fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<!--
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - Copyright (C) 2000-2003 Internet Software Consortium.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence -
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - Permission to use, copy, modify, and/or distribute this software for any
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - purpose with or without fee is hereby granted, provided that the above
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - copyright notice and this permission notice appear in all copies.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence -
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence - PERFORMANCE OF THIS SOFTWARE.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence-->
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<!-- $Id: man.dnssec-keygen.html,v 1.154 2010/01/08 01:14:07 tbox Exp $ -->
00a1623a59b1540c28781e8ccd8341c8114dbc75David Lawrence<html>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<head>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<title>dnssec-keygen</title>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</head>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="navheader">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<table width="100%" summary="Navigation header">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>&nbsp;</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</td>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</tr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</table>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<hr>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refentry" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refnamediv">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<h2>Name</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsynopsisdiv">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2608330"></a><h2>DESCRIPTION</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span><strong class="command">dnssec-keygen</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence and RFC 4034. It can also generate keys for use with
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (Transaction Key) as defined in RFC 2930.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The <code class="option">name</code> of the key is specified on the command
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence line. For DNSSEC keys, this must match the name of the zone for
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence which the key is being generated.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2608350"></a><h2>OPTIONS</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="variablelist"><dl>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Selects the cryptographic algorithm. For DNSSEC keys, the value
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence For TSIG/TKEY, the value must
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence case insensitive.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If no algorithm is specified, then RSASHA1 will be used by
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence default, unless the <code class="option">-3</code> option is specified,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence in which case NSEC3RSASHA1 will be used instead. (If
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="option">-3</code> is used and an algorithm is specified,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence that algorithm will be checked for compatibility with NSEC3.)
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
 mandatory. Mandatory-to-implement does not mean recommended
 for use: RSAMD5 and HMAC-MD5 depend on MD5, which is no longer
 considered collision resistant, so prefer a SHA-2 based
 algorithm (RSASHA256, RSASHA512, or HMAC-SHA256) for new keys
 wherever the validators or TSIG peers that must use the key
 support it.
 </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence automatically set the -T KEY option.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
<p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits. The lower bounds exist for
 compatibility only: 512-bit RSA and DSA keys are within reach
 of practical factoring and discrete-logarithm attacks and
 should not be used for production signing. For HMAC, choose a
 key at least as long as the hash output (for example 256 bits
 for HMAC-SHA256); a shorter key reduces the strength of the
 MAC to the length of the key.
 </p>
<p>
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with the <code class="option">-a</code>
 option, then there is no default key size, and the
 <code class="option">-b</code> option must be used.
 </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)), or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
 generation.
 </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-3</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Use an NSEC3-capable algorithm to generate a DNSSEC key.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If this option is used and no algorithm is explicitly
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence set on the command line, NSEC3RSASHA1 will be used by
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence default. Note that RSASHA256 and RSASHA512 algorithms
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence are NSEC3-capable.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-C</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Compatibility mode: generates an old-style key, without
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence will include the key's creation date in the metadata stored
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence with the private key, and other dates may be set there as well
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence (publication date, activation date, etc). Keys that include
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence this data may be incompatible with older versions of BIND; the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="option">-C</code> option suppresses them.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Indicates that the DNS record containing the key should have
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the specified class. If not specified, class IN is used.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Uses crypto hardware (an OpenSSL engine) for random number
 generation and, when supported, key generation. When compiled
 with PKCS#11 support it defaults to pkcs11; the empty name
 resets it to no engine.
 </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-e</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If generating an RSAMD5/RSASHA1 key, use a large exponent.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Set the specified flag in the flag field of the KEY/DNSKEY record.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The only recognized flags are KSK (Key Signing Key) and REVOKE.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-G</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Generate a key, but do not publish it or sign with it. This
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence option is incompatible with -P and -A.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If generating a Diffie Hellman key, use this generator.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Allowed values are 2 and 5. If no generator
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is specified, a known prime from RFC 2539 will be used
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence if possible; otherwise the default is 2.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-h</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Prints a short summary of the options and arguments to
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">dnssec-keygen</strong></span>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the directory in which the key files are to be written.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-k</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Deprecated in favor of -T KEY.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the protocol value for the generated key. The protocol
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is a number between 0 and 255. The default is 3 (DNSSEC).
