1*00b67f09SDavid van Moolenbroek<!-- 2*00b67f09SDavid van Moolenbroek - Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC") 3*00b67f09SDavid van Moolenbroek - Copyright (C) 2000-2003 Internet Software Consortium. 4*00b67f09SDavid van Moolenbroek - 5*00b67f09SDavid van Moolenbroek - Permission to use, copy, modify, and/or distribute this software for any 6*00b67f09SDavid van Moolenbroek - purpose with or without fee is hereby granted, provided that the above 7*00b67f09SDavid van Moolenbroek - copyright notice and this permission notice appear in all copies. 8*00b67f09SDavid van Moolenbroek - 9*00b67f09SDavid van Moolenbroek - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10*00b67f09SDavid van Moolenbroek - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11*00b67f09SDavid van Moolenbroek - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12*00b67f09SDavid van Moolenbroek - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13*00b67f09SDavid van Moolenbroek - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14*00b67f09SDavid van Moolenbroek - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15*00b67f09SDavid van Moolenbroek - PERFORMANCE OF THIS SOFTWARE. 16*00b67f09SDavid van Moolenbroek--> 17*00b67f09SDavid van Moolenbroek<!-- Id --> 18*00b67f09SDavid van Moolenbroek<html> 19*00b67f09SDavid van Moolenbroek<head> 20*00b67f09SDavid van Moolenbroek<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 21*00b67f09SDavid van Moolenbroek<title>dnssec-keygen</title> 22*00b67f09SDavid van Moolenbroek<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> 23*00b67f09SDavid van Moolenbroek</head> 24*00b67f09SDavid van Moolenbroek<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en"> 25*00b67f09SDavid van Moolenbroek<a name="man.dnssec-keygen"></a><div class="titlepage"></div> 26*00b67f09SDavid van Moolenbroek<div class="refnamediv"> 27*00b67f09SDavid van Moolenbroek<h2>Name</h2> 28*00b67f09SDavid van Moolenbroek<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p> 29*00b67f09SDavid van Moolenbroek</div> 30*00b67f09SDavid van Moolenbroek<div class="refsynopsisdiv"> 31*00b67f09SDavid van Moolenbroek<h2>Synopsis</h2> 32*00b67f09SDavid van Moolenbroek<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div> 33*00b67f09SDavid van Moolenbroek</div> 34*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 35*00b67f09SDavid van Moolenbroek<a name="id2543608"></a><h2>DESCRIPTION</h2> 36*00b67f09SDavid van Moolenbroek<p><span><strong class="command">dnssec-keygen</strong></span> 37*00b67f09SDavid van Moolenbroek generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 38*00b67f09SDavid van Moolenbroek and RFC 4034. It can also generate keys for use with 39*00b67f09SDavid van Moolenbroek TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY 40*00b67f09SDavid van Moolenbroek (Transaction Key) as defined in RFC 2930. 41*00b67f09SDavid van Moolenbroek </p> 42*00b67f09SDavid van Moolenbroek<p> 43*00b67f09SDavid van Moolenbroek The <code class="option">name</code> of the key is specified on the command 44*00b67f09SDavid van Moolenbroek line. For DNSSEC keys, this must match the name of the zone for 45*00b67f09SDavid van Moolenbroek which the key is being generated. 46*00b67f09SDavid van Moolenbroek </p> 47*00b67f09SDavid van Moolenbroek</div> 48*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 49*00b67f09SDavid van Moolenbroek<a name="id2543626"></a><h2>OPTIONS</h2> 50*00b67f09SDavid van Moolenbroek<div class="variablelist"><dl> 51*00b67f09SDavid van Moolenbroek<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt> 52*00b67f09SDavid van Moolenbroek<dd> 53*00b67f09SDavid van Moolenbroek<p> 54*00b67f09SDavid van Moolenbroek Selects the cryptographic algorithm. For DNSSEC keys, the value 55*00b67f09SDavid van Moolenbroek of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1, 56*00b67f09SDavid van Moolenbroek DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, 57*00b67f09SDavid van Moolenbroek ECDSAP256SHA256 or ECDSAP384SHA384. 