BIND 9.3
HP-UX 11i Version 3: February 2007


dnssec-keygen — key generation tool for DNSSEC

Synopsis

dnssec-keygen [-ehk] [-a algorithm] [-b keysize] [-c class] [-f flag] [-g generator] [-n nametype] [-p protocol-value] [-r randomdev] [-s strength-value] [-t type] [-v level] name

Description

dnssec-keygen generates keys for Secure DNS (DNSSEC) as defined in RFC 2535. It also generates keys for use in Transaction Signatures (TSIG), which are defined in RFC 2845.

Options

dnssec-keygen recognizes the following options:

-a algorithm

Specify the encryption algorithm. The algorithm can be RSAMD5 (RSA), RSASHA1, DH, DSA or HMAC-MD5. algorithm is case-insensitive.

DNSSEC specifies RSASHA1 as a mandatory algorithm and DSA as a recommended one. Implementations of TSIG must support HMAC-MD5.

-b keysize

Determine the number of bits in the key. The choice of key size depends on the algorithm that is used.

For the RSAMD5 or RSASHA1 algorithm, keysize must be between 512 and 2048 bits.

For the DH (Diffie-Hellman) algorithm, keysize must be between 128 and 4096 bits.

For the DSA (Digital Signature) algorithm, keysize must be between 512 and 1024 bits and a multiple of 64.

For the HMAC-MD5 algorithm, keysize must be between 1 and 512 bits.

-c class

Set the class for the DNS record containing the key. The default class is IN (Internet). Other values for class are CH (Chaosnet) and HS (Hesiod).

-e

Generate RSAMD5 and RSASHA1 keys with a large exponent value.

-f flag

Set the specified flag in the flag field of the KEY or DNSKEY record. The only recognized flag is KSK (Key Signing Key) for DNSKEY.

-g generator

Select the generator to be used when creating Diffie-Hellman keys. The only supported values for generator are 2 and 5. If no Diffie-Hellman generator is supplied, a known prime from RFC 2539 is used, if possible; otherwise, 2 is used as the generator.

-h

Print a summary of the dnssec-keygen options and operands.

-k

Generate KEY records rather than DNSKEY records.

-n nametype

Specify how the generated key will be used.

nametype can be either ZONE, HOST, ENTITY, or USER to indicate that the key will be used for signing a zone, host, entity, or user, respectively. In this context, HOST and ENTITY are equivalent. nametype is case-insensitive.

-p protocol-value

Set the protocol value for the generated key to protocol-value. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.

-r randomdev

By default, when the system has no /dev/random device, dnssec-keygen prompts for keyboard input and uses the time intervals between keystrokes as its source of randomness for key generation. This option overrides that behavior: dnssec-keygen uses randomdev as its source of random data instead.

-s strength-value

Set the key's strength value. The generated key will sign DNS resource records with a strength value of strength-value. It should be a number in the range 0-15. The default strength is 0. The key strength field currently has no defined purpose in DNSSEC.

-t type

Indicate if the key is used for authentication or confidentiality. type can be one of

AUTHCONF

The key can be used for authentication and confidentiality.

NOAUTHCONF

The key cannot be used for authentication or confidentiality.

NOAUTH

The key can be used for confidentiality but not for authentication.

NOCONF

The key cannot be used for confidentiality, although it can be used for authentication.

The default is AUTHCONF.

-v level

Set the verbosity level. As the debugging/tracing level increases, dnssec-keygen generates increasingly detailed reports about what it is doing. The default level is 0.

name

The domain name for which the key is to be generated.

Generated Keys

When dnssec-keygen completes, it prints an identification string on standard output for the key it has generated, in the form

Knnnn.+aaa+iiiii

The fields are:

nnnn

The dot-terminated domain name given by name.

aaa

The DNSSEC algorithm identifier.

iiiii

A five-digit number identifying the key.

dnssec-keygen creates two files. The file names are adapted from the key identification string above, in the form:

  • Knnnn.+aaa+iiiii.key

  • Knnnn.+aaa+iiiii.private

These contain the public and private parts of the key respectively. The files generated by dnssec-keygen follow this naming convention to make it easy for the signing tool dnssec-signzone to identify which files have to be read to find the necessary keys for generating or validating signatures.

The .key file contains a DNSKEY resource record that can be inserted into a zone file with a $INCLUDE statement. The private part of the key is in the .private file. It contains details of the encryption algorithm that was used and any relevant parameters. For obvious security reasons, the .private file does not have general read permission. Both a .key and a .private file are generated even for a symmetric algorithm such as HMAC-MD5, although in that case the public and private keys are equivalent.

Examples

To generate a 768-bit DSA key for the domain example.com, issue the command:

$ dnssec-keygen -a DSA -b 768 -n ZONE example.com

dnssec-keygen prints the key identification string

Kexample.com.+003+26160

indicating a DSA key with identifier 26160. It creates the files

  • Kexample.com.+003+26160.key

  • Kexample.com.+003+26160.private

which contain the public and private keys, respectively, for the generated DSA key.
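The identification string and file naming convention described under Generated Keys, and the example key pair above, as an added Python example (not part of the HP-UX or BIND documentation): it parses a Knnnn.+aaa+iiiii string into its three fields, derives the two file names, and audits a key directory for the read-permission property the page states for the .private file. The algorithm-number-to-name table beyond 003 = DSA is assumed from the IANA DNSSEC algorithm registry; the sample files and their permission modes are constructed.

```python
import os, re, stat, tempfile

# DNSSEC algorithm numbers: the page itself shows only 003 = DSA; the other
# entries are assumed from the IANA registry for the algorithms -a accepts.
ALGORITHM_NAMES = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 157: "HMAC-MD5"}

# Knnnn.+aaa+iiiii: dot-terminated name, 3-digit algorithm, 5-digit key id.
KEY_ID_RE = re.compile(r"^K(?P<name>.+\.)\+(?P<alg>\d{3})\+(?P<id>\d{5})$")


def parse_key_id(key_id):
    """Split a dnssec-keygen identification string into its three fields."""
    m = KEY_ID_RE.match(key_id)
    if m is None:
        raise ValueError("not a dnssec-keygen identification string: %r" % key_id)
    alg = int(m.group("alg"))
    return {"name": m.group("name"), "algorithm": alg,
            "algorithm_name": ALGORITHM_NAMES.get(alg, "unknown"),
            "key_id": int(m.group("id"))}


def key_file_names(key_id):
    """The (.key, .private) file names dnssec-keygen derives from the id string."""
    parse_key_id(key_id)  # reject malformed strings before deriving names
    return key_id + ".key", key_id + ".private"


def check_key_pair(directory, key_id):
    """Audit one key pair: both files present, .private has no group/other bits."""
    public, private = key_file_names(key_id)
    findings = []
    for fname in (public, private):
        if not os.path.isfile(os.path.join(directory, fname)):
            findings.append("missing: " + fname)
    private_path = os.path.join(directory, private)
    if os.path.isfile(private_path):
        mode = stat.S_IMODE(os.stat(private_path).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("group/other can read private key: " + private)
    return findings


def demo_audit():
    """Constructed sample: the page's example key pair, .private left at mode 0644."""
    key_id = "Kexample.com.+003+26160"
    with tempfile.TemporaryDirectory() as d:
        for fname in key_file_names(key_id):
            open(os.path.join(d, fname), "w").close()
            os.chmod(os.path.join(d, fname), 0o644)  # constructed: too permissive
        return check_key_pair(d, key_id)
```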

Author

dnssec-keygen was developed by the Internet Systems Consortium (ISC).

See Also

Requests for Comments (RFC): 2535, 2539, and 2845, available online at http://www.rfc-editor.org/.

HP-UX IP Address and Client Management Administrator's Guide, available online at http://docs.hp.com.

BIND 9 Administrator Reference Manual, available from the Internet Systems Consortium at http://www.isc.org/sw/bind/arm93.

© 1983-2007 Hewlett-Packard Development Company, L.P.