1dnssec-keygen(1M)       System Administration Commands       dnssec-keygen(1M)
2
3
4

NAME

6       dnssec-keygen - DNSSEC key generation tool
7

SYNOPSIS

9       dnssec-keygen -a algorithm -b keysize -n nametype [-ehk]
10            [-c class] [-f flag] [-g generator] [-p protocol]
11            [-r randomdev] [-s strength] [-t type] [-v level] name
12
13

DESCRIPTION

15       The  dnssec-keygen  utility  generates keys for DNSSEC (Secure DNS), as
16       defined in RFC 2535 and RFC 4034. It can also  generate  keys  for  use
17       with TSIG (Transaction Signatures), as defined in RFC 2845.
18

OPTIONS

20       The following options are supported:
21
22       -a algorithm    Select  the cryptographic algorithm. The value of algo‐
23                       rithm must be one of RSAMD5 (RSA) or RSASHA1,  DSA,  DH
24                       (Diffie  Hellman),  or  HMAC-MD5. These values are case
25                       insensitive.
26
27                       For DNSSEC, RSASHA1 is a  mandatory-to-implement  algo‐
28                       rithm  and  DSA  is  recommended. For TSIG, HMAC-MD5 is
29                       mandatory.
30
31                       Note -
32
33                         HMAC-MD5 and DH automatically set the -k flag.
34
35
36       -b keysize      Specify the number of bits in the key.  The  choice  of
37                       key  size  depends  on  the  algorithm used. RSAMD5 and
38                       RSASHA1 keys must be between 512 and 2048 bits.  Diffie
39                       Hellman  keys  must  be  between 128 and 4096 bits. DSA
40                       keys must be between 512 and 1024  bits  and  an  exact
41                       multiple of 64. HMAC-MD5 keys must be between 1 and 512
42                       bits.
43
44
45       -c class        Indicate that the DNS record containing the key  should
46                       have the specified class. If not specified, class IN is
47                       used.
48
49
50       -e              Use a large exponent if generating an RSAMD5 or RSASHA1
51                       key.
52
53
54       -f flag         Set  the  specified  flag  in  the  flag  field  of the
55                       KEY/DNSKEY record. The only recognized flag is KSK (Key
56                       Signing Key) DNSKEY.
57
58
59       -g generator    Use  this generator if generating a Diffie Hellman key.
60                       Allowed values are 2 and 5. If no generator  is  speci‐
61                       fied,  a known prime from RFC 2539 will be used if pos‐
62                       sible; otherwise the default is 2.
63
64
65       -h              Print a short summary of the options and  arguments  to
66                       dnssec-keygen.
67
68
69       -k              Generate KEY records rather than DNSKEY records.
70
71
72       -n nametype     Specify  the  owner type of the key. The value of name‐
73                       type must either be ZONE (for a DNSSEC zone key),  HOST
74                       or  ENTITY  (for a key associated with a user) or OTHER
75                       (DNSKEY). These values are case insensitive.
76
77
78       -p protocol     Set the protocol value for the generated key. The  pro‐
79                       tocol  argument  is  a  number  between  0 and 255. The
80                       default is 3 (DNSSEC) Other possible  values  for  this
81                       argument are listed in RFC 2535 and its successors.
82
83
84       -r randomdev    Specify the source of randomness. By default, /dev/ran‐
85                       dom is used. The randomdev argument specifies the  name
86                       of a character device or file containing random data to
87                       be used instead of the default. The special value "key‐
88                       board" indicates that keyboard input should be used.
89
90
91       -s strength     Specify  the  strength  value  of the key. The strength
92                       argument is a number between 0 and  15,  and  currently
93                       has no defined purpose in DNSSEC.
94
95
96       -t type         Indicate  the use of the key. type must be one of AUTH‐
97                       CONF, NOAUTHCONF, NOAUTH, or  NOCONF.  The  default  is
98                       AUTHCONF.  AUTH  refers  to the ability to authenticate
99                       data, and CONF the ability to encrypt data.
100
101
102       -v level        Set the debugging level.
103
104

GENERATED KEYS

106       When dnssec-keygen completes successfully, it prints a  string  of  the
107       form Knnnn.+aaa+iiiii to the standard output. This is an identification
108       string for the key it has generated.
109
110           o      nnnn is the key name.
111
112           o      aaa is the numeric representation of the algorithm.
113
114           o      iiiii is the key identifier (or footprint).
115
116
117       The dnssec-keygen utility creates two files, with names  based  on  the
118       printed string.
119
120           o      Knnnn.+aaa+iiiii.key contains the public key.
121
122           o      Knnnn.+aaa+iiiii.private contains the private key.
123
124
125       The  .key  file  contains  a DNS KEY record that can be inserted into a
126       zone file (directly or with a $INCLUDE statement).
127
128
129       The .private file contains algorithm specific fields. For obvious secu‐
130       rity reasons, this file does not have general read permission.
131
132
133       Both  .key  and  .private  files are generated for symmetric encryption
134       algorithm such as HMAC-MD5, even though the public and private key  are
135       equivalent.
136

EXAMPLES

138       Example 1 Generate a 768-bit DSA key for the domain example.com.
139
140
141       To generate a 768-bit DSA key for the domain example.com, the following
142       command would be issued:
143
144
145         dnssec-keygen -a DSA -b 768 -n ZONE example.com
146
147
148
149
150       The command would print a string of the form:
151
152
153         Kexample.com.+003+26160
154
155
156
157       Example 2  Create  the  files  Kexample.com.+003+26160.key  and  Kexam‐
158       ple.com.+003+26160.private.
159
160
161       In  the  following  example,  dnssec-keygen  creates  the  files Kexam‐
162       ple.com.+003+26160.key and Kexample.com.+003+26160.private
163
164

ATTRIBUTES

166       See attributes(5) for descriptions of the following attributes:
167
168
169
170
171       ┌─────────────────────────────┬─────────────────────────────┐
172       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
173       ├─────────────────────────────┼─────────────────────────────┤
174       │Availability                 │SUNWbind                     │
175       ├─────────────────────────────┼─────────────────────────────┤
176       │Interface Stability          │Volatile                     │
177       └─────────────────────────────┴─────────────────────────────┘
178

SEE ALSO

180       dnssec-signzone(1M), attributes(5)
181
182
183       RFC 2535, RFC 2845, RFC 2539, RFC 4033, RFC 4034
184
185
186       BIND 9 Administrator Reference Manual
187
188
189
190SunOS 5.11                        24 Dec 2008                dnssec-keygen(1M)
Impressum