58*00b67f09SDavid van Moolenbroek For TSIG/TKEY, the value must 59*00b67f09SDavid van Moolenbroek be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, 60*00b67f09SDavid van Moolenbroek HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are 61*00b67f09SDavid van Moolenbroek case insensitive. 62*00b67f09SDavid van Moolenbroek </p> 63*00b67f09SDavid van Moolenbroek<p> 64*00b67f09SDavid van Moolenbroek If no algorithm is specified, then RSASHA1 will be used by 65*00b67f09SDavid van Moolenbroek default, unless the <code class="option">-3</code> option is specified, 66*00b67f09SDavid van Moolenbroek in which case NSEC3RSASHA1 will be used instead. (If 67*00b67f09SDavid van Moolenbroek <code class="option">-3</code> is used and an algorithm is specified, 68*00b67f09SDavid van Moolenbroek that algorithm will be checked for compatibility with NSEC3.) 69*00b67f09SDavid van Moolenbroek </p> 70*00b67f09SDavid van Moolenbroek<p> 71*00b67f09SDavid van Moolenbroek Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement 72*00b67f09SDavid van Moolenbroek algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is 73*00b67f09SDavid van Moolenbroek mandatory. 74*00b67f09SDavid van Moolenbroek </p> 75*00b67f09SDavid van Moolenbroek<p> 76*00b67f09SDavid van Moolenbroek Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 77*00b67f09SDavid van Moolenbroek automatically set the -T KEY option. 78*00b67f09SDavid van Moolenbroek </p> 79*00b67f09SDavid van Moolenbroek</dd> 80*00b67f09SDavid van Moolenbroek<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt> 81*00b67f09SDavid van Moolenbroek<dd> 82*00b67f09SDavid van Moolenbroek<p> 83*00b67f09SDavid van Moolenbroek Specifies the number of bits in the key. The choice of key 84*00b67f09SDavid van Moolenbroek size depends on the algorithm used. RSA keys must be 85*00b67f09SDavid van Moolenbroek between 512 and 2048 bits. Diffie Hellman keys must be between 86*00b67f09SDavid van Moolenbroek 128 and 4096 bits. DSA keys must be between 512 and 1024 87*00b67f09SDavid van Moolenbroek bits and an exact multiple of 64. HMAC keys must be 88*00b67f09SDavid van Moolenbroek between 1 and 512 bits. Elliptic curve algorithms don't need 89*00b67f09SDavid van Moolenbroek this parameter. 90*00b67f09SDavid van Moolenbroek </p> 91*00b67f09SDavid van Moolenbroek<p> 92*00b67f09SDavid van Moolenbroek The key size does not need to be specified if using a default 93*00b67f09SDavid van Moolenbroek algorithm. The default key size is 1024 bits for zone signing 94*00b67f09SDavid van Moolenbroek keys (ZSK's) and 2048 bits for key signing keys (KSK's, 95*00b67f09SDavid van Moolenbroek generated with <code class="option">-f KSK</code>). However, if an 96*00b67f09SDavid van Moolenbroek algorithm is explicitly specified with the <code class="option">-a</code>, 97*00b67f09SDavid van Moolenbroek then there is no default key size, and the <code class="option">-b</code> 98*00b67f09SDavid van Moolenbroek must be used. 99*00b67f09SDavid van Moolenbroek </p> 100*00b67f09SDavid van Moolenbroek</dd> 101*00b67f09SDavid van Moolenbroek<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt> 102*00b67f09SDavid van Moolenbroek<dd><p> 103*00b67f09SDavid van Moolenbroek Specifies the owner type of the key. The value of 104*00b67f09SDavid van Moolenbroek <code class="option">nametype</code> must either be ZONE (for a DNSSEC 105*00b67f09SDavid van Moolenbroek zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with 106*00b67f09SDavid van Moolenbroek a host (KEY)), 107*00b67f09SDavid van Moolenbroek USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). 