1 |
<!-- |
2 |
- Copyright (C) 2004, 2005, 2007-2010, 2012, 2014 Internet Systems Consortium, Inc. ("ISC") |
3 |
- Copyright (C) 2000-2003 Internet Software Consortium. |
4 |
- |
5 |
- Permission to use, copy, modify, and/or distribute this software for any |
6 |
- purpose with or without fee is hereby granted, provided that the above |
7 |
- copyright notice and this permission notice appear in all copies. |
8 |
- |
9 |
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH |
10 |
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY |
11 |
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, |
12 |
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM |
13 |
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE |
14 |
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR |
15 |
- PERFORMANCE OF THIS SOFTWARE. |
16 |
--> |
17 |
<!-- $Id$ --> |
18 |
<html> |
19 |
<head> |
20 |
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> |
21 |
<title>dnssec-keygen</title> |
22 |
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> |
23 |
</head> |
24 |
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> |
25 |
<a name="man.dnssec-keygen"></a><div class="titlepage"></div> |
26 |
<div class="refnamediv"> |
27 |
<h2>Name</h2> |
28 |
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p> |
29 |
</div> |
30 |
<div class="refsynopsisdiv"> |
31 |
<h2>Synopsis</h2> |
32 |
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div> |
33 |
</div> |
34 |
<div class="refsect1" lang="en"> |
35 |
<a name="id2543593"></a><h2>DESCRIPTION</h2> |
36 |
<p><span><strong class="command">dnssec-keygen</strong></span> |
37 |
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 |
38 |
and RFC 4034. It can also generate keys for use with |
39 |
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY |
40 |
(Transaction Key) as defined in RFC 2930. |
41 |
</p> |
42 |
<p> |
43 |
The <code class="option">name</code> of the key is specified on the command |
44 |
line. For DNSSEC keys, this must match the name of the zone for |
45 |
which the key is being generated. |
46 |
</p> |
47 |
</div> |
48 |
<div class="refsect1" lang="en"> |
49 |
<a name="id2543611"></a><h2>OPTIONS</h2> |
50 |
<div class="variablelist"><dl> |
51 |
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> |
52 |
<dd> |
53 |
<p> |
54 |
Selects the cryptographic algorithm. For DNSSEC keys, the value |
55 |
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, |
56 |
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, |
57 |
ECDSAP256SHA256 or ECDSAP384SHA384. |
58 |
For TSIG/TKEY, the value must |
59 |
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, |
60 |
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are |
61 |
case insensitive. |
62 |
</p> |
63 |
<p> |
64 |
If no algorithm is specified, then RSASHA1 will be used by |
65 |
default, unless the <code class="option">-3</code> option is specified, |
66 |
in which case NSEC3RSASHA1 will be used instead. (If |
67 |
<code class="option">-3</code> is used and an algorithm is specified, |
68 |
that algorithm will be checked for compatibility with NSEC3.) |
69 |
</p> |
70 |
<p> |
71 |
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement |
72 |
algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is |
73 |
mandatory. |
74 |
</p> |
75 |
<p> |
76 |
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 |
77 |
automatically set the -T KEY option. |
78 |
</p> |
79 |
</dd> |
80 |
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> |
81 |
<dd> |
82 |
<p> |
83 |
Specifies the number of bits in the key. The choice of key |
84 |
size depends on the algorithm used. RSA keys must be |
85 |
between 512 and 2048 bits. Diffie Hellman keys must be between |
86 |
128 and 4096 bits. DSA keys must be between 512 and 1024 |
87 |
bits and an exact multiple of 64. HMAC keys must be |
88 |
between 1 and 512 bits. Elliptic curve algorithms don't need |
89 |
this parameter. |
90 |
</p> |
91 |
<p> |
92 |
The key size does not need to be specified if using a default |
93 |
algorithm. The default key size is 1024 bits for zone signing |
94 |
keys (ZSK's) and 2048 bits for key signing keys (KSK's, |
95 |
generated with <code class="option">-f KSK</code>). However, if an |
96 |
algorithm is explicitly specified with the <code class="option">-a</code>, |
97 |
then there is no default key size, and the <code class="option">-b</code> |
98 |
must be used. |
99 |
</p> |
100 |
</dd> |
101 |
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt> |
102 |
<dd><p> |
103 |
