NAME
dnssec-keygen — key generation tool for DNSSEC

SYNOPSIS
dnssec-keygen [-ehk] [-a algorithm] [-b keysize] [-c class] [-f flag] [-g generator] [-n nametype] [-p protocol-value] [-r randomdev] [-s strength-value] [-t type] [-v level] name
DESCRIPTION
dnssec-keygen generates keys for Secure DNS (DNSSEC) as defined in RFC 2535. It also generates keys for use in Transaction Signatures (TSIG), which are defined in RFC 2845.

Options
dnssec-keygen recognizes the following options:
- -a algorithm
  Specify the encryption algorithm. The algorithm can be RSAMD5 (RSA), RSASHA1, DH, DSA or HMAC-MD5. algorithm is case-insensitive. DNSSEC specifies RSASHA1 as a mandatory algorithm and DSA as a recommended one. Implementations of TSIG must support HMAC-MD5.
- -b keysize
  Determine the number of bits in the key. The choice of key size depends on the algorithm that is used. For the RSAMD5 or RSASHA1 algorithm, keysize must be between 512 and 2048 bits. For the DH (Diffie-Hellman) algorithm, keysize must be between 128 and 4096 bits. For the DSA (Digital Signature) algorithm, keysize must be between 512 and 1024 bits and a multiple of 64. For the HMAC-MD5 algorithm, keysize must be between 1 and 512 bits.
- -c class
  Set the class for the DNS record containing the key. The default class is IN (Internet). Other values for class are CH (Chaosnet) and HS (Hesiod).
- -e
  Generate RSAMD5 and RSASHA1 keys with a large exponent value.
- -f flag
  Set the specified flag in the flag field of the KEY or DNSKEY record. The only recognized flag is KSK (Key Signing Key) for DNSKEY.
- -g generator
  Select the generator to be used when creating Diffie-Hellman keys. The only supported values for generator are 2 and 5. If no Diffie-Hellman generator is supplied, a known prime from RFC 2539 is used, if possible; otherwise, 2 is used as the generator.
- -h
  Print a summary of the dnssec-keygen options and operands.
- -k
  Generate KEY records rather than DNSKEY records.
- -n nametype
  Specify how the generated key will be used. nametype can be ZONE, HOST, ENTITY, or USER to indicate that the key will be used for signing a zone, host, entity, or user, respectively. In this context, HOST and ENTITY are equivalent. nametype is case-insensitive.
- -p protocol-value
  Set the protocol value for the generated key to protocol-value. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
- -r randomdev
  Specify the source of random data used to seed key generation. On a system that has no /dev/random device, dnssec-keygen by default prompts for keyboard input and uses the time intervals between keystrokes to provide randomness. With this option, it reads random data from randomdev instead.
- -s strength-value
  Set the key's strength value. The generated key will sign DNS resource records with a strength value of strength-value. It should be a number in the range 0-15. The default strength is 0. The key strength field currently has no defined purpose in DNSSEC.
- -t type
  Indicate if the key is used for authentication or confidentiality. type can be one of:
  - AUTHCONF
    The key can be used for authentication and confidentiality.
  - NOAUTHCONF
    The key cannot be used for authentication or confidentiality.
  - NOAUTH
    The key can be used for confidentiality but not for authentication.
  - NOCONF
    The key cannot be used for confidentiality, although it can be used for authentication.
  The default is AUTHCONF.
- -v level
  Set the verbosity level. As the debugging/tracing level increases, dnssec-keygen generates increasingly detailed reports about what it is doing. The default level is 0.

Operands
- name
  The domain name for which the key is to be generated.
Generated Keys
When dnssec-keygen completes, it prints an identification string for the key it has generated on standard output, in the form:

Knnnn.+aaa+iiiii

The fields are:
- nnnn
  The dot-terminated domain name given by name.
- aaa
  The DNSSEC algorithm identifier.
- iiiii
  A five-digit number identifying the key.

dnssec-keygen creates two files. The file names are adapted from the key identification string above, in the form:

Knnnn.+aaa+iiiii.key
Knnnn.+aaa+iiiii.private

These contain the public and private parts of the key respectively. The files generated by dnssec-keygen follow this naming convention to make it easy for the signing tool dnssec-signzone to identify which files have to be read to find the necessary keys for generating or validating signatures.

The .key file contains a DNSKEY resource record that can be inserted into a zone file with a $INCLUDE statement.

The private part of the key is in the .private file. It contains details of the encryption algorithm that was used and any relevant parameters. For obvious security reasons, the .private file does not have general read permission.

Both a .key and a .private file are generated even for a symmetric algorithm such as HMAC-MD5, although in that case the public and private keys are equivalent.
EXAMPLES
To generate a 768-bit DSA key for the domain example.com, issue the command:

$ dnssec-keygen -a DSA -b 768 -n ZONE example.com

dnssec-keygen prints the key identification string

Kexample.com.+003+26160

indicating a DSA key with identifier 26160. It creates the files

Kexample.com.+003+26160.key
Kexample.com.+003+26160.private

which contain the public and private keys, respectively, for the generated DSA key.
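As an added example (not part of this manual page or of BIND), the following Python script interprets what dnssec-keygen leaves behind: it parses the Knnnn.+aaa+iiiii identification string and the .key/.private file names described under Generated Keys, decodes the DNSKEY record kept in the .key file, and checks that a .private file mode grants no group or world read access. The algorithm numbers other than 003 = DSA are the registry values from RFC 2535 and RFC 3110 (157 is BIND's number for HMAC-MD5), not from this page, and the DNSKEY record text is a constructed sample.

```python
"""Interpret dnssec-keygen output (added example, not BIND's own code)."""
import re
import stat

# Identification string from "Generated Keys": K<dot-terminated name>+<aaa>+<iiiii>,
# optionally followed by the .key or .private suffix of the two output files.
KEY_ID_RE = re.compile(
    r"^K(?P<name>\S+\.)\+(?P<alg>\d{3})\+(?P<id>\d{5})(?P<ext>\.key|\.private)?$")

# DNSSEC algorithm numbers. The man page only shows 003 = DSA; the other values
# are registry numbers from RFC 2535 / RFC 3110 (157 = BIND's HMAC-MD5 number).
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1", 157: "HMAC-MD5"}


def parse_key_id(text):
    """Split 'Kexample.com.+003+26160[.key]' into name, algorithm, key id, suffix."""
    m = KEY_ID_RE.match(text.strip())
    if m is None:
        raise ValueError("not a dnssec-keygen identification string: %r" % text)
    alg = int(m.group("alg"))
    return {"name": m.group("name"), "algorithm": alg,
            "mnemonic": ALGORITHMS.get(alg, "UNKNOWN"),
            "keyid": int(m.group("id")), "ext": m.group("ext")}


def parse_dnskey(rr):
    """Decode the DNSKEY record kept in the .key file.

    Presentation format: '<owner> [TTL] [class] DNSKEY <flags> <protocol> <alg> <base64>'.
    Flag bit 256 marks a zone key; the low bit (SEP) is what -f KSK sets, giving 257.
    The protocol field must be 3 (the -p default) for a valid DNSKEY."""
    fields = rr.split()
    i = fields.index("DNSKEY")
    flags, protocol, alg = (int(x) for x in fields[i + 1:i + 4])
    return {"owner": fields[0], "flags": flags, "zone_key": bool(flags & 256),
            "ksk": bool(flags & 1), "protocol": protocol, "protocol_ok": protocol == 3,
            "algorithm": ALGORITHMS.get(alg, "UNKNOWN")}


def private_file_ok(mode):
    """True if a .private file's mode grants no group or world read access."""
    return not (mode & (stat.S_IRGRP | stat.S_IROTH))


if __name__ == "__main__":
    # Constructed samples modelled on the EXAMPLES section of the man page.
    print(parse_key_id("Kexample.com.+003+26160.key"))
    print(parse_dnskey("example.com. IN DNSKEY 256 3 3 AQPSKmyn...=="))  # constructed RR
    print(private_file_ok(0o600), private_file_ok(0o644))  # True False
```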
AUTHOR
dnssec-keygen was developed by the Internet Systems Consortium (ISC).

SEE ALSO
dnssec-signzone(1).

Requests for Comments (RFC): 2535, 2539, and 2845, available online at http://www.rfc-editor.org/.

HP-UX IP Address and Client Management Administrator's Guide, available online at http://docs.hp.com.

BIND 9 Administrator Reference Manual, available from the Internet Systems Consortium at http://www.isc.org/sw/bind/arm93.