108*00b67f09SDavid van Moolenbroek These values are case insensitive. Defaults to ZONE for DNSKEY 109*00b67f09SDavid van Moolenbroek generation. 110*00b67f09SDavid van Moolenbroek </p></dd> 111*00b67f09SDavid van Moolenbroek<dt><span class="term">-3</span></dt> 112*00b67f09SDavid van Moolenbroek<dd><p> 113*00b67f09SDavid van Moolenbroek Use an NSEC3-capable algorithm to generate a DNSSEC key. 114*00b67f09SDavid van Moolenbroek If this option is used and no algorithm is explicitly 115*00b67f09SDavid van Moolenbroek set on the command line, NSEC3RSASHA1 will be used by 116*00b67f09SDavid van Moolenbroek default. Note that RSASHA256, RSASHA512, ECCGOST, 117*00b67f09SDavid van Moolenbroek ECDSAP256SHA256 and ECDSAP384SHA384 algorithms 118*00b67f09SDavid van Moolenbroek are NSEC3-capable. 119*00b67f09SDavid van Moolenbroek </p></dd> 120*00b67f09SDavid van Moolenbroek<dt><span class="term">-C</span></dt> 121*00b67f09SDavid van Moolenbroek<dd><p> 122*00b67f09SDavid van Moolenbroek Compatibility mode: generates an old-style key, without 123*00b67f09SDavid van Moolenbroek any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span> 124*00b67f09SDavid van Moolenbroek will include the key's creation date in the metadata stored 125*00b67f09SDavid van Moolenbroek with the private key, and other dates may be set there as well 126*00b67f09SDavid van Moolenbroek (publication date, activation date, etc). Keys that include 127*00b67f09SDavid van Moolenbroek this data may be incompatible with older versions of BIND; the 128*00b67f09SDavid van Moolenbroek <code class="option">-C</code> option suppresses them. 129*00b67f09SDavid van Moolenbroek </p></dd> 130*00b67f09SDavid van Moolenbroek<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt> 131*00b67f09SDavid van Moolenbroek<dd><p> 132*00b67f09SDavid van Moolenbroek Indicates that the DNS record containing the key should have 133*00b67f09SDavid van Moolenbroek the specified class. If not specified, class IN is used. 134*00b67f09SDavid van Moolenbroek </p></dd> 135*00b67f09SDavid van Moolenbroek<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt> 136*00b67f09SDavid van Moolenbroek<dd> 137*00b67f09SDavid van Moolenbroek<p> 138*00b67f09SDavid van Moolenbroek Specifies the cryptographic hardware to use, when applicable. 139*00b67f09SDavid van Moolenbroek </p> 140*00b67f09SDavid van Moolenbroek<p> 141*00b67f09SDavid van Moolenbroek When BIND is built with OpenSSL PKCS#11 support, this defaults 142*00b67f09SDavid van Moolenbroek to the string "pkcs11", which identifies an OpenSSL engine 143*00b67f09SDavid van Moolenbroek that can drive a cryptographic accelerator or hardware service 144*00b67f09SDavid van Moolenbroek module. When BIND is built with native PKCS#11 cryptography 145*00b67f09SDavid van Moolenbroek (--enable-native-pkcs11), it defaults to the path of the PKCS#11 146*00b67f09SDavid van Moolenbroek provider library specified via "--with-pkcs11". 147*00b67f09SDavid van Moolenbroek </p> 148*00b67f09SDavid van Moolenbroek</dd> 149*00b67f09SDavid van Moolenbroek<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt> 150*00b67f09SDavid van Moolenbroek<dd><p> 151*00b67f09SDavid van Moolenbroek Set the specified flag in the flag field of the KEY/DNSKEY record. 152*00b67f09SDavid van Moolenbroek The only recognized flags are KSK (Key Signing Key) and REVOKE. 153*00b67f09SDavid van Moolenbroek </p></dd> 154*00b67f09SDavid van Moolenbroek<dt><span class="term">-G</span></dt> 155*00b67f09SDavid van Moolenbroek<dd><p> 156*00b67f09SDavid van Moolenbroek Generate a key, but do not publish it or sign with it. This 157*00b67f09SDavid van Moolenbroek option is incompatible with -P and -A. 158*00b67f09SDavid van Moolenbroek </p></dd> 159*00b67f09SDavid van Moolenbroek<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt> 160*00b67f09SDavid van Moolenbroek<dd><p> 161*00b67f09SDavid van Moolenbroek If generating a Diffie Hellman key, use this generator. 