Specifies the owner type of the key. The value of |
104 |
<code class="option">nametype</code> must either be ZONE (for a DNSSEC |
105 |
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with |
106 |
a host (KEY)), |
107 |
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). |
108 |
These values are case insensitive. Defaults to ZONE for DNSKEY |
109 |
generation. |
110 |
</p></dd> |
111 |
<dt><span class="term">-3</span></dt> |
112 |
<dd><p> |
113 |
Use an NSEC3-capable algorithm to generate a DNSSEC key. |
114 |
If this option is used and no algorithm is explicitly |
115 |
set on the command line, NSEC3RSASHA1 will be used by |
116 |
default. Note that RSASHA256, RSASHA512, ECCGOST, |
117 |
ECDSAP256SHA256 and ECDSAP384SHA384 algorithms |
118 |
are NSEC3-capable. |
119 |
</p></dd> |
120 |
<dt><span class="term">-C</span></dt> |
121 |
<dd><p> |
122 |
Compatibility mode: generates an old-style key, without |
123 |
any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span> |
124 |
will include the key's creation date in the metadata stored |
125 |
with the private key, and other dates may be set there as well |
126 |
(publication date, activation date, etc). Keys that include |
127 |
this data may be incompatible with older versions of BIND; the |
128 |
<code class="option">-C</code> option suppresses them. |
129 |
</p></dd> |
130 |
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> |
131 |
<dd><p> |
132 |
Indicates that the DNS record containing the key should have |
133 |
the specified class. If not specified, class IN is used. |
134 |
</p></dd> |
135 |
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt> |
136 |
<dd><p> |
137 |
Uses a crypto hardware (OpenSSL engine) for random number |
138 |
and, when supported, key generation. When compiled with PKCS#11 |
139 |
support it defaults to pkcs11; the empty name resets it to |
140 |
no engine. |
141 |
</p></dd> |
142 |
<dt><span class="term">-e</span></dt> |
143 |
<dd><p> |
144 |
If generating an RSAMD5/RSASHA1 key, use a large exponent. |
145 |
</p></dd> |
146 |
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt> |
147 |
<dd><p> |
148 |
Set the specified flag in the flag field of the KEY/DNSKEY record. |
149 |
The only recognized flags are KSK (Key Signing Key) and REVOKE. |
150 |
</p></dd> |
151 |
<dt><span class="term">-G</span></dt> |
152 |
<dd><p> |
153 |
Generate a key, but do not publish it or sign with it. This |
154 |
option is incompatible with -P and -A. |
155 |
</p></dd> |
156 |
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt> |
157 |
<dd><p> |
158 |
If generating a Diffie Hellman key, use this generator. |
159 |
Allowed values are 2 and 5. If no generator |
160 |
is specified, a known prime from RFC 2539 will be used |
161 |
if possible; otherwise the default is 2. |
162 |
</p></dd> |
163 |
<dt><span class="term">-h</span></dt> |
164 |
<dd><p> |
165 |
Prints a short summary of the options and arguments to |
166 |
<span><strong class="command">dnssec-keygen</strong></span>. |
167 |
</p></dd> |
168 |
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt> |
169 |
<dd><p> |
170 |
Sets the directory in which the key files are to be written. |
171 |
</p></dd> |
172 |
<dt><span class="term">-k</span></dt> |
173 |
<dd><p> |
174 |
Deprecated in favor of -T KEY. |
175 |
</p></dd> |
176 |
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt> |
177 |
<dd><p> |
178 |
Sets the protocol value for the generated key. The protocol |
179 |
is a number between 0 and 255. The default is 3 (DNSSEC). |
180 |
Other possible values for this argument are listed in |
181 |
RFC 2535 and its successors. |
182 |
</p></dd> |
183 |
<dt><span class="term">-q</span></dt> |
184 |
<dd><p> |
185 |
Quiet mode: Suppresses unnecessary output, including |
186 |
progress indication. Without this option, when |
187 |
<span><strong class="command">dnssec-keygen</strong></span> is run interactively |
188 |
to generate an RSA or DSA key pair, it will print a string |
189 |
of symbols to <code class="filename">stderr</code> indicating the |
190 |
progress of the key generation. A '.' indicates that a |
191 |
random number has been found which passed an initial |
192 |
sieve test; '+' means a number has passed a single |
193 |
round of the Miller-Rabin primality test; a space |
194 |
means that the number has passed all the tests and is |
195 |
a satisfactory key. |
196 |
</p></dd> |
197 |
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> |
198 |
<dd><p> |
199 |
Specifies the source of randomness. If the operating |
200 |
