man.dnssec-keygen.html revision f7b41fd9291b8f4dba27e2b57e1d93f0913a4f1d
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<!--
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - Copyright (C) 2000-2003 Internet Software Consortium.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster -
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - Permission to use, copy, modify, and distribute this software for any
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - purpose with or without fee is hereby granted, provided that the above
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - copyright notice and this permission notice appear in all copies.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster -
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - PERFORMANCE OF THIS SOFTWARE.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster-->
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<!-- $Id: man.dnssec-keygen.html,v 1.48 2007/05/21 04:09:03 marka Exp $ -->
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<html>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<head>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<title>dnssec-keygen</title>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<link rel="prev" href="man.host.html" title="host">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</head>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refentry" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refnamediv">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<h2>Name</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsynopsisdiv">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<h2>Synopsis</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2598488"></a><h2>DESCRIPTION</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><span><strong class="command">dnssec-keygen</strong></span>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster and RFC 4034. It can also generate keys for use with
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster TSIG (Transaction Signatures), as defined in RFC 2845.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2598502"></a><h2>OPTIONS</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="variablelist"><dl>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Selects the cryptographic algorithm. The value of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DSA, DH (Diffie Hellman), or HMAC-MD5. These values
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster are case insensitive.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
 Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement algorithm,
 and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
 "Mandatory" here is an interoperability requirement of the
 protocol, not a statement about the strength of the algorithm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Note 2: HMAC-MD5 and DH automatically set the -k flag.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC-MD5 keys must be
 between 1 and 512 bits. These ranges are what the tool accepts,
 not recommended sizes; keys near the lower bounds provide
 little or no protection.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Indicates that the DNS record containing the key should have
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster the specified class. If not specified, class IN is used.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-e</span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster If generating an RSAMD5/RSASHA1 key, use a large exponent.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set the specified flag in the flag field of the KEY/DNSKEY record.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster The only recognized flag is KSK (Key Signing Key) DNSKEY.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster If generating a Diffie Hellman key, use this generator.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Allowed values are 2 and 5. If no generator
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster is specified, a known prime from RFC 2539 will be used
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster if possible; otherwise the default is 2.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-h</span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Prints a short summary of the options and arguments to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <span><strong class="command">dnssec-keygen</strong></span>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-k</span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Generate KEY records rather than DNSKEY records.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets the protocol value for the generated key. The protocol
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster is a number between 0 and 255. The default is 3 (DNSSEC).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Other possible values for this argument are listed in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster RFC 2535 and its successors.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used. The generated keys are only as
 unpredictable as this source.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Specifies the strength value of the key. The strength is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster a number between 0 and 15, and currently has no defined
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster purpose in DNSSEC.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Indicates the use of the key. <code class="option">type</code> must be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster is AUTHCONF. AUTH refers to the ability to authenticate
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster data, and CONF the ability to encrypt data.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets the debugging level.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</dl></div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2598982"></a><h2>GENERATED KEYS</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster When <span><strong class="command">dnssec-keygen</strong></span> completes
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster successfully,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster to the standard output. This is an identification string for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster the key it has generated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="itemizedlist"><ul type="disc">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<li><p><code class="filename">nnnn</code> is the key name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></li>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<li><p><code class="filename">aaa</code> is the numeric representation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster of the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster algorithm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></li>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<li><p><code class="filename">iiiii</code> is the key identifier (or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster footprint).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></li>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</ul></div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><span><strong class="command">dnssec-keygen</strong></span>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster creates two files, with names based
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster contains the public key, and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster key.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster The <code class="filename">.key</code> file contains a DNS KEY record
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster can be inserted into a zone file (directly or with a $INCLUDE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster statement).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific fields. Because this file holds the private
 key, it does not have general read permission.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
 Both <code class="filename">.key</code> and <code class="filename">.private</code>
 files are generated for symmetric algorithms such as
 HMAC-MD5, even though the public and private key are equivalent.
 For these algorithms the <code class="filename">.key</code> file therefore
 holds the shared secret as well and needs the same protection as the
 <code class="filename">.private</code> file.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2599090"></a><h2>EXAMPLE</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster To generate a 768-bit DSA key for the domain
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <strong class="userinput"><code>example.com</code></strong>, the following command would be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster issued:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster The command would print a string of the form:
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster the files <code class="filename">Kexample.com.+003+26160.key</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <code class="filename">Kexample.com.+003+26160.private</code>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2600853"></a><h2>SEE ALSO</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <em class="citetitle">RFC 2535</em>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <em class="citetitle">RFC 2845</em>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <em class="citetitle">RFC 2539</em>.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2600884"></a><h2>AUTHOR</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><span class="corpauthor">Internet Systems Consortium</span>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</body>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</html>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster