Commit 0a7ed886 authored by Automatic Updater's avatar Automatic Updater

regen

parent 553ead32
......@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-dsfromkey.8,v 1.9 2009/06/18 01:13:02 tbox Exp $
.\" $Id: dnssec-dsfromkey.8,v 1.10 2009/07/19 04:27:55 tbox Exp $
.\"
.hy 0
.ad l
......@@ -34,7 +34,7 @@ dnssec\-dsfromkey \- DNSSEC DS RR generation tool
.HP 17
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile}
.HP 17
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdir\fR\fR] {dnsname}
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.SH "DESCRIPTION"
.PP
\fBdnssec\-dsfromkey\fR
......@@ -58,9 +58,24 @@ Select the digest algorithm. The value of
must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256). These values are case insensitive.
.RE
.PP
\-v \fIlevel\fR
\-K \fIdirectory\fR
.RS 4
Sets the debugging level.
Look for key files (or, in keyset mode,
\fIkeyset\-\fR
files) in
\fBdirectory\fR.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
\fBfile\fR. If the zone name is the same as
\fBfile\fR, then it may be omitted.
.RE
.PP
\-A
.RS 4
Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
.RE
.PP
\-l \fIdomain\fR
......@@ -72,21 +87,17 @@ is appended to the name for each record in the set.
.PP
\-s
.RS 4
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN), useful only in the keyset mode.
Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.
.RE
.PP
\-d \fIdirectory\fR
\-v \fIlevel\fR
.RS 4
Look for
\fIkeyset\fR
files in
\fBdirectory\fR
as the directory, ignored when not in the keyset mode.
Sets the debugging level.
.RE
.SH "EXAMPLE"
.PP
......
......@@ -14,7 +14,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-dsfromkey.html,v 1.9 2009/06/18 01:13:02 tbox Exp $ -->
<!-- $Id: dnssec-dsfromkey.html,v 1.10 2009/07/19 04:27:55 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
......@@ -30,17 +30,17 @@
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-d <em class="replaceable"><code>dir</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543427"></a><h2>DESCRIPTION</h2>
<a name="id2543444"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543438"></a><h2>OPTIONS</h2>
<a name="id2543456"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
......@@ -57,9 +57,24 @@
<code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
SHA-256 (SHA256). These values are case insensitive.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the debugging level.
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<code class="option">directory</code>.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd><p>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p></dd>
<dt><span class="term">-A</span></dt>
<dd><p>
Include ZSK's when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
......@@ -70,24 +85,21 @@
<dt><span class="term">-s</span></dt>
<dd><p>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file. Following options make sense
only in this mode.
the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Specifies the DNS class (default is IN), useful only
in the keyset mode.
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</p></dd>
<dt><span class="term">-d <em class="replaceable"><code>directory</code></em></span></dt>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Look for <code class="filename">keyset</code> files in
<code class="option">directory</code> as the directory, ignored when
not in the keyset mode.
Sets the debugging level.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543587"></a><h2>EXAMPLE</h2>
<a name="id2543642"></a><h2>EXAMPLE</h2>
<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
......@@ -102,7 +114,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543617"></a><h2>FILES</h2>
<a name="id2543672"></a><h2>FILES</h2>
<p>
The keyfile can be designed by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
......@@ -116,13 +128,13 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543652"></a><h2>CAVEAT</h2>
<a name="id2543707"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543661"></a><h2>SEE ALSO</h2>
<a name="id2543717"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
......@@ -131,7 +143,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543698"></a><h2>AUTHOR</h2>
<a name="id2543753"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
......
......@@ -12,7 +12,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-keyfromlabel.8,v 1.7 2009/07/11 01:12:45 tbox Exp $
.\" $Id: dnssec-keyfromlabel.8,v 1.8 2009/07/19 04:27:55 tbox Exp $
.\"
.hy 0
.ad l
......@@ -32,7 +32,7 @@
dnssec\-keyfromlabel \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 20
\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
\fBdnssec\-keyfromlabel\fR {\-a\ \fIalgorithm\fR} {\-l\ \fIlabel\fR} [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-k\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keyfromlabel\fR
......@@ -78,6 +78,11 @@ Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to be written.
.RE
.PP
\-k
.RS 4
Generate KEY records rather than DNSKEY records.
......
......@@ -13,7 +13,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.html,v 1.6 2009/07/11 01:12:45 tbox Exp $ -->
<!-- $Id: dnssec-keyfromlabel.html,v 1.7 2009/07/19 04:27:55 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
......@@ -28,10 +28,10 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543413"></a><h2>DESCRIPTION</h2>
<a name="id2543421"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
......@@ -39,7 +39,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543425"></a><h2>OPTIONS</h2>
<a name="id2543433"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
......@@ -87,6 +87,10 @@
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
......@@ -112,7 +116,7 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543619"></a><h2>GENERATED KEY FILES</h2>
<a name="id2543644"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
......@@ -153,7 +157,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543691"></a><h2>SEE ALSO</h2>
<a name="id2543717"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
......@@ -163,7 +167,7 @@
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543731"></a><h2>AUTHOR</h2>
<a name="id2543756"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
......
......@@ -13,7 +13,7 @@
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-keygen.8,v 1.44 2009/07/11 01:12:45 tbox Exp $
.\" $Id: dnssec-keygen.8,v 1.45 2009/07/19 04:27:55 tbox Exp $
.\"
.hy 0
.ad l
......@@ -33,30 +33,37 @@
dnssec\-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP 14
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-k\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {name}
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-e\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-r\ \fR\fB\fIrandomdev\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-U\ \fR\fB\fIdate/offset\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures), as defined in RFC 2845.
