| blob | ef20fcd3109bdb6f690852cda027201b8b4f047f |
1 <!--
2 - Copyright (C) 2004, 2005, 2007, 2008 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
4 -
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
8 -
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
16 -->
17 <!-- $Id: dnssec-keygen.html,v 1.30.130.3 2009/07/11 01:43:27 tbox Exp $ -->
18 <html>
19 <head>
23 </head>
24 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
29 </div>
32 <div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-b <em class="replaceable"><code>keysize</code></em>} {-n <em class="replaceable"><code>nametype</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
33 </div>
37 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
38 and RFC 4034. It can also generate keys for use with
39 TSIG (Transaction Signatures), as defined in RFC 2845.
40 </p>
41 </div>
46 <dd>
47 <p>
48 Selects the cryptographic algorithm. The value of
50 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
51 are case insensitive.
52 </p>
53 <p>
54 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
55 algorithm,
56 and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
57 </p>
58 <p>
59 Note 2: HMAC-MD5 and DH automatically set the -k flag.
60 </p>
61 </dd>
63 <dd><p>
64 Specifies the number of bits in the key. The choice of key
65 size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
66 between
69 bits and an exact multiple of 64. HMAC-MD5 keys must be
71 </p></dd>
73 <dd><p>
74 Specifies the owner type of the key. The value of
76 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
77 a host (KEY)),
78 USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
79 These values are case insensitive. Defaults to ZONE for DNSKEY
80 generation.
81 </p></dd>
83 <dd><p>
84 Indicates that the DNS record containing the key should have
85 the specified class. If not specified, class IN is used.
86 </p></dd>
88 <dd><p>
89 If generating an RSAMD5/RSASHA1 key, use a large exponent.
90 </p></dd>
92 <dd><p>
93 Set the specified flag in the flag field of the KEY/DNSKEY record.
94 The only recognized flag is KSK (Key Signing Key) DNSKEY.
95 </p></dd>
97 <dd><p>
98 If generating a Diffie Hellman key, use this generator.
100 is specified, a known prime from RFC 2539 will be used
101 if possible; otherwise the default is 2.
102 </p></dd>
104 <dd><p>
105 Prints a short summary of the options and arguments to
107 </p></dd>
109 <dd><p>
110 Generate KEY records rather than DNSKEY records.
111 </p></dd>
113 <dd><p>
114 Sets the protocol value for the generated key. The protocol
116 Other possible values for this argument are listed in
117 RFC 2535 and its successors.
118 </p></dd>
120 <dd><p>
121 Specifies the source of randomness. If the operating
123 or equivalent device, the default source of randomness
125 specifies
126 the name of a character device or file containing random
127 data to be used instead of the default. The special value
129 input should be used.
130 </p></dd>
132 <dd><p>
133 Specifies the strength value of the key. The strength is
135 purpose in DNSSEC.
136 </p></dd>
138 <dd><p>
140 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
141 is AUTHCONF. AUTH refers to the ability to authenticate
142 data, and CONF the ability to encrypt data.
143 </p></dd>
145 <dd><p>
146 Sets the debugging level.
147 </p></dd>
148 </dl></div>
149 </div>
152 <p>
154 successfully,
156 to the standard output. This is an identification string for
157 the key it has generated.
158 </p>
161 </p></li>
163 of the
164 algorithm.
165 </p></li>
167 footprint).
168 </p></li>
169 </ul></div>
171 creates two files, with names based
173 contains the public key, and
175 private
176 key.
177 </p>
178 <p>
180 that
181 can be inserted into a zone file (directly or with a $INCLUDE
182 statement).
183 </p>
184 <p>
186 algorithm-specific
187 fields. For obvious security reasons, this file does not have
188 general read permission.
189 </p>
190 <p>
192 files are generated for symmetric encryption algorithms such as
193 HMAC-MD5, even though the public and private key are equivalent.
194 </p>
195 </div>
198 <p>
199 To generate a 768-bit DSA key for the domain
201 issued:
202 </p>
203 <p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
204 </p>
205 <p>
206 The command would print a string of the form:
207 </p>
209 </p>
210 <p>
213 and
215 </p>
216 </div>
224 </p>
225 </div>
229 </p>
230 </div>
231 </div></body>
232 </html>