dnssec-keygen(1)					      General Commands Manual						  dnssec-keygen(1)

NAME

       dnssec-keygen - key generation tool for DNSSEC

SYNOPSIS

       algorithm] keysize] class] flag] generator] nametype] protocol-value] randomdev] strength-value] type] level] name

DESCRIPTION

       generates  keys for Secure DNS (DNSSEC) as defined in RFC 2535.	It also generates keys for use in Transaction Signatures (TSIG), which are
       defined in RFC 2845.

   Options
       recognizes the following options:

       Specify the encryption algorithm.
		 The algorithm can be (RSA), or algorithm is case-insensitive.

		 DNSSEC specifies as a mandatory algorithm and as a recommended one.  Implementations of TSIG must support

       Determine the number of bits in the key.
		 The choice of key size depends on the algorithm that is used.

		 For the or algorithm, keysize must be between 512 and 2048 bits.

		 For the (Diffie-Hellman) algorithm, keysize must be between 128 and 4096 bits.

		 For the (Digital Signature) algorithm, keysize must be between 512 and 1024 bits and a multiple of 64.

		 For the algorithm, keysize must be between 1 and 512 bits.

       Set the class for the DNS record containing the key.
		 The default class is (Internet).  Other values for class are (Chaosnet) and (Hesiod).

       Generate  and keys with a large exponent value.

       Set the specified
		 flag in the flag field of the KEY or DNSKEY record.  The only recognized flag is (Key Signing Key) for DNSKEY.

       Select the generator to be used when creating Diffie-Hellman keys.
		 The only supported values for generator are and If no Diffie-Hellman generator is supplied, a known prime from RFC 2539 is  used,
		 if possible; otherwise, is used as the generator.

       Print a summary of the
		 options and operands.

       Generate KEY records rather than DNSKEY records.

       Specify how the generated key will be used.

		 nametype can be either or to indicate that the key will be used for signing a zone, host, entity, or user, respectively.  In this
		 context, and are equivalent.  nametype is case-insensitive.

       Set the protocol value for the generated key to
		 protocol-value.  The default is (DNSSEC).  Other possible values for this argument are listed in RFC 2535 and its successors.

       Override the behavior of
		 to use random numbers to seed the process of generating keys when the system does not have a device to generate  random  numbers.
		 The  program  prompts for keyboard input and uses the time intervals between keystrokes to provide randomness.  With this option,
		 it uses randomdev as a source of random data.

       Set the key's strength value.
		 The generated key will sign DNS resource records with a strength value of strength-value.  It should be a number in the range The
		 default strength is The key strength field currently has no defined purpose in DNSSEC.

       Indicate if the key is used for authentication or confidentiality.
		 type can be one of

		 The key can be used for authentication and confidentiality.

		 The key cannot be used for authentication or confidentiality.

		 The key can be used for confidentiality but not for authentication.

		 The key cannot be used for confidentiality, although it can be used for authentication.

		 The default is

       Set the verbosity level.
		 As  the  debugging/tracing level increases, generates increasingly detailed reports about what it is doing.  The default level is
		 0.

   Operands
	      name	The domain name for which the key is to be generated.

   Generated Keys
       When completes, it prints an identification string on standard output for the key it has generated, in the form

       The fields are:

	      nnnn	The dot-terminated domain name given by name.

	      aaa	The DNSSEC algorithm identifier.

	      iiiii	A five-digit number identifying the key.

       creates two files.  The file names are adapted from the key identification string above, in the form:

       These contain the public and private parts of the key respectively.  The files generated by follow this naming convention to make  it  easy
       for the signing tool to identify which files have to be read to find the necessary keys for generating or validating signatures.

       The  file  contains  a resource record that can be inserted into a zone file with a statement.  The private part of the key is in the file.
       It contains details of the encryption algorithm that was used and any relevant parameters.  For obvious security reasons, the file does not
       have  general  read  permission.   Both and key files are generated by a symmetric encryption algorithm, such as even though the public and
       private key are equivalent.

EXAMPLES

       To generate a 768-bit DSA key for the domain issue the command:

       prints the key identification string

       indicating a DSA key with identifier 26160.  It creates the files

       which contain the public and private keys, respectively, for the generated DSA key.

AUTHOR

       was developed by the Internet Systems Consortium (ISC).

FILES

SEE ALSO

       dnssec-signzone(1).

       Requests for Comments (RFC): 2535, 2539, and 2845, available online at

       available online at

       available from the Internet Systems Consortium at

								     BIND 9.3							  dnssec-keygen(1)