162*00b67f09SDavid van Moolenbroek Allowed values are 2 and 5. If no generator 163*00b67f09SDavid van Moolenbroek is specified, a known prime from RFC 2539 will be used 164*00b67f09SDavid van Moolenbroek if possible; otherwise the default is 2. 165*00b67f09SDavid van Moolenbroek </p></dd> 166*00b67f09SDavid van Moolenbroek<dt><span class="term">-h</span></dt> 167*00b67f09SDavid van Moolenbroek<dd><p> 168*00b67f09SDavid van Moolenbroek Prints a short summary of the options and arguments to 169*00b67f09SDavid van Moolenbroek <span><strong class="command">dnssec-keygen</strong></span>. 170*00b67f09SDavid van Moolenbroek </p></dd> 171*00b67f09SDavid van Moolenbroek<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt> 172*00b67f09SDavid van Moolenbroek<dd><p> 173*00b67f09SDavid van Moolenbroek Sets the directory in which the key files are to be written. 174*00b67f09SDavid van Moolenbroek </p></dd> 175*00b67f09SDavid van Moolenbroek<dt><span class="term">-k</span></dt> 176*00b67f09SDavid van Moolenbroek<dd><p> 177*00b67f09SDavid van Moolenbroek Deprecated in favor of -T KEY. 178*00b67f09SDavid van Moolenbroek </p></dd> 179*00b67f09SDavid van Moolenbroek<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt> 180*00b67f09SDavid van Moolenbroek<dd><p> 181*00b67f09SDavid van Moolenbroek Sets the default TTL to use for this key when it is converted 182*00b67f09SDavid van Moolenbroek into a DNSKEY RR. If the key is imported into a zone, 183*00b67f09SDavid van Moolenbroek this is the TTL that will be used for it, unless there was 184*00b67f09SDavid van Moolenbroek already a DNSKEY RRset in place, in which case the existing TTL 185*00b67f09SDavid van Moolenbroek would take precedence. If this value is not set and there 186*00b67f09SDavid van Moolenbroek is no existing DNSKEY RRset, the TTL will default to the 187*00b67f09SDavid van Moolenbroek SOA TTL. Setting the default TTL to <code class="literal">0</code> 188*00b67f09SDavid van Moolenbroek or <code class="literal">none</code> is the same as leaving it unset. 189*00b67f09SDavid van Moolenbroek </p></dd> 190*00b67f09SDavid van Moolenbroek<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt> 191*00b67f09SDavid van Moolenbroek<dd><p> 192*00b67f09SDavid van Moolenbroek Sets the protocol value for the generated key. The protocol 193*00b67f09SDavid van Moolenbroek is a number between 0 and 255. The default is 3 (DNSSEC). 194*00b67f09SDavid van Moolenbroek Other possible values for this argument are listed in 195*00b67f09SDavid van Moolenbroek RFC 2535 and its successors. 196*00b67f09SDavid van Moolenbroek </p></dd> 197*00b67f09SDavid van Moolenbroek<dt><span class="term">-q</span></dt> 198*00b67f09SDavid van Moolenbroek<dd><p> 199*00b67f09SDavid van Moolenbroek Quiet mode: Suppresses unnecessary output, including 200*00b67f09SDavid van Moolenbroek progress indication. Without this option, when 201*00b67f09SDavid van Moolenbroek <span><strong class="command">dnssec-keygen</strong></span> is run interactively 202*00b67f09SDavid van Moolenbroek to generate an RSA or DSA key pair, it will print a string 203*00b67f09SDavid van Moolenbroek of symbols to <code class="filename">stderr</code> indicating the 204*00b67f09SDavid van Moolenbroek progress of the key generation. A '.' indicates that a 205*00b67f09SDavid van Moolenbroek random number has been found which passed an initial 206*00b67f09SDavid van Moolenbroek sieve test; '+' means a number has passed a single 207*00b67f09SDavid van Moolenbroek round of the Miller-Rabin primality test; a space 208*00b67f09SDavid van Moolenbroek means that the number has passed all the tests and is 209*00b67f09SDavid van