dnssec-keygen.8 14.7 KB
.\" Copyright (C) 2000-2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\" 
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\"     Title: dnssec-keygen
.\"    Author: 
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\"      Date: August 21, 2015
.\"    Manual: BIND9
.\"    Source: ISC
.\"  Language: English
.\"
.TH "DNSSEC\-KEYGEN" "8" "August 21, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034\&. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930\&.
.PP
The
\fBname\fR
of the key is specified on the command line\&. For DNSSEC keys, this must match the name of the zone for which the key is being generated\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 or ECDSAP384SHA384\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
.sp
Note 1: for DNSSEC, RSASHA1 is a mandatory\-to\-implement algorithm, and DSA is recommended\&. For TSIG, HMAC\-MD5 is mandatory\&.
.sp
Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option\&.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
The key size does not need to be specified if using a default algorithm\&. The default key size is 1024 bits for zone signing keys (ZSKs) and 2048 bits for key signing keys (KSKs, generated with
\fB\-f KSK\fR)\&. However, if an algorithm is explicitly specified with the
\fB\-a\fR, then there is no default key size, and the
\fB\-b\fR
must be used\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user (KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256 and ECDSAP384SHA384 algorithms are NSEC3\-capable\&.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata\&. By default,
\fBdnssec\-keygen\fR
will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
option suppresses them\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use, when applicable\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.PP
\-f \fIflag\fR
.RS 4
Set the specified flag in the flag field of the KEY/DNSKEY record\&. The only recognized flags are KSK (Key Signing Key) and REVOKE\&.
.RE
.PP
\-G
.RS 4
Generate a key, but do not publish it or sign with it\&. This option is incompatible with \-P and \-A\&.
.RE
.PP
\-g \fIgenerator\fR
.RS 4
If generating a Diffie Hellman key, use this generator\&. Allowed values are 2 and 5\&. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to be written\&.
.RE
.PP
\-k
.RS 4
Deprecated in favor of \-T KEY\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
0
or
none
is the same as leaving it unset\&.
.RE
.PP
\-p \fIprotocol\fR
.RS 4
Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
.RE
.PP
\-q
.RS 4
Quiet mode: Suppresses unnecessary output, including progress indication\&. Without this option, when
\fBdnssec\-keygen\fR
is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
stderr
indicating the progress of the key generation\&. A \*(Aq\&.\*(Aq indicates that a random number has been found which passed an initial sieve test; \*(Aq+\*(Aq means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key\&.
.RE
.PP
\-r \fIrandomdev\fR
.RS 4
Specifies the source of randomness\&. If the operating system does not provide a
/dev/random
or equivalent device, the default source of randomness is keyboard input\&.
randomdev
specifies the name of a character device or file containing random data to be used instead of the default\&. The special value
keyboard
indicates that keyboard input should be used\&.
.RE
.PP
\-S \fIkey\fR
.RS 4
Create a new key which is an explicit successor to an existing key\&. The name, algorithm, size, and type of the key will be set to match the existing key\&. The activation date of the new key will be set to the inactivation date of the existing one\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
.RE
.PP
\-s \fIstrength\fR
.RS 4
Specifies the strength value of the key\&. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC\&.
.RE
.PP
\-T \fIrrtype\fR
.RS 4
Specifies the resource record type to use for the key\&.
\fBrrtype\fR
must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key\&.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. If set, and if \-P is not set, then the publication date will be set to the activation date minus the prepublication interval\&.
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked\&. After that date, the key will be flagged as revoked\&. It will be included in the zone and will be used to sign it\&.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired\&. After that date, the key will still be included in the zone, but it will not be used to sign it\&.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.
.sp
If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero\&.
.sp
As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
.RE
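.PP
The date/offset syntax and the \-P, \-A, \-i, \-S and \-G default rules described above, worked through in Python as an added example (this is not code from BIND or ISC). It assumes absolute dates are UTC and takes the reference time used for offsets as an explicit argument.

```python
import re
from datetime import datetime, timedelta, timezone

# Suffix -> seconds, exactly as the man page defines them: a year is 365
# 24-hour days and a month is 30 24-hour days (leap years are ignored);
# a bare number is seconds.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, "": 1}
OFFSET_RE = re.compile(r"([+-])(\d+)(y|mo|w|d|h|mi)?")
INTERVAL_RE = re.compile(r"(\d+)(y|mo|w|d|h|mi)?")


def parse_interval(arg):
    """Parse a -i argument such as '30d', '2w' or '3600' into seconds."""
    m = INTERVAL_RE.fullmatch(arg)
    if m is None:
        raise ValueError("bad interval: %r" % arg)
    return int(m.group(1)) * UNIT_SECONDS[m.group(2) or ""]


def parse_date(arg, now):
    """Parse one date/offset argument relative to 'now' (an aware datetime).
    Returns None for 'none'/'never', otherwise an aware datetime."""
    if arg.lower() in ("none", "never"):
        return None
    m = OFFSET_RE.fullmatch(arg)
    if m is not None:
        delta = timedelta(seconds=int(m.group(2)) * UNIT_SECONDS[m.group(3) or ""])
        return now + delta if m.group(1) == "+" else now - delta
    # Absolute dates are YYYYMMDD or YYYYMMDDHHMMSS; reading them as UTC is
    # this example's own assumption.
    for fmt in ("%Y%m%d%H%M%S", "%Y%m%d"):
        try:
            return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError("bad date/offset: %r" % arg)


def schedule(now, publish=None, activate=None, interval=None,
             successor=False, generate_only=False):
    """Resolve publication and activation dates the way the options describe.

    publish, activate and interval are the raw -P, -A and -i strings (None
    when the option was not given); successor mirrors -S, generate_only -G.
    Returns (publish, activate); a date is None when it is left unset.
    """
    if generate_only:
        if publish is not None or activate is not None:
            raise ValueError("-G is incompatible with -P and -A")
        return None, None
    # Default prepublication interval: 30 days for an explicit successor, else zero.
    if interval is not None:
        prepub = timedelta(seconds=parse_interval(interval))
    else:
        prepub = timedelta(days=30 if successor else 0)
    pub = parse_date(publish, now) if publish is not None else None
    act = parse_date(activate, now) if activate is not None else None
    if publish is not None and activate is not None:
        # Both given explicitly: they must be at least the interval apart.
        if pub is not None and act is not None and act - pub < prepub:
            raise ValueError("publication and activation dates are closer "
                             "together than the prepublication interval")
        return pub, act
    if publish is None and activate is None:
        return now, now                # neither given: both default to "now"
    if publish is None:
        # -A given without -P: publish the interval before activation.
        pub = act - prepub if act is not None else now
    else:
        # -P given without -A: activate the interval after publication.
        act = pub + prepub if pub is not None else now
    return pub, act


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    # An explicit successor (-S) activated in one week is published 30 days
    # before that date.
    pub, act = schedule(now, activate="+1w", successor=True)
    print("publish", pub.strftime("%Y%m%d%H%M%S"), "activate", act.strftime("%Y%m%d%H%M%S"))
```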
.SH "GENERATED KEYS"
.PP
When
\fBdnssec\-keygen\fR
completes successfully, it prints a string of the form
Knnnn\&.+aaa+iiiii
to the standard output\&. This is an identification string for the key it has generated\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
nnnn
is the key name\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
aaa
is the numeric representation of the algorithm\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
iiiii
is the key identifier (or footprint)\&.
.RE
.PP
\fBdnssec\-keygen\fR
creates two files, with names based on the printed string\&.
Knnnn\&.+aaa+iiiii\&.key
contains the public key, and
Knnnn\&.+aaa+iiiii\&.private
contains the private key\&.
.PP
The
\&.key
file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
.PP
The
\&.private
file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
.PP
Both
\&.key
and
\&.private
files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
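.PP
The identification string and file names described in this section, checked against the DNSKEY record inside a \&.key file, as an added Python example (not BIND code). The sample \&.key contents are constructed with a dummy public key, so only the file layout and the key\-tag arithmetic are meaningful.

```python
import base64
import re

# DNSKEY algorithm numbers (RFC 4034 and successors) for the DNSSEC
# mnemonics accepted by -a.
ALGORITHMS = {
    "RSAMD5": 1, "DH": 2, "DSA": 3, "RSASHA1": 5, "NSEC3DSA": 6,
    "NSEC3RSASHA1": 7, "RSASHA256": 8, "RSASHA512": 10, "ECCGOST": 12,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14,
}
KEY_NAME_RE = re.compile(
    r"K(?P<name>.+?)\+(?P<alg>\d{3})\+(?P<tag>\d{5})(?:\.key|\.private)?")


def key_name(name, algorithm, tag):
    """Build the Knnnn.+aaa+iiiii string dnssec-keygen prints for a key."""
    if isinstance(algorithm, str):
        algorithm = ALGORITHMS[algorithm.upper()]
    if not name.endswith("."):
        name += "."                     # the printed name is fully qualified
    return "K%s+%03d+%05d" % (name, algorithm, tag)


def parse_key_name(s):
    """Split 'Kexample.com.+003+26160[.key|.private]' into (name, alg, tag)."""
    m = KEY_NAME_RE.fullmatch(s)
    if m is None:
        raise ValueError("not a dnssec-keygen key name: %r" % s)
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def key_tag(flags, protocol, algorithm, pubkey):
    """Key tag (footprint) of a DNSKEY RR, per RFC 4034 Appendix B.
    A 16-bit sum over the RDATA (flags, protocol, algorithm, raw public
    key) with the carry folded back in. Algorithm 1 (RSAMD5) uses a
    separate legacy rule and is rejected here."""
    if algorithm == 1:
        raise ValueError("RSAMD5 key tags use a legacy rule not implemented here")
    rdata = bytes([flags >> 8, flags & 0xFF, protocol, algorithm]) + pubkey
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_file(contents):
    """Return (owner, flags, protocol, algorithm, pubkey) from .key file text.
    dnssec-keygen writes ';' comment lines before the single DNSKEY record;
    the record may carry an optional TTL and class before 'DNSKEY'."""
    for line in contents.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        return fields[0], flags, protocol, algorithm, pubkey
    raise ValueError("no DNSKEY record found")


def check_key_file(filename, contents):
    """True when the file name's owner, algorithm and footprint match the record."""
    name, alg, tag = parse_key_name(filename)
    owner, flags, protocol, algorithm, pubkey = parse_key_file(contents)
    return (owner == name and algorithm == alg
            and key_tag(flags, protocol, algorithm, pubkey) == tag)


# Constructed sample with the layout of a .key file; the public key is the
# dummy byte string 01 02 03 04, not real key material.
SAMPLE_KEY_FILE = """\
; This is a zone-signing key, keyid 2062, for example.com.
example.com. IN DNSKEY 256 3 8 AQIDBA==
"""
SAMPLE_FILENAME = "Kexample.com.+008+02062.key"

if __name__ == "__main__":
    print(SAMPLE_FILENAME, "matches its record:",
          check_key_file(SAMPLE_FILENAME, SAMPLE_KEY_FILE))
```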
.SH "EXAMPLE"
.PP
To generate a 768\-bit DSA key for the domain
\fBexample\&.com\fR, the following command would be issued:
.PP
\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example\&.com\fR
.PP
The command would print a string of the form:
.PP
\fBKexample\&.com\&.+003+26160\fR
.PP
In this example,
\fBdnssec\-keygen\fR
creates the files
Kexample\&.com\&.+003+26160\&.key
and
Kexample\&.com\&.+003+26160\&.private\&.
.SH "SEE ALSO"
.PP
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
RFC 2845,
RFC 4034\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2005, 2007-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.br