system does not provide a <code class="filename">/dev/random</code> |
201 |
or equivalent device, the default source of randomness |
202 |
is keyboard input. <code class="filename">randomdev</code> |
203 |
specifies |
204 |
the name of a character device or file containing random |
205 |
data to be used instead of the default. The special value |
206 |
<code class="filename">keyboard</code> indicates that keyboard |
207 |
input should be used. |
208 |
</p></dd> |
209 |
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt> |
210 |
<dd><p> |
211 |
Create a new key which is an explicit successor to an |
212 |
existing key. The name, algorithm, size, and type of the |
213 |
key will be set to match the existing key. The activation |
214 |
date of the new key will be set to the inactivation date of |
215 |
the existing one. The publication date will be set to the |
216 |
activation date minus the prepublication interval, which |
217 |
defaults to 30 days. |
218 |
</p></dd> |
219 |
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt> |
220 |
<dd><p> |
221 |
Specifies the strength value of the key. The strength is |
222 |
a number between 0 and 15, and currently has no defined |
223 |
purpose in DNSSEC. |
224 |
</p></dd> |
225 |
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt> |
226 |
<dd> |
227 |
<p> |
228 |
Specifies the resource record type to use for the key. |
229 |
<code class="option">rrtype</code> must be either DNSKEY or KEY. The |
230 |
default is DNSKEY when using a DNSSEC algorithm, but it can be |
231 |
overridden to KEY for use with SIG(0). |
232 |
</p> |
233 |
<p> |
234 |
</p> |
235 |
<p> |
236 |
Using any TSIG algorithm (HMAC-* or DH) forces this option |
237 |
to KEY. |
238 |
</p> |
239 |
</dd> |
240 |
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt> |
241 |
<dd><p> |
242 |
Indicates the use of the key. <code class="option">type</code> must be |
243 |
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default |
244 |
is AUTHCONF. AUTH refers to the ability to authenticate |
245 |
data, and CONF the ability to encrypt data. |
246 |
</p></dd> |
247 |
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> |
248 |
<dd><p> |
249 |
Sets the debugging level. |
250 |
</p></dd> |
251 |
</dl></div> |
252 |
</div> |
253 |
<div class="refsect1" lang="en"> |
254 |
<a name="id2544180"></a><h2>TIMING OPTIONS</h2> |
255 |
<p> |
256 |
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. |
257 |
If the argument begins with a '+' or '-', it is interpreted as |
258 |
an offset from the present time. For convenience, if such an offset |
259 |
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', |
260 |
then the offset is computed in years (defined as 365 24-hour days, |
261 |
ignoring leap years), months (defined as 30 24-hour days), weeks, |
262 |
days, hours, or minutes, respectively. Without a suffix, the offset |
263 |
is computed in seconds. To explicitly prevent a date from being |
264 |
set, use 'none' or 'never'. |
265 |
</p> |
266 |
<div class="variablelist"><dl> |
267 |
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt> |
268 |
<dd><p> |
269 |
Sets the date on which a key is to be published to the zone. |
270 |
After that date, the key will be included in the zone but will |
271 |
not be used to sign it. If not set, and if the -G option has |
272 |
not been used, the default is "now". |
273 |
</p></dd> |
274 |
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt> |
275 |
<dd><p> |
276 |
Sets the date on which the key is to be activated. After that |
277 |
date, the key will be included in the zone and used to sign |
278 |
it. If not set, and if the -G option has not been used, the |
279 |
default is "now". If set, if and -P is not set, then |
280 |
the publication date will be set to the activation date |
281 |
minus the prepublication interval. |
282 |
</p></dd> |
283 |
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt> |
284 |
<dd><p> |
285 |
Sets the date on which the key is to be revoked. After that |
286 |
date, the key will be flagged as revoked. It will be included |
287 |
in the zone and will be used to sign it. |
288 |
</p></dd> |
289 |
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt> |
290 |
<dd><p> |
291 |
Sets the date on which the key is to be retired. After that |
292 |
date, the key will still be included in the zone, but it |
293 |
will not be used to sign it. |
294 |
</p></dd> |
295 |
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt> |
296 |
<dd><p> |
297 |
Sets the date on which the key is to be deleted. After that |
