<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-keymgr.html" title="dnssec-keymgr">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a></td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"><a accesskey="n" href="man.dnssec-keymgr.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.14.12.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-keygen</strong></span>
      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
      and RFC 4034.  It can also generate keys for use with
      TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
      (Transaction Key) as defined in RFC 2930.
    </p>
<p>
      The <code class="option">name</code> of the key is specified on the command
      line.  For DNSSEC keys, this must match the name of the zone for
      which the key is being generated.
    </p>
</div>
<div class="refsection">
<a name="id-1.14.12.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
	    of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
	    ECDSAP256SHA256 or ECDSAP384SHA384.
	    For TSIG/TKEY, the value must
	    be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
	    HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
	    case insensitive.
	  </p>
<p>
	    If no algorithm is specified, then RSASHA1 will be used by
	    default, unless the <code class="option">-3</code> option is specified,
	    in which case NSEC3RSASHA1 will be used instead.  (If
	    <code class="option">-3</code> is used and an algorithm is specified,
	    that algorithm will be checked for compatibility with NSEC3.)
	  </p>
<p>
	    Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
	    algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
	    mandatory.
	  </p>
<p>
	    Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
	    automatically set the -T KEY option.
	  </p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
	    Specifies the number of bits in the key.  The choice of key
	    size depends on the algorithm used.  RSA keys must be
	    between 512 and 2048 bits.  Diffie Hellman keys must be between
	    128 and 4096 bits.  DSA keys must be between 512 and 1024
	    bits and an exact multiple of 64.  HMAC keys must be
	    between 1 and 512 bits. Elliptic curve algorithms don't need
	    this parameter.
	  </p>
<p>
	    The key size does not need to be specified if using a default
	    algorithm.  The default key size is 1024 bits for zone signing
	    keys (ZSKs) and 2048 bits for key signing keys (KSKs,
	    generated with <code class="option">-f KSK</code>).  However, if an
	    algorithm is explicitly specified with the <code class="option">-a</code>
	    option, then there is no default key size, and the <code class="option">-b</code>
	    option must be used.
	  </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
	    Specifies the owner type of the key.  The value of
	    <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
	    a host (KEY)), USER (for a key associated with a user (KEY)), or
	    OTHER (DNSKEY).  These values are case insensitive.  Defaults to
	    ZONE for DNSKEY generation.
	  </p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
	    If this option is used and no algorithm is explicitly
	    set on the command line, NSEC3RSASHA1 will be used by
	    default. Note that RSASHA256, RSASHA512, ECCGOST,
	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
	    are NSEC3-capable.
	  </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
	    Compatibility mode:  generates an old-style key, without
	    any metadata.  By default, <span class="command"><strong>dnssec-keygen</strong></span>
	    will include the key's creation date in the metadata stored
	    with the private key, and other dates may be set there as well
	    (publication date, activation date, etc).  Keys that include
	    this data may be incompatible with older versions of BIND; the
	    <code class="option">-C</code> option suppresses them.
	  </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
	    Indicates that the DNS record containing the key should have
	    the specified class.  If not specified, class IN is used.
	  </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
	    Specifies the cryptographic hardware to use, when applicable.
	  </p>
<p>
	    When BIND is built with OpenSSL PKCS#11 support, this defaults
	    to the string "pkcs11", which identifies an OpenSSL engine
	    that can drive a cryptographic accelerator or hardware service
	    module.  When BIND is built with native PKCS#11 cryptography
	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
	    provider library specified via "--with-pkcs11".
	  </p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
	    Set the specified flag in the flag field of the KEY/DNSKEY record.
	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
	  </p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
	    Generate a key, but do not publish it or sign with it.  This
	    option is incompatible with -P and -A.
	  </p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
	    If generating a Diffie Hellman key, use this generator.
	    Allowed values are 2 and 5.  If no generator
	    is specified, a known prime from RFC 2539 will be used
	    if possible; otherwise the default is 2.
	  </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
	    Prints a short summary of the options and arguments to
	    <span class="command"><strong>dnssec-keygen</strong></span>.
	  </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
	    Sets the directory in which the key files are to be written.
	  </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
	    Deprecated in favor of -T KEY.
	  </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
	    Sets the default TTL to use for this key when it is converted
	    into a DNSKEY RR.  If the key is imported into a zone,
	    this is the TTL that will be used for it, unless there was
	    already a DNSKEY RRset in place, in which case the existing TTL
	    would take precedence.  If this value is not set and there
	    is no existing DNSKEY RRset, the TTL will default to the
	    SOA TTL. Setting the default TTL to <code class="literal">0</code>
	    or <code class="literal">none</code> is the same as leaving it unset.
	  </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
	    Sets the protocol value for the generated key.  The protocol
	    is a number between 0 and 255.  The default is 3 (DNSSEC).
	    Other possible values for this argument are listed in
	    RFC 2535 and its successors.
	  </p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
	    Quiet mode: Suppresses unnecessary output, including
	    progress indication.  Without this option, when
	    <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
	    to generate an RSA or DSA key pair, it will print a string
	    of symbols to <code class="filename">stderr</code> indicating the
	    progress of the key generation.  A '.' indicates that a
	    random number has been found which passed an initial
	    sieve test; '+' means a number has passed a single
	    round of the Miller-Rabin primality test; a space
	    means that the number has passed all the tests and is
	    a satisfactory key.
	  </p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
	    Specifies the source of randomness.  If the operating
	    system does not provide a <code class="filename">/dev/random</code>
	    or equivalent device, the default source of randomness
	    is keyboard input.  <code class="filename">randomdev</code>
	    specifies
	    the name of a character device or file containing random
	    data to be used instead of the default.  The special value
	    <code class="filename">keyboard</code> indicates that keyboard
	    input should be used.
	  </p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
	    Create a new key which is an explicit successor to an
	    existing key.  The name, algorithm, size, and type of the
	    key will be set to match the existing key.  The activation
	    date of the new key will be set to the inactivation date of
	    the existing one.  The publication date will be set to the
	    activation date minus the prepublication interval, which
	    defaults to 30 days.
	  </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
	    Specifies the strength value of the key.  The strength is
	    a number between 0 and 15, and currently has no defined
	    purpose in DNSSEC.
	  </p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
	    Specifies the resource record type to use for the key.
	    <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
	    default is DNSKEY when using a DNSSEC algorithm, but it can be
	    overridden to KEY for use with SIG(0).
	  </p>
<p>
	    Using any TSIG algorithm (HMAC-* or DH) forces this option
	    to KEY.
	  </p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
	    Indicates the use of the key.  <code class="option">type</code> must be
	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
	    is AUTHCONF.  AUTH refers to the ability to authenticate
	    data, and CONF the ability to encrypt data.
	  </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
	    Sets the debugging level.
	  </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
	    Prints version information.
	  </p></dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.14.12.9"></a><h2>TIMING OPTIONS</h2>
<p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time.  For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively.  Without a suffix, the offset
      is computed in seconds.  To explicitly prevent a date from being
      set, use 'none' or 'never'.
    </p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
	    Sets the date on which a key is to be published to the zone.
	    After that date, the key will be included in the zone but will
	    not be used to sign it.  If not set, and if the -G option has
	    not been used, the default is "now".
	  </p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
	    Sets the date on which CDS and CDNSKEY records that match this
	    key are to be published to the zone.
	  </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
	    Sets the date on which the key is to be activated.  After that
	    date, the key will be included in the zone and used to sign
	    it.  If not set, and if the -G option has not been used, the
	    default is "now".  If set, and if -P is not set, then
	    the publication date will be set to the activation date
	    minus the prepublication interval.
	  </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
	    Sets the date on which the key is to be revoked.  After that
	    date, the key will be flagged as revoked.  It will be included
	    in the zone and will be used to sign it.
	  </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
	    Sets the date on which the key is to be retired.  After that
	    date, the key will still be included in the zone, but it
	    will not be used to sign it.
	  </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
	    Sets the date on which the key is to be deleted.  After that
	    date, the key will no longer be included in the zone.  (It
	    may remain in the key repository, however.)
	  </p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
	    Sets the date on which the CDS and CDNSKEY records that match this
	    key are to be deleted.
	  </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
            Sets the prepublication interval for a key.  If set, then
            the publication and activation dates must be separated by at least
            this much time.  If the activation date is specified but the
            publication date isn't, then the publication date will default
            to this much time before the activation date; conversely, if
            the publication date is specified but activation date isn't,
            then activation will be set to this much time after publication.
          </p>
<p>
            If the key is being created as an explicit successor to another
            key, then the default prepublication interval is 30 days;
            otherwise it is zero.
          </p>
<p>
            As with date offsets, if the argument is followed by one of
            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
            interval is measured in years, months, weeks, days, hours,
            or minutes, respectively.  Without a suffix, the interval is
            measured in seconds.
          </p>
</dd>
</dl></div>
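<p>The following Python is an added worked example for this manual page, not code from BIND: it implements the date/offset grammar given above (YYYYMMDD, YYYYMMDDHHMMSS, signed offsets with the y/mo/w/d/h/mi suffixes, and none/never) and then resolves publication and activation dates the way the <code class="option">-P</code>, <code class="option">-A</code>, <code class="option">-i</code>, <code class="option">-S</code> and <code class="option">-G</code> descriptions fit together. The function names are the example's own, and absolute dates are treated as UTC, which is an assumption the page does not state.</p>

```python
"""Timing-option arithmetic for dnssec-keygen-style date/offset arguments.

Added illustration for this manual page, not code from BIND: the function
names are the example's own, and calendar dates (YYYYMMDD, YYYYMMDDHHMMSS)
are treated as UTC, an assumption the page does not state."""
import re
from datetime import datetime, timedelta, timezone

# Offset suffixes from the TIMING OPTIONS text, in seconds.  'y' is 365
# 24-hour days and 'mo' is 30 24-hour days, exactly as the page defines them.
SUFFIX_SECONDS = {
    "y": 365 * 86400,
    "mo": 30 * 86400,
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
    "": 1,          # no suffix: plain seconds
}
_OFFSET_RE = re.compile(r"^([+-])(\d+)(y|mo|w|d|h|mi)?$")
_INTERVAL_RE = re.compile(r"^(\d+)(y|mo|w|d|h|mi)?$")


def parse_time(arg, now):
    """Resolve one date/offset argument against 'now' (an aware datetime).

    Returns None for 'none'/'never' (date explicitly unset), a datetime
    offset from 'now' for '+N[suffix]' or '-N[suffix]', and an absolute UTC
    datetime for YYYYMMDD or YYYYMMDDHHMMSS."""
    if arg.lower() in ("none", "never"):
        return None
    m = _OFFSET_RE.match(arg)
    if m:
        sign, count, suffix = m.groups()
        delta = timedelta(seconds=int(count) * SUFFIX_SECONDS[suffix or ""])
        return now + delta if sign == "+" else now - delta
    for fmt in ("%Y%m%d%H%M%S", "%Y%m%d"):
        try:
            return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised date/offset: {arg!r}")


def parse_interval(arg):
    """Parse a -i argument: a count with an optional y/mo/w/d/h/mi suffix,
    measured in seconds when unsuffixed."""
    m = _INTERVAL_RE.match(arg)
    if not m:
        raise ValueError(f"unrecognised interval: {arg!r}")
    count, suffix = m.groups()
    return timedelta(seconds=int(count) * SUFFIX_SECONDS[suffix or ""])


def schedule(now, publish=None, activate=None, interval=None,
             successor=False, generate_only=False):
    """Derive the (publish, activate) pair from the -P/-A/-i/-S/-G rules.

    'publish' and 'activate' are datetimes or None (option not given);
    'interval' is a timedelta or None (use the -i default: 30 days for a
    -S successor key, otherwise zero)."""
    if interval is None:
        interval = timedelta(days=30) if successor else timedelta(0)
    if generate_only:
        # -G: generate only; the page says it is incompatible with -P and -A.
        if publish is not None or activate is not None:
            raise ValueError("-G cannot be combined with -P or -A")
        return None, None
    if publish is None and activate is None:
        return now, now                 # both default to "now" without -G
    if publish is None:
        publish = activate - interval   # -A given, -P derived from it
    elif activate is None:
        activate = publish + interval   # -P given, -A derived from it
    if publish + interval > activate:
        raise ValueError("publication and activation dates must be at least "
                         "the prepublication interval apart")
    return publish, activate


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    pub, act = schedule(now, activate=parse_time("+60d", now), successor=True)
    print("publish", pub.isoformat(), "activate", act.isoformat())
```

<p>The check at the end of <code>schedule</code> is the one a key-rollover plan depends on: with both dates given explicitly, a gap shorter than the interval is rejected rather than silently accepted, so a key cannot be scheduled to sign before resolvers have had the configured time to learn it.</p>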
</div>
<div class="refsection">
<a name="id-1.14.12.10"></a><h2>GENERATED KEYS</h2>
<p>
      When <span class="command"><strong>dnssec-keygen</strong></span> completes
      successfully,
      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
      to the standard output.  This is an identification string for
      the key it has generated.
    </p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
	</p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
	  of the
	  algorithm.
	</p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
	  footprint).
	</p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
      creates two files, with names based
      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
      contains the public key, and
      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
      private
      key.
    </p>
<p>
      The <code class="filename">.key</code> file contains a DNS KEY record
      that
      can be inserted into a zone file (directly or with a $INCLUDE
      statement).
    </p>
<p>
      The <code class="filename">.private</code> file contains
      algorithm-specific
      fields.  For obvious security reasons, this file does not have
      general read permission.
    </p>
<p>
      Both <code class="filename">.key</code> and <code class="filename">.private</code>
      files are generated for symmetric cryptography algorithms such as
      HMAC-MD5, even though the public and private key are equivalent.
    </p>
</div>
<div class="refsection">
<a name="id-1.14.12.11"></a><h2>EXAMPLE</h2>
<p>
      To generate a 768-bit DSA key for the domain
      <strong class="userinput"><code>example.com</code></strong>, the following command would be
      issued:
    </p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
    </p>
<p>
      The command would print a string of the form:
    </p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
    </p>
<p>
      In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
      the files <code class="filename">Kexample.com.+003+26160.key</code>
      and
      <code class="filename">Kexample.com.+003+26160.private</code>.
    </p>
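<p>
      The naming scheme described above (<code class="filename">Knnnn.+aaa+iiiii</code>,
      the <code class="filename">.key</code> file holding the DNSKEY record and the
      <code class="filename">.private</code> file being unreadable to others) lends itself
      to a small consistency check. The following Python script is an added example and
      is not part of BIND or of this manual page: it parses the printed key name, reads
      the algorithm field back out of the DNSKEY record, and verifies that the
      <code class="filename">.private</code> file has no group or world permission bits.
      The key pair it builds in a temporary directory is constructed for the demonstration
      (the public-key data is a placeholder string, not real key material), reusing the
      name <code class="filename">Kexample.com.+003+26160</code> from the example above.
    </p>

```python
import os
import re
import stat
import tempfile

# Pattern for the name string dnssec-keygen prints: Knnnn.+aaa+iiiii
# (nnnn = absolute owner name, aaa = 3-digit algorithm number, iiiii = 5-digit key id).
KEYNAME_RE = re.compile(r"^K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})$")


def parse_keyname(keyname):
    """Split a printed key name into owner name, algorithm number and key id."""
    m = KEYNAME_RE.match(keyname)
    if m is None:
        raise ValueError("not a dnssec-keygen key name: %r" % keyname)
    return {
        "name": m.group("name"),          # e.g. "example.com." (trailing dot kept)
        "algorithm": int(m.group("alg")),
        "keyid": int(m.group("keyid")),
    }


def dnskey_fields(key_path):
    """Return (owner, flags, protocol, algorithm) from the DNSKEY RR in a .key file."""
    with open(key_path) as f:
        for line in f:
            tok = line.split()
            # Comment lines (starting with ';') precede the record in a .key file.
            if not tok or tok[0].startswith(";") or "DNSKEY" not in tok:
                continue
            idx = tok.index("DNSKEY")
            return tok[0], int(tok[idx + 1]), int(tok[idx + 2]), int(tok[idx + 3])
    raise ValueError("no DNSKEY record in %s" % key_path)


def private_is_restricted(private_path):
    """True when the .private file carries no group/other permission bits at all."""
    mode = os.stat(private_path).st_mode
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_key_pair(directory, keyname):
    """Cross-check the two files a key name refers to; return a list of findings."""
    parsed = parse_keyname(keyname)
    key_path = os.path.join(directory, keyname + ".key")
    priv_path = os.path.join(directory, keyname + ".private")
    findings = []
    if not (os.path.exists(key_path) and os.path.exists(priv_path)):
        findings.append("missing .key or .private file")
        return findings
    owner, flags, protocol, alg = dnskey_fields(key_path)
    if owner != parsed["name"]:
        findings.append("owner %s does not match file name %s" % (owner, parsed["name"]))
    if alg != parsed["algorithm"]:
        findings.append("algorithm %d in record, %d in file name" % (alg, parsed["algorithm"]))
    if protocol != 3:
        findings.append("DNSKEY protocol field is %d, expected 3" % protocol)
    if not private_is_restricted(priv_path):
        findings.append(".private file is readable by group or others")
    return findings


def demo():
    """Build a constructed key pair in a temp dir and run the checks twice.

    Returns (findings with mode 0600, findings with mode 0644).
    """
    keyname = "Kexample.com.+003+26160"     # the name from the manual page's example
    with tempfile.TemporaryDirectory() as d:
        # Constructed .key contents; the base64 blob is a placeholder, not a real key.
        with open(os.path.join(d, keyname + ".key"), "w") as f:
            f.write("; This is a zone-signing key, keyid 26160, for example.com.\n")
            f.write("example.com. IN DNSKEY 256 3 3 PLACEHOLDERPUBLICKEYDATA==\n")
        priv = os.path.join(d, keyname + ".private")
        with open(priv, "w") as f:
            f.write("Private-key-format: v1.3\nAlgorithm: 3 (DSA)\n")   # constructed
        os.chmod(priv, 0o600)
        strict = check_key_pair(d, keyname)       # no findings expected
        os.chmod(priv, 0o644)                     # loosen the mode to trigger a finding
        loose = check_key_pair(d, keyname)
    return strict, loose


if __name__ == "__main__":
    print(parse_keyname("Kexample.com.+003+26160"))
    for label, findings in zip(("0600", "0644"), demo()):
        print(label, findings or "ok")
```

<p>
      Run it against a real key directory by calling
      <code class="filename">check_key_pair(directory, keyname)</code> with the string
      <span class="command"><strong>dnssec-keygen</strong></span> printed; the permission
      check is deliberately stricter than "no general read permission" and also flags
      group-readable files, since a private key shared with a group is rarely intended.
    </p>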
</div>
<div class="refsection">
<a name="id-1.14.12.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 2539</em>,
      <em class="citetitle">RFC 2845</em>,
      <em class="citetitle">RFC 4034</em>.
    </p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a></td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right"><a accesskey="n" href="man.dnssec-keymgr.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-keyfromlabel</span></td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"><span class="application">dnssec-keymgr</span>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0rc3</p>
</body>
</html>