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm. The value of
Selects the cryptographic algorithm. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC\-MD5. These values are case insensitive. The default is RSASHA1 for DNSSEC key generation.
must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512. These values are case insensitive.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
option is specified, in which case NSEC3RSASHA1 will be used instead.
.sp
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended. For TSIG, HMAC\-MD5 is mandatory.
.sp
Note 2: HMAC\-MD5 and DH automatically set the \-k flag.
Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key. The choice of key size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between 512 and 2048 bits. Diffie Hellman keys must be between 128 and 4096 bits. DSA keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC\-MD5 keys must be between 1 and 512 bits.
.sp
When generating a DNSSEC key with the default algorithm, this
value defaults to 1024, or 2048 if the KSK flag is set.
The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSK's) and 2048 bits for key signing keys (KSK's, generated with
\fB\-f KSK\fR). However, if an algorithm is explicitly specified with the
\fB\-a\fR, then there is no default key size, and the
\fB\-b\fR
must be used.
.RE
.PP
\-n \fInametype\fR
......@@ -66,6 +73,20 @@ Specifies the owner type of the key. The value of
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are case insensitive. Defaults to ZONE for DNSKEY generation.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata. By default,
\fBdnssec\-keygen\fR
will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
option suppresses them.
.RE
.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class. If not specified, class IN is used.
......@@ -78,7 +99,7 @@ If generating an RSAMD5/RSASHA1 key, use a large exponent.
.PP
\-f \fIflag\fR
.RS 4
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flag is KSK (Key Signing Key) DNSKEY.
Set the specified flag in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
.RE
.PP
\-g \fIgenerator\fR
......@@ -92,9 +113,14 @@ Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to be written.
.RE
.PP
\-k
.RS 4
Generate KEY records rather than DNSKEY records.
Deprecated in favor of \-T KEY.
.RE
.PP
\-p \fIprotocol\fR
......@@ -118,6 +144,14 @@ indicates that keyboard input should be used.
Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
.RE
.PP
\-T \fIrrtype\fR
.RS 4
Specifies the resource record type to use for the key.
\fBrrtype\fR
must be either DNSKEY or KEY. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0).
Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key.
......@@ -129,6 +163,34 @@ must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF.
.RS 4
Sets the debugging level.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '\-', it is interpreted as an offset from the present time. If such an offset is followed by one of the characters 'y', 'm', 'w', 'd', or 'h', then the offset is computed in years, months, weeks, days, or hours, respectively; otherwise it is computed in seconds.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated. After that date, the key will be included and the zone and used to sign it.
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
.RE
.PP
\-U \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be unpublished. After that date, the key will no longer be included in the zone, but it may remain in the key repository.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted. After that date, the key can be removed from the key repository. NOTE: Keys are not currently deleted automatically; this field is included for informational purposes and for future development.
.RE
.SH "GENERATED KEYS"
.PP
When
......
......@@ -14,7 +14,7 @@
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.html,v 1.36 2009/07/11 01:12:45 tbox Exp $ -->
<!-- $Id: dnssec-keygen.html,v 1.37 2009/07/19 04:27:55 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
......@@ -29,27 +29,34 @@
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-k</code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-U <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543477"></a><h2>DESCRIPTION</h2>
<a name="id2543541"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keygen</strong></span>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
TSIG (Transaction Signatures), as defined in RFC 2845.
TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
(Transaction Key) as defined in RFC 2930.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543489"></a><h2>OPTIONS</h2>
<a name="id2543553"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5 (RSA) or RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5.
These values are case insensitive. The default is RSASHA1 for
DNSSEC key generation.
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, or NSEC3DSA. For TSIG/TKEY, the value must
be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead.
</p>
<p>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
......@@ -57,7 +64,8 @@
mandatory.
</p>
<p>
Note 2: HMAC-MD5 and DH automatically set the -k flag.
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
......@@ -70,9 +78,14 @@
bits and an exact multiple of 64. HMAC-MD5 keys must be
between 1 and 512 bits.
</p>
When generating a DNSSEC key with the default algorithm, this
value defaults to 1024, or 2048 if the KSK flag is set.
<p>
<p>
The key size does not need to be specified if using a default
algorithm. The default key size is 1024 bits for zone signing
keys (ZSK's) and 2048 bits for key signing keys (KSK's,
generated with <code class="option">-f KSK</code>). However, if an
algorithm is explicitly specified with the <code class="option">-a</code>,
then there is no default key size, and the <code class="option">-b</code>
must be used.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
......@@ -85,6 +98,23 @@
These values are case insensitive. Defaults to ZONE for DNSKEY
generation.
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
......@@ -97,7 +127,7 @@
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
......@@ -111,9 +141,13 @@
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
......@@ -140,6 +174,21 @@
a number between 0 and 15, and currently has no defined
purpose in DNSSEC.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
Specifies the resource record type to use for the key.
<code class="option">rrtype</code> must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
</p>
<p>
</p>
<p>
Using any TSIG algorithm (HMAC-* or DH) forces this option
to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
......@@ -154,7 +203,52 @@
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543827"></a><h2>GENERATED KEYS</h2>
<a name="id2544052"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. If such an offset is followed
by one of the characters 'y', 'm', 'w', 'd', or 'h', then the
offset is computed in years, months, weeks, days, or hours,
respectively; otherwise it is computed in seconds.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included and the zone and used to sign
it.
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-U <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be unpublished. After that
date, the key will no longer be included in the zone, but it
may remain in the key repository.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key can be removed from the key repository.
NOTE: Keys are not currently deleted automatically; this field
is included for informational purposes and for future
development.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2544150"></a><h2>GENERATED KEYS</h2>
<p>
When <span><strong class="command">dnssec-keygen</strong></span> completes