2 - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2001 Internet Software Consortium.
5 - Permission to use, copy, modify, and distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
18 <!-- $Id: dnssec-keygen.html,v 1.5.2.3 2004/06/03 05:21:10 marka Exp $ -->
26 CONTENT="Modular DocBook HTML Stylesheet Version 1.73
53 > -- DNSSEC key generation tool</DIV
55 CLASS="REFSYNOPSISDIV"
155 > generates keys for DNSSEC
156 (Secure DNS), as defined in RFC 2535. It can also generate
157 keys for use with TSIG (Transaction Signatures), as
182 > Selects the cryptographic algorithm. The value of
186 > must be one of RSAMD5 or RSA,
187 DSA, DH (Diffie Hellman), or HMAC-MD5. These values
188 are case insensitive.
191 > Note that for DNSSEC, DSA is a mandatory to implement algorithm,
192 and RSA is recommended. For TSIG, HMAC-MD5 is mandatory.
204 > Specifies the number of bits in the key. The choice of key
205 size depends on the algorithm used. RSA keys must be between
206 512 and 2048 bits. Diffie Hellman keys must be between
207 128 and 4096 bits. DSA keys must be between 512 and 1024
208 bits and an exact multiple of 64. HMAC-MD5 keys must be
209 between 1 and 512 bits.
221 > Specifies the owner type of the key. The value of
225 > must either be ZONE (for a DNSSEC
226 zone key), HOST or ENTITY (for a key associated with a host),
227 or USER (for a key associated with a user). These values are
240 > Indicates that the DNS record containing the key should have
241 the specified class. If not specified, class IN is used.
248 > If generating an RSA key, use a large exponent.
260 > If generating a Diffie Hellman key, use this generator.
261 Allowed values are 2 and 5. If no generator
262 is specified, a known prime from RFC 2539 will be used
263 if possible; otherwise the default is 2.
270 > Prints a short summary of the options and arguments to
286 > Sets the protocol value for the generated key. The protocol
287 is a number between 0 and 255. The default is 2 (email) for
288 keys of type USER and 3 (DNSSEC) for all other key types.
289 Other possible values for this argument are listed in
290 RFC 2535 and its successors.
302 > Specifies the source of randomness. If the operating
303 system does not provide a <TT
307 or equivalent device, the default source of randomness
308 is keyboard input. <TT
312 the name of a character device or file containing random
313 data to be used instead of the default. The special value
317 > indicates that keyboard
318 input should be used.
330 > Specifies the strength value of the key. The strength is
331 a number between 0 and 15, and currently has no defined
344 > Indicates the use of the key. <TT
348 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
349 is AUTHCONF. AUTH refers to the ability to authenticate
350 data, and CONF the ability to encrypt data.
362 > Sets the debugging level.
379 > completes successfully,
380 it prints a string of the form <TT
382 >Knnnn.+aaa+iiiii</TT
384 to the standard output. This is an identification string for
385 the key it has generated. These strings can be used as arguments
388 >dnssec-makekeyset</B
407 > is the numeric representation of the
416 > is the key identifier (or footprint).
424 > creates two file, with names based
425 on the printed string. <TT
427 >Knnnn.+aaa+iiiii.key</TT
429 contains the public key, and
432 >Knnnn.+aaa+iiiii.private</TT
433 > contains the private
440 > file contains a DNS KEY record that
441 can be inserted into a zone file (directly or with a $INCLUDE
448 > file contains algorithm specific
449 fields. For obvious security reasons, this file does not have
450 general read permission.
460 files are generated for symmetric encryption algorithm such as
461 HMAC-MD5, even though the public and private key are equivalent.
472 > To generate a 768-bit DSA key for the domain
478 >, the following command would be
485 >dnssec-keygen -a DSA -b 768 -n ZONE example.com</B
490 > The command would print a string of the form:
496 >Kexample.com.+003+26160</B
501 > In this example, <B
507 >Kexample.com.+003+26160.key</TT
511 >Kexample.com.+003+26160.private</TT
526 CLASS="REFENTRYTITLE"
527 >dnssec-makekeyset</SPAN
533 CLASS="REFENTRYTITLE"
534 >dnssec-signkey</SPAN
540 CLASS="REFENTRYTITLE"
541 >dnssec-signzone</SPAN
546 >BIND 9 Administrator Reference Manual</I
570 > Internet Systems Consortium