1DNSSEC-KEYGEN(8) BIND9 DNSSEC-KEYGEN(8)
2
6 dnssec-keygen - DNSSEC key generation tool
7
9 dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3]
10 [-A date/offset] [-C] [-c class] [-D date/offset]
11 [-E engine] [-e] [-f flag] [-G] [-g generator] [-h]
12 [-I date/offset] [-i interval] [-K directory] [-k]
13 [-P date/offset] [-p protocol] [-q] [-R date/offset]
14 [-r randomdev] [-S key] [-s strength] [-t type]
15 [-v level] [-z] {name}
16
18 dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC
19 2535 and RFC 4034. It can also generate keys for use with TSIG
20 (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction
21 Key) as defined in RFC 2930.
22 The name of the key is specified on the command line. For DNSSEC keys,
24 this must match the name of the zone for which the key is being
25 generated.
26
28 -a algorithm
29 Selects the cryptographic algorithm. For DNSSEC keys, the value of
30 algorithm must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1,
31 NSEC3DSA, RSASHA256 or RSASHA512. For TSIG/TKEY, the value must be
32 DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256,
33 HMAC-SHA384, or HMAC-SHA512. These values are case insensitive.
34 If no algorithm is specified, then RSASHA1 will be used by default,
36 unless the -3 option is specified, in which case NSEC3RSASHA1 will
37 be used instead. (If -3 is used and an algorithm is specified, that
38 algorithm will be checked for compatibility with NSEC3.)
39 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
41 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
42 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
44 automatically set the -T KEY option.
45 -b keysize
47 Specifies the number of bits in the key. The choice of key size
48 depends on the algorithm used. RSA keys must be between 512 and
49 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits.
50 DSA keys must be between 512 and 1024 bits and an exact multiple of
51 64. HMAC keys must be between 1 and 512 bits.
52 The key size does not need to be specified if using a default
54 algorithm. The default key size is 1024 bits for zone signing keys
55 (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
56 -f KSK). However, if an algorithm is explicitly specified with the
57 -a, then there is no default key size, and the -b must be used.
58 -n nametype
60 Specifies the owner type of the key. The value of nametype must
61 either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
62 (for a key associated with a host (KEY)), USER (for a key
63 associated with a user(KEY)) or OTHER (DNSKEY). These values are
64 case insensitive. Defaults to ZONE for DNSKEY generation.
65 -3
67 Use an NSEC3-capable algorithm to generate a DNSSEC key. If this
68 option is used and no algorithm is explicitly set on the command
69 line, NSEC3RSASHA1 will be used by default. Note that RSASHA256 and
70 RSASHA512 algorithms are NSEC3-capable.
71 -C
73 Compatibility mode: generates an old-style key, without any
74 metadata. By default, dnssec-keygen will include the key's creation
75 date in the metadata stored with the private key, and other dates
76 may be set there as well (publication date, activation date, etc).
77 Keys that include this data may be incompatible with older versions
78 of BIND; the -C option suppresses them.
79 -c class
81 Indicates that the DNS record containing the key should have the
82 specified class. If not specified, class IN is used.
83 -E engine
85 Uses a crypto hardware (OpenSSL engine) for random number and, when
86 supported, key generation. When compiled with PKCS#11 support it
87 defaults to pkcs11; the empty name resets it to no engine.
88 -e
90 If generating an RSAMD5/RSASHA1 key, use a large exponent.
91 -f flag
93 Set the specified flag in the flag field of the KEY/DNSKEY record.
94 The only recognized flags are KSK (Key Signing Key) and REVOKE.
95 -G
97 Generate a key, but do not publish it or sign with it. This option
98 is incompatible with -P and -A.
99 -g generator
101 If generating a Diffie Hellman key, use this generator. Allowed
102 values are 2 and 5. If no generator is specified, a known prime
103 from RFC 2539 will be used if possible; otherwise the default is 2.
104 -h
106 Prints a short summary of the options and arguments to
107 dnssec-keygen.
108 -K directory
110 Sets the directory in which the key files are to be written.
111 -k
113 Deprecated in favor of -T KEY.
114 -p protocol
116 Sets the protocol value for the generated key. The protocol is a
117 number between 0 and 255. The default is 3 (DNSSEC). Other possible
118 values for this argument are listed in RFC 2535 and its successors.
119 -q
121 Quiet mode: Suppresses unnecessary output, including progress
122 indication. Without this option, when dnssec-keygen is run
123 interactively to generate an RSA or DSA key pair, it will print a
124 string of symbols to stderr indicating the progress of the key
125 generation. A '.' indicates that a random number has been found
126 which passed an initial sieve test; '+' means a number has passed a
127 single round of the Miller-Rabin primality test; a space means that
128 the number has passed all the tests and is a satisfactory key.