Moolenbroek a satisfactory key. 210*00b67f09SDavid van Moolenbroek </p></dd> 211*00b67f09SDavid van Moolenbroek<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt> 212*00b67f09SDavid van Moolenbroek<dd><p> 213*00b67f09SDavid van Moolenbroek Specifies the source of randomness. If the operating 214*00b67f09SDavid van Moolenbroek system does not provide a <code class="filename">/dev/random</code> 215*00b67f09SDavid van Moolenbroek or equivalent device, the default source of randomness 216*00b67f09SDavid van Moolenbroek is keyboard input. <code class="filename">randomdev</code> 217*00b67f09SDavid van Moolenbroek specifies 218*00b67f09SDavid van Moolenbroek the name of a character device or file containing random 219*00b67f09SDavid van Moolenbroek data to be used instead of the default. The special value 220*00b67f09SDavid van Moolenbroek <code class="filename">keyboard</code> indicates that keyboard 221*00b67f09SDavid van Moolenbroek input should be used. 222*00b67f09SDavid van Moolenbroek </p></dd> 223*00b67f09SDavid van Moolenbroek<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt> 224*00b67f09SDavid van Moolenbroek<dd><p> 225*00b67f09SDavid van Moolenbroek Create a new key which is an explicit successor to an 226*00b67f09SDavid van Moolenbroek existing key. The name, algorithm, size, and type of the 227*00b67f09SDavid van Moolenbroek key will be set to match the existing key. The activation 228*00b67f09SDavid van Moolenbroek date of the new key will be set to the inactivation date of 229*00b67f09SDavid van Moolenbroek the existing one. The publication date will be set to the 230*00b67f09SDavid van Moolenbroek activation date minus the prepublication interval, which 231*00b67f09SDavid van Moolenbroek defaults to 30 days. 232*00b67f09SDavid van Moolenbroek </p></dd> 233*00b67f09SDavid van Moolenbroek<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt> 234*00b67f09SDavid van Moolenbroek<dd><p> 235*00b67f09SDavid van Moolenbroek Specifies the strength value of the key. The strength is 236*00b67f09SDavid van Moolenbroek a number between 0 and 15, and currently has no defined 237*00b67f09SDavid van Moolenbroek purpose in DNSSEC. 238*00b67f09SDavid van Moolenbroek </p></dd> 239*00b67f09SDavid van Moolenbroek<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt> 240*00b67f09SDavid van Moolenbroek<dd> 241*00b67f09SDavid van Moolenbroek<p> 242*00b67f09SDavid van Moolenbroek Specifies the resource record type to use for the key. 243*00b67f09SDavid van Moolenbroek <code class="option">rrtype</code> must be either DNSKEY or KEY. The 244*00b67f09SDavid van Moolenbroek default is DNSKEY when using a DNSSEC algorithm, but it can be 245*00b67f09SDavid van Moolenbroek overridden to KEY for use with SIG(0). 246*00b67f09SDavid van Moolenbroek </p> 247*00b67f09SDavid van Moolenbroek<p> 248*00b67f09SDavid van Moolenbroek </p> 249*00b67f09SDavid van Moolenbroek<p> 250*00b67f09SDavid van Moolenbroek Using any TSIG algorithm (HMAC-* or DH) forces this option 251*00b67f09SDavid van Moolenbroek to KEY. 252*00b67f09SDavid van Moolenbroek </p> 253*00b67f09SDavid van Moolenbroek</dd> 254*00b67f09SDavid van Moolenbroek<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt> 255*00b67f09SDavid van Moolenbroek<dd><p> 256*00b67f09SDavid van Moolenbroek Indicates the use of the key. <code class="option">type</code> must be 257*00b67f09SDavid van Moolenbroek one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default 258*00b67f09SDavid van Moolenbroek is AUTHCONF. AUTH refers to the ability to authenticate 259*00b67f09SDavid van Moolenbroek data, and CONF the ability to encrypt data. 260*00b67f09SDavid van Moolenbroek </p></dd> 261*00b67f09SDavid van Moolenbroek<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt> 262*00b67f09SDavid van Moolenbroek<dd><p> 263*00b67f09SDavid van Moolenbroek Sets the debugging level. 