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Other possible values for this argument are listed in
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence RFC 2535 and its successors.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-q</span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Quiet mode: Suppresses unnecessary output, including
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence progress indication. Without this option, when
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <span><strong class="command">dnssec-keygen</strong></span> is run interactively
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence to generate an RSA or DSA key pair, it will print a string
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence of symbols to <code class="filename">stderr</code> indicating the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence progress of the key generation. A '.' indicates that a
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence random number has been found which passed an initial
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence sieve test; '+' means a number has passed a single
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence round of the Miller-Rabin primality test; a space
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence means that the number has passed all the tests and is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence a satisfactory key.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used. The private key is derived entirely
 from this source, so a file whose contents are predictable,
 reused between runs, or readable by other users yields a
 correspondingly weak key; only supply a file that was filled
 from a genuine entropy source.
 </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Specifies the strength value of the key. The strength is
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence a number between 0 and 15, and currently has no defined
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence purpose in DNSSEC.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd>
<p>
 Specifies the resource record type to use for the key.
 <code class="option">rrtype</code> must be either DNSKEY or KEY. The
 default is DNSKEY when using a DNSSEC algorithm, but it can be
 overridden to KEY for use with SIG(0).
 </p>
<p>
 Using any TSIG algorithm (HMAC-* or DH) forces this option
 to KEY.
 </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Indicates the use of the key. <code class="option">type</code> must be
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is AUTHCONF. AUTH refers to the ability to authenticate
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence data, and CONF the ability to encrypt data.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the debugging level.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dl></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2661687"></a><h2>TIMING OPTIONS</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence If the argument begins with a '+' or '-', it is interpreted as
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence an offset from the present time. For convenience, if such an offset
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence then the offset is computed in years (defined as 365 24-hour days,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence ignoring leap years), months (defined as 30 24-hour days), weeks,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence days, hours, or minutes, respectively. Without a suffix, the offset
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence is computed in seconds.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="variablelist"><dl>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the date on which a key is to be published to the zone.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence After that date, the key will be included in the zone but will
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence not be used to sign it. If not set, and if the -G option has
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence not been used, the default is "now".
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the date on which the key is to be activated. After that
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence date, the key will be included in the zone and used to sign
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence it. If not set, and if the -G option has not been used, the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence default is "now".
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the date on which the key is to be revoked. After that
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence date, the key will be flagged as revoked. It will be included
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence in the zone and will be used to sign it.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the date on which the key is to be retired. After that
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence date, the key will still be included in the zone, but it
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence will not be used to sign it.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<dd><p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Sets the date on which the key is to be deleted. After that
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence date, the key will no longer be included in the zone. (It
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence may remain in the key repository, however.)
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></dd>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</dl></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2661990"></a><h2>GENERATED KEYS</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence When <span><strong class="command">dnssec-keygen</strong></span> completes
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence successfully,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence to the standard output. This is an identification string for
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the key it has generated.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="itemizedlist"><ul type="disc">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<li><p><code class="filename">nnnn</code> is the key name.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></li>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<li><p><code class="filename">aaa</code> is the numeric representation
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence of the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence algorithm.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></li>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<li><p><code class="filename">iiiii</code> is the key identifier (or
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence footprint).
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p></li>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</ul></div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span><strong class="command">dnssec-keygen</strong></span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence creates two files, with names based
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence contains the public key, and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence private
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence key.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The <code class="filename">.key</code> file contains a DNS KEY record
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence that
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence can be inserted into a zone file (directly or with a $INCLUDE
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence statement).
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The <code class="filename">.private</code> file contains
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence algorithm-specific
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence fields. Because it holds the private key, which is all that is needed
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence to produce signatures for the zone, this file is created without
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence general read permission.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence Both <code class="filename">.key</code> and <code class="filename">.private</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence files are generated for symmetric algorithms such as HMAC-MD5, even
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence though in that case the public and private key are equivalent and the
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">.key</code> file therefore holds the same secret.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2662098"></a><h2>EXAMPLE</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence To generate a 768-bit DSA key for the domain
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <strong class="userinput"><code>example.com</code></strong>, the following command would be
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence issued:
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence The command would print a string of the form:
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence In this example, <span><strong class="command">dnssec-keygen</strong></span> creates
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence the files <code class="filename">Kexample.com.+003+26160.key</code>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence and
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <code class="filename">Kexample.com.+003+26160.private</code>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2662154"></a><h2>SEE ALSO</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <em class="citetitle">RFC 2539</em>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <em class="citetitle">RFC 2845</em>,
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence <em class="citetitle">RFC 4034</em>.
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<div class="refsect1" lang="en">
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<a name="id2662185"></a><h2>AUTHOR</h2>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence<p><span class="corpauthor">Internet Systems Consortium</span>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence </p>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</div>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</body>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence</html>
fc80027fb54b501cdd88461bf879d078259e0226David Lawrence