129 -r randomdev
131 Specifies the source of randomness. If the operating system does
132 not provide a /dev/random or equivalent device, the default source
133 of randomness is keyboard input. randomdev specifies the name of a
134 character device or file containing random data to be used instead
135 of the default. The special value keyboard indicates that keyboard
136 input should be used.
137 -S key
139 Create a new key which is an explicit successor to an existing key.
140 The name, algorithm, size, and type of the key will be set to match
141 the existing key. The activation date of the new key will be set to
142 the inactivation date of the existing one. The publication date
143 will be set to the activation date minus the prepublication
144 interval, which defaults to 30 days.
145 -s strength
147 Specifies the strength value of the key. The strength is a number
148 between 0 and 15, and currently has no defined purpose in DNSSEC.
149 -T rrtype
151 Specifies the resource record type to use for the key. rrtype must
152 be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC
153 algorithm, but it can be overridden to KEY for use with SIG(0).
154 Using any TSIG algorithm (HMAC-* or DH) forces this option to KEY.
155 -t type
157 Indicates the use of the key. type must be one of AUTHCONF,
158 NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
159 to the ability to authenticate data, and CONF the ability to
160 encrypt data.
161 -v level
163 Sets the debugging level.
164
166 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
167 argument begins with a '+' or '-', it is interpreted as an offset from
168 the present time. For convenience, if such an offset is followed by one
169 of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is
170 computed in years (defined as 365 24-hour days, ignoring leap years),
171 months (defined as 30 24-hour days), weeks, days, hours, or minutes,
172 respectively. Without a suffix, the offset is computed in seconds.
173 -P date/offset
175 Sets the date on which a key is to be published to the zone. After
176 that date, the key will be included in the zone but will not be
177 used to sign it. If not set, and if the -G option has not been
178 used, the default is "now".
179 -A date/offset
181 Sets the date on which the key is to be activated. After that date,
182 the key will be included in the zone and used to sign it. If not
183 set, and if the -G option has not been used, the default is "now".
184 -R date/offset
186 Sets the date on which the key is to be revoked. After that date,
187 the key will be flagged as revoked. It will be included in the zone
188 and will be used to sign it.
189 -I date/offset
191 Sets the date on which the key is to be retired. After that date,
192 the key will still be included in the zone, but it will not be used
193 to sign it.
194 -D date/offset
196 Sets the date on which the key is to be deleted. After that date,
197 the key will no longer be included in the zone. (It may remain in
198 the key repository, however.)
199 -i interval
201 Sets the prepublication interval for a key. If set, then the
202 publication and activation dates must be separated by at least this
203 much time. If the activation date is specified but the publication
204 date isn't, then the publication date will default to this much
205 time before the activation date; conversely, if the publication
206 date is specified but activation date isn't, then activation will
207 be set to this much time after publication.
208 If the key is being created as an explicit successor to another
210 key, then the default prepublication interval is 30 days; otherwise
211 it is zero.
212 As with date offsets, if the argument is followed by one of the
214 suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is
215 measured in years, months, weeks, days, hours, or minutes,
216 respectively. Without a suffix, the interval is measured in
217 seconds.
218
220 When dnssec-keygen completes successfully, it prints a string of the
221 form Knnnn.+aaa+iiiii to the standard output. This is an identification
222 string for the key it has generated.
223 · nnnn is the key name.
225 · aaa is the numeric representation of the algorithm.
227 · iiiii is the key identifier (or footprint).
229 dnssec-keygen creates two files, with names based on the printed
231 string. Knnnn.+aaa+iiiii.key contains the public key, and
232 Knnnn.+aaa+iiiii.private contains the private key.
233 The .key file contains a DNS KEY record that can be inserted into a
235 zone file (directly or with a $INCLUDE statement).
236 The .private file contains algorithm-specific fields. For obvious
238 security reasons, this file does not have general read permission.
239 Both .key and .private files are generated for symmetric encryption
241 algorithms such as HMAC-MD5, even though the public and private key are
242 equivalent.
243
245 To generate a 768-bit DSA key for the domain example.com, the following
246 command would be issued:
247 dnssec-keygen -a DSA -b 768 -n ZONE example.com
249 The command would print a string of the form:
251 Kexample.com.+003+26160
253 In this example, dnssec-keygen creates the files
255 Kexample.com.+003+26160.key and Kexample.com.+003+26160.private.
256
258 dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539,
259 RFC 2845, RFC 4034.
260
262 Internet Systems Consortium
263
265 Copyright © 2004, 2005, 2007-2010 Internet Systems Consortium, Inc.
266 ("ISC")
267 Copyright © 2000-2003 Internet Software Consortium.
268BIND9 June 30, 2000 DNSSEC-KEYGEN(8)