264*00b67f09SDavid van Moolenbroek </p></dd> 265*00b67f09SDavid van Moolenbroek<dt><span class="term">-V</span></dt> 266*00b67f09SDavid van Moolenbroek<dd><p> 267*00b67f09SDavid van Moolenbroek Prints version information. 268*00b67f09SDavid van Moolenbroek </p></dd> 269*00b67f09SDavid van Moolenbroek</dl></div> 270*00b67f09SDavid van Moolenbroek</div> 271*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 272*00b67f09SDavid van Moolenbroek<a name="id2544292"></a><h2>TIMING OPTIONS</h2> 273*00b67f09SDavid van Moolenbroek<p> 274*00b67f09SDavid van Moolenbroek Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. 275*00b67f09SDavid van Moolenbroek If the argument begins with a '+' or '-', it is interpreted as 276*00b67f09SDavid van Moolenbroek an offset from the present time. For convenience, if such an offset 277*00b67f09SDavid van Moolenbroek is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', 278*00b67f09SDavid van Moolenbroek then the offset is computed in years (defined as 365 24-hour days, 279*00b67f09SDavid van Moolenbroek ignoring leap years), months (defined as 30 24-hour days), weeks, 280*00b67f09SDavid van Moolenbroek days, hours, or minutes, respectively. Without a suffix, the offset 281*00b67f09SDavid van Moolenbroek is computed in seconds. To explicitly prevent a date from being 282*00b67f09SDavid van Moolenbroek set, use 'none' or 'never'. 283*00b67f09SDavid van Moolenbroek </p> 284*00b67f09SDavid van Moolenbroek<div class="variablelist"><dl> 285*00b67f09SDavid van Moolenbroek<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt> 286*00b67f09SDavid van Moolenbroek<dd><p> 287*00b67f09SDavid van Moolenbroek Sets the date on which a key is to be published to the zone. 288*00b67f09SDavid van Moolenbroek After that date, the key will be included in the zone but will 289*00b67f09SDavid van Moolenbroek not be used to sign it. If not set, and if the -G option has 290*00b67f09SDavid van Moolenbroek not been used, the default is "now". 291*00b67f09SDavid van Moolenbroek </p></dd> 292*00b67f09SDavid van Moolenbroek<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt> 293*00b67f09SDavid van Moolenbroek<dd><p> 294*00b67f09SDavid van Moolenbroek Sets the date on which the key is to be activated. After that 295*00b67f09SDavid van Moolenbroek date, the key will be included in the zone and used to sign 296*00b67f09SDavid van Moolenbroek it. If not set, and if the -G option has not been used, the 297*00b67f09SDavid van Moolenbroek default is "now". If set, if and -P is not set, then 298*00b67f09SDavid van Moolenbroek the publication date will be set to the activation date 299*00b67f09SDavid van Moolenbroek minus the prepublication interval. 300*00b67f09SDavid van Moolenbroek </p></dd> 301*00b67f09SDavid van Moolenbroek<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt> 302*00b67f09SDavid van Moolenbroek<dd><p> 303*00b67f09SDavid van Moolenbroek Sets the date on which the key is to be revoked. After that 304*00b67f09SDavid van Moolenbroek date, the key will be flagged as revoked. It will be included 305*00b67f09SDavid van Moolenbroek in the zone and will be used to sign it. 306*00b67f09SDavid van Moolenbroek </p></dd> 307*00b67f09SDavid van Moolenbroek<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt> 308*00b67f09SDavid van Moolenbroek<dd><p> 309*00b67f09SDavid van Moolenbroek Sets the date on which the key is to be retired. After that 310*00b67f09SDavid van Moolenbroek date, the key will still be included in the zone, but it 311*00b67f09SDavid van Moolenbroek will not be used to sign it. 312*00b67f09SDavid van Moolenbroek </p></dd> 313*00b67f09SDavid van Moolenbroek<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt> 314*00b67f09SDavid van Moolenbroek<dd><p> 315*00b67f09SDavid van Moolenbroek Sets the date on which the key is to be deleted. After that 316*00b67f09SDavid van Moolenbroek date, the key will no longer be included in the zone. (It 317*00b67f09SDavid van Moolenbroek may remain in the key repository, however.) 