<!--
 - Copyright (C) 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - 
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - 
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keygen</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code>  [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em 
class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-keygen</strong></span>
      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
      and RFC 4034.  It can also generate keys for use with
      TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
      (Transaction Key) as defined in RFC 2930.
    </p>
<p>
      The <code class="option">name</code> of the key is specified on the command
      line.  For DNSSEC keys, this must match the name of the zone for
      which the key is being generated.
    </p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
            Selects the cryptographic algorithm.  For DNSSEC keys, the value
            of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
	    DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
	    ECDSAP256SHA256 or ECDSAP384SHA384.
	    For TSIG/TKEY, the value must
            be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
            HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512.  These values are
            case insensitive.
          </p>
<p>
            If no algorithm is specified, then RSASHA1 will be used by
            default, unless the <code class="option">-3</code> option is specified,
            in which case NSEC3RSASHA1 will be used instead.  (If
            <code class="option">-3</code> is used and an algorithm is specified,
            that algorithm will be checked for compatibility with NSEC3.)
          </p>
<p>
            Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
            algorithm, and DSA is recommended.  For TSIG, HMAC-MD5 is
	    mandatory.
          </p>
<p>
            Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
            automatically set the -T KEY option.
          </p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
            Specifies the number of bits in the key.  The choice of key
            size depends on the algorithm used.  RSA keys must be
            between 512 and 2048 bits.  Diffie Hellman keys must be between
            128 and 4096 bits.  DSA keys must be between 512 and 1024
            bits and an exact multiple of 64.  HMAC keys must be
            between 1 and 512 bits. Elliptic curve algorithms don't need
            this parameter.
          </p>
<p>
            The key size does not need to be specified if using a default
            algorithm.  The default key size is 1024 bits for zone signing
            keys (ZSKs) and 2048 bits for key signing keys (KSKs,
            generated with <code class="option">-f KSK</code>).  However, if an
            algorithm is explicitly specified with the <code class="option">-a</code>
            option, then there is no default key size, and the <code class="option">-b</code>
            option must be used.
          </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
            Specifies the owner type of the key.  The value of
            <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
            a host (KEY)), USER (for a key associated with a user (KEY)),
            or OTHER (DNSKEY).
            These values are case insensitive.  Defaults to ZONE for DNSKEY
	    generation.
          </p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
            If this option is used and no algorithm is explicitly
            set on the command line, NSEC3RSASHA1 will be used by
            default. Note that RSASHA256, RSASHA512, ECCGOST,
	    ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
	    are NSEC3-capable.
          </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
	    Compatibility mode:  generates an old-style key, without
	    any metadata.  By default, <span class="command"><strong>dnssec-keygen</strong></span>
	    will include the key's creation date in the metadata stored
	    with the private key, and other dates may be set there as well
	    (publication date, activation date, etc).  Keys that include
	    this data may be incompatible with older versions of BIND; the
	    <code class="option">-C</code> option suppresses them.
          </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
            Indicates that the DNS record containing the key should have
            the specified class.  If not specified, class IN is used.
          </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
            Specifies the cryptographic hardware to use, when applicable.
          </p>
<p>
            When BIND is built with OpenSSL PKCS#11 support, this defaults
            to the string "pkcs11", which identifies an OpenSSL engine
            that can drive a cryptographic accelerator or hardware service
            module.  When BIND is built with native PKCS#11 cryptography
            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
            provider library specified via "--with-pkcs11".
          </p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
            Set the specified flag in the flag field of the KEY/DNSKEY record.
            The only recognized flags are KSK (Key Signing Key) and REVOKE.
          </p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
            Generate a key, but do not publish it or sign with it.  This
            option is incompatible with -P and -A.
          </p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
            If generating a Diffie Hellman key, use this generator.
            Allowed values are 2 and 5.  If no generator
            is specified, a known prime from RFC 2539 will be used
            if possible; otherwise the default is 2.
          </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
            Prints a short summary of the options and arguments to
            <span class="command"><strong>dnssec-keygen</strong></span>.
          </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
            Sets the directory in which the key files are to be written.
          </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
            Deprecated in favor of -T KEY.
          </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
            Sets the default TTL to use for this key when it is converted
            into a DNSKEY RR.  If the key is imported into a zone,
            this is the TTL that will be used for it, unless there was
            already a DNSKEY RRset in place, in which case the existing TTL
            would take precedence.  If this value is not set and there
            is no existing DNSKEY RRset, the TTL will default to the
            SOA TTL. Setting the default TTL to <code class="literal">0</code>
            or <code class="literal">none</code> is the same as leaving it unset.
          </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
            Sets the protocol value for the generated key.  The protocol
            is a number between 0 and 255.  The default is 3 (DNSSEC).
            Other possible values for this argument are listed in
            RFC 2535 and its successors.
          </p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
            Quiet mode: Suppresses unnecessary output, including
            progress indication.  Without this option, when
            <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
            to generate an RSA or DSA key pair, it will print a string
            of symbols to <code class="filename">stderr</code> indicating the
            progress of the key generation.  A '.' indicates that a
            random number has been found which passed an initial
            sieve test; '+' means a number has passed a single
            round of the Miller-Rabin primality test; a space
            means that the number has passed all the tests and is
            a satisfactory key.
          </p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
            Specifies the source of randomness.  If the operating
            system does not provide a <code class="filename">/dev/random</code>
            or equivalent device, the default source of randomness
            is keyboard input.  <code class="filename">randomdev</code>
            specifies
            the name of a character device or file containing random
            data to be used instead of the default.  The special value
            <code class="filename">keyboard</code> indicates that keyboard
            input should be used.
          </p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
            Create a new key which is an explicit successor to an
            existing key.  The name, algorithm, size, and type of the
            key will be set to match the existing key.  The activation
            date of the new key will be set to the inactivation date of
            the existing one.  The publication date will be set to the
            activation date minus the prepublication interval, which
            defaults to 30 days.
          </p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
            Specifies the strength value of the key.  The strength is
            a number between 0 and 15, and currently has no defined
            purpose in DNSSEC.
          </p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
            Specifies the resource record type to use for the key.
            <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
            default is DNSKEY when using a DNSSEC algorithm, but it can be
            overridden to KEY for use with SIG(0).
          </p>
<p>
          </p>
<p>
            Using any TSIG algorithm (HMAC-* or DH) forces this option
            to KEY.
          </p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
            Indicates the use of the key.  <code class="option">type</code> must be
            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
            is AUTHCONF.  AUTH refers to the ability to authenticate
            data, and CONF the ability to encrypt data.
          </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
            Sets the debugging level.
          </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
	    Prints version information.
	  </p></dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time.  For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively.  Without a suffix, the offset
      is computed in seconds.  To explicitly prevent a date from being
      set, use 'none' or 'never'.
    </p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which a key is to be published to the zone.
            After that date, the key will be included in the zone but will
            not be used to sign it.  If not set, and if the -G option has
            not been used, the default is "now".
          </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be activated.  After that
            date, the key will be included in the zone and used to sign
            it.  If not set, and if the -G option has not been used, the
            default is "now".  If -A is set and -P is not, then
            the publication date will be set to the activation date
            minus the prepublication interval.
          </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be revoked.  After that
            date, the key will be flagged as revoked.  It will be included
            in the zone and will be used to sign it.
          </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be retired.  After that
            date, the key will still be included in the zone, but it
            will not be used to sign it.
          </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be deleted.  After that
            date, the key will no longer be included in the zone.  (It
            may remain in the key repository, however.)
          </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
            Sets the prepublication interval for a key.  If set, then
            the publication and activation dates must be separated by at least
            this much time.  If the activation date is specified but the
            publication date isn't, then the publication date will default
            to this much time before the activation date; conversely, if
            the publication date is specified but activation date isn't,
            then activation will be set to this much time after publication.
          </p>
<p>
            If the key is being created as an explicit successor to another
            key, then the default prepublication interval is 30 days;
            otherwise it is zero.
          </p>
<p>
            As with date offsets, if the argument is followed by one of
            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
            interval is measured in years, months, weeks, days, hours,
            or minutes, respectively.  Without a suffix, the interval is
            measured in seconds.
          </p>
</dd>
</dl></div>
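<p>The date/offset grammar above and the defaulting rules for -P, -A, -i, -S and -G, worked through as an added Python example (not code from this manual or from BIND); the function names and the constructed "present time" <code>SAMPLE_NOW</code> are assumptions made for illustration:</p>

```python
"""Added example, not part of the dnssec-keygen manual or of BIND's code.

Models the date/offset grammar from TIMING OPTIONS and the default
publication/activation rules the manual gives for -P, -A, -i, -S and -G.
Function names and SAMPLE_NOW are constructed for this example.
"""
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Offset suffixes as the manual defines them: a year is 365 24-hour days,
# a month is 30 24-hour days, and no suffix means seconds.
_UNIT_SECONDS = {
    "y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
    "d": 86400, "h": 3600, "mi": 60, "": 1,
}

# Constructed "present time" used by the demo and tests.
SAMPLE_NOW = datetime(2015, 6, 1, 12, 0, 0)


def parse_interval(text: str) -> int:
    """Return the number of seconds in an interval such as '30d' or '2mo'."""
    t = text.strip().lower()
    digits = len(t) - len(t.lstrip("0123456789"))
    if digits == 0:
        raise ValueError(f"interval must start with a number: {text!r}")
    unit = t[digits:]
    if unit not in _UNIT_SECONDS:
        raise ValueError(f"unknown suffix {unit!r} in {text!r}")
    return int(t[:digits]) * _UNIT_SECONDS[unit]


def parse_date_or_offset(text: str, now: datetime) -> Optional[datetime]:
    """Parse a -P/-A/-R/-I/-D argument; None means the date is never set."""
    t = text.strip().lower()
    if t in ("none", "never"):
        return None
    if t[:1] in ("+", "-"):
        # Relative to the present time, with the sign applied.
        delta = timedelta(seconds=parse_interval(t[1:]))
        return now + delta if t[0] == "+" else now - delta
    if t.isdigit() and len(t) == 8:
        return datetime.strptime(t, "%Y%m%d")
    if t.isdigit() and len(t) == 14:
        return datetime.strptime(t, "%Y%m%d%H%M%S")
    raise ValueError(f"expected YYYYMMDD, YYYYMMDDHHMMSS or +/-offset: {text!r}")


def schedule(now: datetime,
             publish: Optional[str] = None,
             activate: Optional[str] = None,
             interval: Optional[str] = None,
             successor_inactive: Optional[datetime] = None,
             generate_only: bool = False
             ) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Derive (publication, activation) from the -P, -A, -i, -S and -G rules.
    successor_inactive stands for the inactivation date of the key named
    by -S; generate_only models -G."""
    # -i: explicit prepublication interval; otherwise 30 days for a -S
    # successor key and zero for everything else.
    if interval is not None:
        prepub = timedelta(seconds=parse_interval(interval))
    elif successor_inactive is not None:
        prepub = timedelta(days=30)
    else:
        prepub = timedelta(0)

    if successor_inactive is not None:
        # -S: activate when the predecessor becomes inactive, publish the
        # prepublication interval before that.
        return successor_inactive - prepub, successor_inactive

    if generate_only:
        # -G: generate only, never publish or sign; incompatible with -P/-A.
        if publish is not None or activate is not None:
            raise ValueError("-G is incompatible with -P and -A")
        return None, None

    pub = parse_date_or_offset(publish, now) if publish is not None else None
    act = parse_date_or_offset(activate, now) if activate is not None else None

    if activate is not None and publish is None and act is not None:
        # -A without -P: publication = activation minus the interval.
        pub = act - prepub
    elif publish is not None and activate is None and pub is not None:
        # -P without -A: activation = publication plus the interval.
        act = pub + prepub
    else:
        # Whatever was not given (and not explicitly 'none') defaults to now.
        if publish is None:
            pub = now
        if activate is None:
            act = now

    # -i also requires the two dates to be at least the interval apart.
    if (interval is not None and pub is not None and act is not None
            and act - pub < prepub):
        raise ValueError(f"publication and activation must be at least "
                         f"{interval} apart")
    return pub, act
```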
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>GENERATED KEYS</h2>
<p>
      When <span class="command"><strong>dnssec-keygen</strong></span> completes
      successfully,
      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
      to the standard output.  This is an identification string for
      the key it has generated.
    </p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
        </p></li>
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
          of the
          algorithm.
        </p></li>
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
          footprint).
        </p></li>
</ul></div>
<p><span class="command"><strong>dnssec-keygen</strong></span>
      creates two files, with names based
      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
      contains the public key, and
      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
      private
      key.
    </p>
<p>
      The <code class="filename">.key</code> file contains a DNS KEY record
      that
      can be inserted into a zone file (directly or with a $INCLUDE
      statement).
    </p>
<p>
      The <code class="filename">.private</code> file contains
      algorithm-specific
      fields.  For obvious security reasons, this file does not have
      general read permission.
    </p>
<p>
      Both <code class="filename">.key</code> and <code class="filename">.private</code>
      files are generated for symmetric encryption algorithms such as
      HMAC-MD5, even though the public and private key are equivalent.
    </p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>EXAMPLE</h2>
<p>
      To generate a 768-bit DSA key for the domain
      <strong class="userinput"><code>example.com</code></strong>, the following command would be
      issued:
    </p>
<p><strong class="userinput"><code>dnssec-keygen -a DSA -b 768 -n ZONE example.com</code></strong>
    </p>
<p>
      The command would print a string of the form:
    </p>
<p><strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
    </p>
<p>
      In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
      the files <code class="filename">Kexample.com.+003+26160.key</code>
      and
      <code class="filename">Kexample.com.+003+26160.private</code>.
    </p>
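<p>As an added Python example (not code from this manual or from BIND), a checker that ties the GENERATED KEYS naming scheme to the EXAMPLE above: it recomputes the key identifier from the DNSKEY record inside a <code>.key</code> file, using the key tag algorithm of RFC 4034 Appendix B, and compares owner name, algorithm number and tag with the <code>Knnnn.+aaa+iiiii</code> file name. The sample record and its four-byte "public key" are constructed placeholders, not a real key:</p>

```python
"""Added example, not part of the dnssec-keygen manual or of BIND's code.

Checks that a Knnnn.+aaa+iiiii.key file name agrees with the DNSKEY record
inside it: owner name, algorithm number and key identifier (key tag), the
last recomputed with the algorithm of RFC 4034 Appendix B.  The sample
record below is constructed; its public-key bytes are placeholders.
"""
import base64
import re
from typing import List, Tuple

# Knnnn.+aaa+iiiii plus the .key or .private suffix; nnnn keeps its
# trailing dot, as in the manual's Kexample.com.+003+26160.key.
_KEYFILE_RE = re.compile(
    r"^K(?P<name>[^+]+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})\.(?:key|private)$")


def parse_key_filename(fname: str) -> Tuple[str, int, int]:
    """Split a key file name into (owner name, algorithm number, key tag)."""
    m = _KEYFILE_RE.match(fname)
    if m is None:
        raise ValueError(f"not a dnssec-keygen file name: {fname!r}")
    return m["name"], int(m["alg"]), int(m["tag"])


def parse_dnskey_line(line: str) -> Tuple[str, int, int, int, bytes]:
    """Parse one DNSKEY/KEY RR in presentation format (TTL and class
    optional) into (owner, flags, protocol, algorithm, public key bytes)."""
    fields = line.split(";", 1)[0].split()  # drop any trailing comment
    for i, tok in enumerate(fields):
        if tok.upper() in ("DNSKEY", "KEY"):
            break
    else:
        raise ValueError("no DNSKEY/KEY record on this line")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return fields[0], flags, proto, alg, pubkey


def key_tag(flags: int, proto: int, alg: int, pubkey: bytes) -> int:
    """Key tag per RFC 4034 Appendix B, computed over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    if alg == 1:
        # RSAMD5 (B.1): the 4th- and 3rd-to-last bytes of the modulus.
        return int.from_bytes(rdata[-3:-1], "big")
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check_key_file(fname: str, contents: str) -> List[str]:
    """Return the mismatches between a .key file's name and its record;
    an empty list means name, algorithm and key tag all agree."""
    name, alg, tag = parse_key_filename(fname)
    records = [l for l in contents.splitlines()
               if l.strip() and not l.lstrip().startswith(";")]
    if len(records) != 1:
        raise ValueError(f"expected exactly one record, found {len(records)}")
    owner, flags, proto, ralg, pubkey = parse_dnskey_line(records[0])
    problems = []
    if owner.lower() != name.lower():
        problems.append(f"owner {owner} does not match file name {name}")
    if ralg != alg:
        problems.append(f"algorithm {ralg} in record, {alg} in file name")
    computed = key_tag(flags, proto, ralg, pubkey)
    if computed != tag:
        problems.append(f"key tag {computed} computed, {tag} in file name")
    return problems


# Constructed sample: a DSA (algorithm 3) zone key whose 4-byte "public
# key" is a placeholder, so its RFC 4034 key tag works out to 2057.
SAMPLE_KEY_FILE = """\
; This is a zone-signing key, keyid 2057, for example.com. (constructed)
example.com. IN DNSKEY 256 3 3 AQIDBA==
"""

if __name__ == "__main__":
    print(check_key_file("Kexample.com.+003+02057.key", SAMPLE_KEY_FILE))
    print(check_key_file("Kexample.com.+003+26160.key", SAMPLE_KEY_FILE))
```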
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 2539</em>,
      <em class="citetitle">RFC 2845</em>,
      <em class="citetitle">RFC 4034</em>.
    </p>
</div>
</div></body>
</html>