
dnssec-keygen(1) [hpux man page]

dnssec-keygen(1)                 General Commands Manual                 dnssec-keygen(1)

NAME
NAME
       dnssec-keygen - key generation tool for DNSSEC

SYNOPSIS
       algorithm] keysize] class] flag] generator] nametype] protocol-value] randomdev] strength-value] type] level] name

DESCRIPTION
       generates keys for Secure DNS (DNSSEC) as defined in RFC 2535. It also generates keys for use in Transaction Signatures (TSIG), which are defined in RFC 2845.

   Options
       recognizes the following options:

       Specify the encryption algorithm. The algorithm can be (RSA), or algorithm is case-insensitive. DNSSEC specifies as a mandatory algorithm and as a recommended one. Implementations of TSIG must support

       Determine the number of bits in the key. The choice of key size depends on the algorithm that is used. For the or algorithm, keysize must be between 512 and 2048 bits. For the (Diffie-Hellman) algorithm, keysize must be between 128 and 4096 bits. For the (Digital Signature) algorithm, keysize must be between 512 and 1024 bits and a multiple of 64. For the algorithm, keysize must be between 1 and 512 bits.

       Set the class for the DNS record containing the key. The default class is (Internet). Other values for class are (Chaosnet) and (Hesiod).

       Generate and keys with a large exponent value.

       Set the specified flag in the flag field of the KEY or DNSKEY record. The only recognized flag is (Key Signing Key) for DNSKEY.

       Select the generator to be used when creating Diffie-Hellman keys. The only supported values for generator are and If no Diffie-Hellman generator is supplied, a known prime from RFC 2539 is used, if possible; otherwise, is used as the generator.

       Print a summary of the options and operands.

       Generate KEY records rather than DNSKEY records.

       Specify how the generated key will be used. nametype can be either or to indicate that the key will be used for signing a zone, host, entity, or user, respectively. In this context, and are equivalent. nametype is case-insensitive.

       Set the protocol value for the generated key to protocol-value. The default is (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.

       Override the behavior of to use random numbers to seed the process of generating keys when the system does not have a device to generate random numbers. The program prompts for keyboard input and uses the time intervals between keystrokes to provide randomness. With this option, it uses randomdev as a source of random data.

       Set the key's strength value. The generated key will sign DNS resource records with a strength value of strength-value. It should be a number in the range The default strength is The key strength field currently has no defined purpose in DNSSEC.

       Indicate if the key is used for authentication or confidentiality. type can be one of

              The key can be used for authentication and confidentiality.

              The key cannot be used for authentication or confidentiality.

              The key can be used for confidentiality but not for authentication.

              The key cannot be used for confidentiality, although it can be used for authentication.

       The default is

       Set the verbosity level. As the debugging/tracing level increases, generates increasingly detailed reports about what it is doing. The default level is 0.

   Operands
       name      The domain name for which the key is to be generated.

   Generated Keys
       When completes, it prints an identification string on standard output for the key it has generated, in the form

       The fields are:

       nnnn      The dot-terminated domain name given by name.
       aaa       The DNSSEC algorithm identifier.
       iiiii     A five-digit number identifying the key.

       creates two files. The file names are adapted from the key identification string above, in the form:

       These contain the public and private parts of the key, respectively. The files generated by follow this naming convention to make it easy for the signing tool to identify which files have to be read to find the necessary keys for generating or validating signatures.

       The file contains a resource record that can be inserted into a zone file with a statement. The private part of the key is in the file. It contains details of the encryption algorithm that was used and any relevant parameters. For obvious security reasons, the file does not have general read permission.

       Both and key files are generated by a symmetric encryption algorithm, such as even though the public and private key are equivalent.

EXAMPLES
       To generate a 768-bit DSA key for the domain issue the command:

       prints the key identification string indicating a DSA key with identifier 26160. It creates the files which contain the public and private keys, respectively, for the generated DSA key.

AUTHOR
       was developed by the Internet Systems Consortium (ISC).

FILES

SEE ALSO
       dnssec-signzone(1).

       Requests for Comments (RFC): 2535, 2539, and 2845, available online at

       available online at

       available from the Internet Systems Consortium at

BIND 9.3                                                                 dnssec-keygen(1)
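As an added example (not part of the man page and not ISC's code), the POSIX shell script below takes the key identification string that dnssec-keygen prints, splits it into the nnnn, aaa and iiiii fields described under Generated Keys, derives the public and private file names, and checks that the private file carries no group or world permission bits, which is the property the page says the private file must have. It assumes BIND's Knnnn.+aaa+iiiii naming convention (e.g. Kexample.com.+003+26160, a DSA key with identifier 26160 as in the EXAMPLES section) and, in the commented usage line, the BIND 9 option letters -a, -b and -n; the key ids it runs on are constructed.

```shell
#!/bin/sh
# Added example (not from the man page): handle the key identification
# string that dnssec-keygen prints and check the resulting key files.
# Assumption: the string has BIND's Knnnn.+aaa+iiiii form, e.g.
# Kexample.com.+003+26160, and the files are <keyid>.key / <keyid>.private.

# keyid_field KEYID name|alg|id
# Print one field of a key identification string; fail on malformed input.
keyid_field() {
    case "$1" in
        K?*.+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9]) ;;
        *) printf 'malformed key id: %s\n' "$1" >&2; return 1 ;;
    esac
    _rest=${1#K}                # strip the leading K
    _name=${_rest%%+*}          # up to the first '+': dot-terminated owner name (nnnn)
    _rest=${_rest#*+}
    _alg=${_rest%%+*}           # three-digit algorithm number (aaa)
    _id=${_rest#*+}             # five-digit key id (iiiii)
    case "$2" in
        name) printf '%s\n' "$_name" ;;
        alg)  printf '%s\n' "$_alg" ;;
        id)   printf '%s\n' "$_id" ;;
        *)    printf 'unknown field: %s\n' "$2" >&2; return 1 ;;
    esac
}

# key_files KEYID
# Print the public and private file names derived from the key id.
key_files() {
    printf '%s.key %s.private\n' "$1" "$1"
}

# private_file_is_protected KEYID
# Succeed only if <keyid>.private exists and has no group/other permission
# bits, i.e. it does not have general read permission.
private_file_is_protected() {
    _f="$1.private"
    [ -f "$_f" ] || return 1
    # Columns 2-10 of 'ls -l' output are the nine permission bits.
    _mode=$(ls -ld "$_f" | cut -c2-10)
    case "$_mode" in
        rw-------|r--------) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_keyid KEYID
# Summarize a key id and report the private-file permission check.
# Returns 1 for a malformed id, 2 when the private file is missing or exposed.
audit_keyid() {
    _n=$(keyid_field "$1" name) || return 1
    _a=$(keyid_field "$1" alg)
    _i=$(keyid_field "$1" id)
    printf 'name=%s algorithm=%s id=%s files: %s\n' \
        "$_n" "$_a" "$_i" "$(key_files "$1")"
    if private_file_is_protected "$1"; then
        printf '%s.private: permissions OK\n' "$1"
    else
        printf '%s.private: missing or readable by group/other\n' "$1" >&2
        return 2
    fi
}

# Typical use: audit the id printed by a key generation run, e.g.
#   keyid=$(dnssec-keygen -a DSA -b 768 -n ZONE example.com) && audit_keyid "$keyid"
# (the BIND 9 option letters -a, -b and -n are assumed; the values follow the
# man page's example). Shown here on a constructed id with no files present:
audit_keyid Kexample.com.+003+26160 || true
```

Running the audit right after key generation, and again after keys are copied between hosts or restored from backup, catches the common way the private half gets exposed: a permissive umask or a copy tool that does not preserve the original mode.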