318*00b67f09SDavid van Moolenbroek </p></dd> 319*00b67f09SDavid van Moolenbroek<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt> 320*00b67f09SDavid van Moolenbroek<dd> 321*00b67f09SDavid van Moolenbroek<p> 322*00b67f09SDavid van Moolenbroek Sets the prepublication interval for a key. If set, then 323*00b67f09SDavid van Moolenbroek the publication and activation dates must be separated by at least 324*00b67f09SDavid van Moolenbroek this much time. If the activation date is specified but the 325*00b67f09SDavid van Moolenbroek publication date isn't, then the publication date will default 326*00b67f09SDavid van Moolenbroek to this much time before the activation date; conversely, if 327*00b67f09SDavid van Moolenbroek the publication date is specified but activation date isn't, 328*00b67f09SDavid van Moolenbroek then activation will be set to this much time after publication. 329*00b67f09SDavid van Moolenbroek </p> 330*00b67f09SDavid van Moolenbroek<p> 331*00b67f09SDavid van Moolenbroek If the key is being created as an explicit successor to another 332*00b67f09SDavid van Moolenbroek key, then the default prepublication interval is 30 days; 333*00b67f09SDavid van Moolenbroek otherwise it is zero. 334*00b67f09SDavid van Moolenbroek </p> 335*00b67f09SDavid van Moolenbroek<p> 336*00b67f09SDavid van Moolenbroek As with date offsets, if the argument is followed by one of 337*00b67f09SDavid van Moolenbroek the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the 338*00b67f09SDavid van Moolenbroek interval is measured in years, months, weeks, days, hours, 339*00b67f09SDavid van Moolenbroek or minutes, respectively. Without a suffix, the interval is 340*00b67f09SDavid van Moolenbroek measured in seconds. 341*00b67f09SDavid van Moolenbroek </p> 342*00b67f09SDavid van Moolenbroek</dd> 343*00b67f09SDavid van Moolenbroek</dl></div> 344*00b67f09SDavid van Moolenbroek</div> 345*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 346*00b67f09SDavid van Moolenbroek<a name="id2544413"></a><h2>GENERATED KEYS</h2> 347*00b67f09SDavid van Moolenbroek<p> 348*00b67f09SDavid van Moolenbroek When <span><strong class="command">dnssec-keygen</strong></span> completes 349*00b67f09SDavid van Moolenbroek successfully, 350*00b67f09SDavid van Moolenbroek it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code> 351*00b67f09SDavid van Moolenbroek to the standard output. This is an identification string for 352*00b67f09SDavid van Moolenbroek the key it has generated. 353*00b67f09SDavid van Moolenbroek </p> 354*00b67f09SDavid van Moolenbroek<div class="itemizedlist"><ul type="disc"> 355*00b67f09SDavid van Moolenbroek<li><p><code class="filename">nnnn</code> is the key name. 356*00b67f09SDavid van Moolenbroek </p></li> 357*00b67f09SDavid van Moolenbroek<li><p><code class="filename">aaa</code> is the numeric representation 358*00b67f09SDavid van Moolenbroek of the 359*00b67f09SDavid van Moolenbroek algorithm. 360*00b67f09SDavid van Moolenbroek </p></li> 361*00b67f09SDavid van Moolenbroek<li><p><code class="filename">iiiii</code> is the key identifier (or 362*00b67f09SDavid van Moolenbroek footprint). 