298 |
date, the key will no longer be included in the zone. (It |
299 |
may remain in the key repository, however.) |
300 |
</p></dd> |
301 |
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt> |
302 |
<dd> |
303 |
<p> |
304 |
Sets the prepublication interval for a key. If set, then |
305 |
the publication and activation dates must be separated by at least |
306 |
this much time. If the activation date is specified but the |
307 |
publication date isn't, then the publication date will default |
308 |
to this much time before the activation date; conversely, if |
309 |
the publication date is specified but activation date isn't, |
310 |
then activation will be set to this much time after publication. |
311 |
</p> |
312 |
<p> |
313 |
If the key is being created as an explicit successor to another |
314 |
key, then the default prepublication interval is 30 days; |
315 |
otherwise it is zero. |
316 |
</p> |
317 |
<p> |
318 |
As with date offsets, if the argument is followed by one of |
319 |
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the |
320 |
interval is measured in years, months, weeks, days, hours, |
321 |
or minutes, respectively. Without a suffix, the interval is |
322 |
measured in seconds. |
323 |
</p> |
324 |
</dd> |
325 |
</dl></div> |
326 |
</div> |
327 |
<div class="refsect1" lang="en"> |
328 |
<a name="id2543004"></a><h2>GENERATED KEYS</h2> |
329 |
<p> |
330 |
When <span><strong class="command">dnssec-keygen</strong></span> completes |
331 |
successfully, |
332 |
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code> |
333 |
to the standard output. This is an identification string for |
334 |
the key it has generated. |
335 |
</p> |
336 |
<div class="itemizedlist"><ul type="disc"> |
337 |
<li><p><code class="filename">nnnn</code> is the key name. |
338 |
</p></li> |
339 |
<li><p><code class="filename">aaa</code> is the numeric representation |
340 |
of the |
341 |
algorithm. |
342 |
</p></li> |
343 |
<li><p><code class="filename">iiiii</code> is the key identifier (or |
344 |
footprint). |
345 |
</p></li> |
346 |
</ul></div> |
347 |
<p><span><strong class="command">dnssec-keygen</strong></span> |
348 |
creates two files, with names based |
349 |
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> |
350 |
contains the public key, and |
351 |
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the |
352 |
private |
353 |
key. |
354 |
</p> |
355 |
<p> |
356 |
The <code class="filename">.key</code> file contains a DNS KEY record |
357 |
that |
358 |
can be inserted into a zone file (directly or with a $INCLUDE |
359 |
statement). |
360 |
</p> |
361 |
<p> |
362 |
The <code class="filename">.private</code> file contains |
363 |
algorithm-specific |
364 |
fields. For obvious security reasons, this file does not have |
365 |
general read permission. |
366 |
</p> |
367 |
<p> |
368 |
Both <code class="filename">.key</code> and <code class="filename">.private</code> |
369 |
files are generated for symmetric encryption algorithms such as |
370 |
HMAC-MD5, even though the public and private key are equivalent. |
371 |
</p> |
372 |
</div> |
373 |
<div class="refsect1" lang="en"> |
374 |
<a name="id2543086"></a><h2>EXAMPLE</h2> |
375 |
<p> |
376 |
To generate a 768-bit DSA key for the domain |
377 |
<strong class="userinput"><code>example.com</code></strong>, the following command would be |
378 |
issued: |
379 |
</p> |
380 |
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong> |
381 |
</p> |
382 |
<p> |
383 |
The command would print a string of the form: |
384 |
</p> |
385 |
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong> |
386 |
</p> |
387 |
<p> |
388 |
In this example, <span><strong class="command">dnssec-keygen</strong></span> creates |
389 |
the files <code class="filename">Kexample.com.+003+26160.key</code> |
390 |
and |
391 |
<code class="filename">Kexample.com.+003+26160.private</code>. |
392 |
</p> |
393 |
</div> |
394 |
<div class="refsect1" lang="en"> |
395 |
<a name="id2543130"></a><h2>SEE ALSO</h2> |
396 |
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, |
397 |
<em class="citetitle">BIND 9 Administrator Reference Manual</em>, |
398 |
<em class="citetitle">RFC 2539</em>, |
399 |
<em class="citetitle">RFC 2845</em>, |
400 |
<em class="citetitle">RFC 4034</em>. |
401 |
</p> |
402 |
</div> |
403 |
<div class="refsect1" lang="en"> |
404 |
<a name="id2544731"></a><h2>AUTHOR</h2> |
405 |
<p><span class="corpauthor">Internet Systems Consortium</span> |
406 |
</p> |
407 |
</div> |
408 |
</div></body> |
409 |
</html> |