>
 Generate KEY records rather than DNSKEY records.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
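<p>Added example, not part of the BIND distribution or of this manual: a POSIX shell pre-flight check that applies the -a, -b and -n limits listed above before <span><strong class="command">dnssec-keygen</strong></span> is run. The function name <code>check_keygen_args</code> and its output format are assumptions made for the illustration.</p>

```shell
# Added example, not BIND code: check -a / -b / -n values against the
# limits stated on this manual page before running dnssec-keygen.
# check_keygen_args is a hypothetical helper name.
check_keygen_args() {
    # Option values are case insensitive, so normalise to upper case.
    alg=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    bits=$2
    ntype=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')

    # Plain decimal only: no sign, no leading zero, at most 4 digits
    # (the largest limit on the page is 4096).
    case "$bits" in
        ''|0*|*[!0-9]*|?????*)
            echo "bad keysize: '$bits'" >&2; return 1 ;;
    esac

    # Per-algorithm limits from the -b description; "RSA" is the
    # parenthesised name the page gives next to RSAMD5.
    case "$alg" in
        RSA|RSAMD5|RSASHA1) min=512; max=2048; step=1 ;;
        DH)                 min=128; max=4096; step=1 ;;
        DSA)                min=512; max=1024; step=64 ;;
        HMAC-MD5)           min=1;   max=512;  step=1 ;;
        *) echo "unknown algorithm: '$1'" >&2; return 1 ;;
    esac
    if [ "$bits" -lt "$min" ] || [ "$bits" -gt "$max" ]; then
        echo "$alg keysize must be between $min and $max bits" >&2; return 1
    fi
    if [ $((bits % step)) -ne 0 ]; then
        echo "$alg keysize must be an exact multiple of $step" >&2; return 1
    fi

    # Owner types from the -n description.
    case "$ntype" in
        ZONE|HOST|ENTITY|USER|OTHER) ;;
        *) echo "unknown nametype: '$3'" >&2; return 1 ;;
    esac

    # Note 2 under -a: HMAC-MD5 and DH set -k automatically.
    case "$alg" in
        HMAC-MD5|DH) echo "note: $alg implies -k (KEY records)" >&2 ;;
    esac
    echo "-a $alg -b $bits -n $ntype"
}
```

<p>On success the function prints the normalised options on standard output; every rejection reason goes to standard error with exit status 1.</p>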
 When <span><strong class="command">dnssec-keygen</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for