363*00b67f09SDavid van Moolenbroek </p></li> 364*00b67f09SDavid van Moolenbroek</ul></div> 365*00b67f09SDavid van Moolenbroek<p><span><strong class="command">dnssec-keygen</strong></span> 366*00b67f09SDavid van Moolenbroek creates two files, with names based 367*00b67f09SDavid van Moolenbroek on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code> 368*00b67f09SDavid van Moolenbroek contains the public key, and 369*00b67f09SDavid van Moolenbroek <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the 370*00b67f09SDavid van Moolenbroek private 371*00b67f09SDavid van Moolenbroek key. 372*00b67f09SDavid van Moolenbroek </p> 373*00b67f09SDavid van Moolenbroek<p> 374*00b67f09SDavid van Moolenbroek The <code class="filename">.key</code> file contains a DNS KEY record 375*00b67f09SDavid van Moolenbroek that 376*00b67f09SDavid van Moolenbroek can be inserted into a zone file (directly or with a $INCLUDE 377*00b67f09SDavid van Moolenbroek statement). 378*00b67f09SDavid van Moolenbroek </p> 379*00b67f09SDavid van Moolenbroek<p> 380*00b67f09SDavid van Moolenbroek The <code class="filename">.private</code> file contains 381*00b67f09SDavid van Moolenbroek algorithm-specific 382*00b67f09SDavid van Moolenbroek fields. For obvious security reasons, this file does not have 383*00b67f09SDavid van Moolenbroek general read permission. 384*00b67f09SDavid van Moolenbroek </p> 385*00b67f09SDavid van Moolenbroek<p> 386*00b67f09SDavid van Moolenbroek Both <code class="filename">.key</code> and <code class="filename">.private</code> 387*00b67f09SDavid van Moolenbroek files are generated for symmetric encryption algorithms such as 388*00b67f09SDavid van Moolenbroek HMAC-MD5, even though the public and private key are equivalent. 389*00b67f09SDavid van Moolenbroek </p> 390*00b67f09SDavid van Moolenbroek</div> 391*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 392*00b67f09SDavid van Moolenbroek<a name="id2544496"></a><h2>EXAMPLE</h2> 393*00b67f09SDavid van Moolenbroek<p> 394*00b67f09SDavid van Moolenbroek To generate a 768-bit DSA key for the domain 395*00b67f09SDavid van Moolenbroek <strong class="userinput"><code>example.com</code></strong>, the following command would be 396*00b67f09SDavid van Moolenbroek issued: 397*00b67f09SDavid van Moolenbroek </p> 398*00b67f09SDavid van Moolenbroek<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong> 399*00b67f09SDavid van Moolenbroek </p> 400*00b67f09SDavid van Moolenbroek<p> 401*00b67f09SDavid van Moolenbroek The command would print a string of the form: 402*00b67f09SDavid van Moolenbroek </p> 403*00b67f09SDavid van Moolenbroek<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong> 404*00b67f09SDavid van Moolenbroek </p> 405*00b67f09SDavid van Moolenbroek<p> 406*00b67f09SDavid van Moolenbroek In this example, <span><strong class="command">dnssec-keygen</strong></span> creates 407*00b67f09SDavid van Moolenbroek the files <code class="filename">Kexample.com.+003+26160.key</code> 408*00b67f09SDavid van Moolenbroek and 409*00b67f09SDavid van Moolenbroek <code class="filename">Kexample.com.+003+26160.private</code>. 410*00b67f09SDavid van Moolenbroek </p> 411*00b67f09SDavid van Moolenbroek</div> 412*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 413*00b67f09SDavid van Moolenbroek<a name="id2544608"></a><h2>SEE ALSO</h2> 414*00b67f09SDavid van Moolenbroek<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>, 415*00b67f09SDavid van Moolenbroek <em class="citetitle">BIND 9 Administrator Reference Manual</em>, 416*00b67f09SDavid van Moolenbroek <em class="citetitle">RFC 2539</em>, 417*00b67f09SDavid van Moolenbroek <em class="citetitle">RFC 2845</em>, 418*00b67f09SDavid van Moolenbroek <em class="citetitle">RFC 4034</em>. 419*00b67f09SDavid van Moolenbroek </p> 420*00b67f09SDavid van Moolenbroek</div> 421*00b67f09SDavid van Moolenbroek<div class="refsect1" lang="en"> 422*00b67f09SDavid van Moolenbroek<a name="id2544638"></a><h2>AUTHOR</h2> 423*00b67f09SDavid van Moolenbroek<p><span class="corpauthor">Internet Systems Consortium</span> 424*00b67f09SDavid van Moolenbroek </p> 425*00b67f09SDavid van Moolenbroek</div> 426*00b67f09SDavid van Moolenbroek</div></body> 427*00b67f09SDavid van Moolenbroek</html> 428