Commit 15ba758c authored by Brian Wellington's avatar Brian Wellington

minor tweaks

parent 53dc7714
......@@ -14,7 +14,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-keygen.8,v 1.3 2000/06/28 23:40:58 jim Exp $
.\" $Id: dnssec-keygen.8,v 1.4 2000/07/26 00:47:13 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-KEYGEN 8
......@@ -25,12 +25,12 @@
.Nd key generation tool for DNSSEC
.Sh SYNOPSIS
.Nm dnssec-keygen
.Op Fl a Ar algorithm
.Op Fl b Ar keysize
.Fl a Ar algorithm
.Fl b Ar keysize
.Op Fl e
.Op Fl g Ar generator
.Op Fl h
.Op Fl n Ar nametype
.Fl n Ar nametype
.Op Fl p Ar protocol-value
.Op Fl r Ar randomdev
.Op Fl s Ar strength-value
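Review bot: making `.Fl a`, `.Fl b` and `.Fl n` unconditional in the SYNOPSIS is right for key generation, but it now also claims they are required when the user only wants the help text, which the DESCRIPTION says is printed by `.Fl h` alone. The usual mdoc fix is a second synopsis line for the help form, e.g. `.Nm dnssec-keygen` followed by `.Fl h`, so that `dnssec-keygen -h` is documented as a valid invocation on its own.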
......@@ -42,11 +42,13 @@
generates keys for DNSSEC, Secure DNS, as defined in RFC2535.
It also generates keys for use in Transaction Signatures, TSIG, which
is defined in RFC2845.
.Pp
A short summary of the options and arguments to
.Nm dnssec-keygen
is printed by the
.Fl h
(help) option.
.Pp
The
.Fl a ,
.Fl b ,
......@@ -62,7 +64,7 @@ option to
.Nm dnssec-keygen .
.Ar algorithm
must be one of
.Dv RSAMD5
.Dv RSAMD5 ,
.Dv DH ,
.Dv DSA
or
......@@ -71,8 +73,7 @@ to indicate that an RSA, Diffie-Hellman, Digital Signature
Algorithm or HMAC-MD5 key is required.
An argument of
.Dv RSA
can also be given.
It is equivalent to
can also be given, which is equivalent to
.Dv RSAMD5 .
The argument identifying the encryption algorithm is case-insensitive.
DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
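Review bot: the context line "The argument identifying the encryption algorithm is case-insensitive." should drop "encryption" while this paragraph is being touched; none of RSAMD5, DH, DSA or HMAC-MD5 is used here for encryption (they are signature, key-agreement and MAC algorithms), so "the algorithm argument is case-insensitive" is accurate and shorter.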
......@@ -85,7 +86,7 @@ argument following the
option.
The choice of key size depends on the algorithm that is used.
RSA keys must be between 512 and 2048 bits.
Diffie-Hellman keys have to be between 128 and 4096 bits.
Diffie-Hellman keys must be between 128 and 4096 bits.
For DSA, the key size must be between 512 and 1024 bits and a multiple
of 64.
The length of an HMAC-MD5 key can be between 1 and 512 bits.
......@@ -124,7 +125,7 @@ that is to be used.
The only supported values value of
.Ar generator
are 2 and 5.
If no Diffie-Hellman generator is supplied a known prime
If no Diffie-Hellman generator is supplied, a known prime
from RFC2539 will be used if possible; otherwise 2 will be used as the
generator.
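Review bot: the context line "The only supported values value of" has a leftover word; since the adjacent sentence is being edited for a missing comma, fix it in the same change: "The only supported values of `.Ar generator` are 2 and 5."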
.Pp
......@@ -141,12 +142,12 @@ successors.
.Nm dnssec-keygen
uses random numbers to seed the process
of generating keys.
If the system does not have a pseudo-device like
If the system does not have a
.Pa /dev/random
for generating random numbers,
device that can be used for generating random numbers,
.Nm dnssec-keygen
will prompt for some keyboard input and use the time intervals between
keystrokes to provide some randomness.
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
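Review bot: the rewritten sentence says keystroke timing is used "to provide randomness" without qualifying it; inter-keystroke intervals yield little entropy per keystroke and this path is a fallback for systems with no random device, not an equal alternative. Suggest stating that explicitly and pointing readers at `.Fl r` with a proper random device when generating keys that will be long-lived, since the `.Fl r` paragraph that follows only says it "overrides this behaviour".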
......@@ -259,10 +260,12 @@ The private part of the key is used by
.Xr dnssec-signzone 8
to generate signatures and the public part is used to verify the
signatures.
A
Both
.Ar .key
and
.Ar .private
key file is generated for a symmetric encryption algorithm such as
HDMAC-MD5, even though it has no private key.
key files are generated for symmetric encryption algorithm such as
HMAC-MD5, even though the public and private key are equivalent.
.Sh EXAMPLE
To generate a 768-bit DSA key for the domain
.Dv example.com ,
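Review bot: the new text "key files are generated for symmetric encryption algorithm such as HMAC-MD5" is missing the article ("for a symmetric ... algorithm") and mislabels HMAC-MD5, which is a message authentication code rather than an encryption algorithm; "for a symmetric algorithm such as HMAC-MD5" is accurate. "the public and private key are equivalent" would also be clearer as "the .key and .private files contain the same key", since for TSIG the secret is the only key and the .key file is not public in any useful sense. Good catch on the HDMAC-MD5 typo.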
......
......@@ -14,7 +14,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-makekeyset.8,v 1.3 2000/06/28 23:40:59 jim Exp $
.\" $Id: dnssec-makekeyset.8,v 1.4 2000/07/26 00:47:14 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-MAKEKEYSET 8
......@@ -30,7 +30,7 @@
.Op Fl e Ar end-time
.Op Fl t Ar TTL
.Op Fl r Ar randomdev
.Op Fl v level
.Op Fl v Ar level
.Ar keyfile ....
.Sh DESCRIPTION
.Nm dnssec-makekeyset
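Review bot: while fixing `.Op Fl v Ar level`, the context line `.Ar keyfile ....` has four dots; mdoc convention for a repeated argument is `.Ar keyfile ...`, matching the other man pages in this change.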
......@@ -125,8 +125,7 @@ If no
.Fl t
option is provided,
.Nm dnssec-makekeyset
prints a warning and assumes that a default TTL of
3600 seconds was required.
prints a warning and uses a default TTL of 3600 seconds.
.Pp
The
.Fl v
......@@ -139,9 +138,10 @@ increases,
.Nm dnssec-makekeyset
generates increasingly detailed reports about what it is doing.
The default level is zero.
An option of
.Pp
The
.Fl h
gets
option makes
.Nm dnssec-makekeyset
to print a short summary of its options and arguments.
.Pp
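Review bot: the new wording "The `.Fl h` option makes `.Nm dnssec-makekeyset`" is followed by the unchanged context line "to print a short summary of its options and arguments.", so the rendered sentence reads "makes dnssec-makekeyset to print ...". Either drop "to" on that context line or keep the old "gets ... to print" construction; the dnssec-signkey change in this same commit uses "option makes ... print", so drop the "to" for consistency.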
......@@ -178,7 +178,7 @@ will create a file called
.Pa example.com.keyset
containing a SIG and KEY record for
.Dv example.com.
These records will have a TTL of 1 day: 86400 seconds.
These records will have a TTL of 86400 seconds (1 day).
The SIG record becomes valid at noon UTC on July 1st 2000 and expires
30 days (2592000 seconds) later.
.Pp
......
......@@ -14,7 +14,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signkey.8,v 1.3 2000/06/28 23:41:00 jim Exp $
.\" $Id: dnssec-signkey.8,v 1.4 2000/07/26 00:47:16 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
......@@ -55,31 +55,38 @@ This allows the child's keys to be signed by more than 1 parent zone
key if these exist.
.Pp
The
.Fl h
option makes
.Nm dnssec-signkey
print a short summary of its command line options
and arguments.
.Pp
The
.Fl p
option instructs
.Nm dnssec-signkey
to use pseudo-random data when signing the keys which is faster, but
to use pseudo-random data when signing the keys. This is faster, but
less secure, than using genuinely random data for signing.
This option may be useful when there are many child zone keysets to
sign of if the entropy source is limited.
sign or if the entropy source is limited.
It could also be used for short-lived keys and signatures that don't
require strengthening against cryptanalysis: for instance when the key
require as much protection against cryptanalysis, such as when the key
will be discarded long before it could be compromised.
.Pp
An alternate file for obtaining random data can be used with the
.Fl r
option.
.Ar filename
is the name of the file to use.
If no
.Fl r
option is used and the default file for random data
.Nm dnssec-signkey
may need random numbers in the process of generating keys.
If the system does not have a
.Pa /dev/random
does not exist,
device that can be used for generating random numbers,
.Nm dnssec-signkey
will prompt for input from the keyboard.
The time between keystrokes will be measured and used to derive random
data.
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option overrides this behaviour, making
.Nm dnssec-signkey
use
.Ar randomdev
as a source of random data.
.Pp
The
.Fl v
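Review bot: the added sentence "may need random numbers in the process of generating keys" is wrong for this tool; dnssec-signkey signs a child's keyset with the parent's keys (the `.Fl p` paragraph just above says "when signing the keys") and generates no keys. Suggest "in the process of signing keys" or "in the process of generating signatures". The rest of the rewrite is an improvement: it replaces the undocumented `.Ar filename` with `.Ar randomdev`, which matches the SYNOPSIS, and moving the `.Fl h` paragraph next to the other options is fine.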
......@@ -93,13 +100,6 @@ increases,
generates increasingly detailed reports about what it is doing.
The default level is zero.
.Pp
An option of
.Fl h
makes
.Nm dnssec-signkey
print a short summary of its command line options
and arguments.
.Pp
When
.Nm dnssec-signkey
completes successfully, it generates a file called
......@@ -129,13 +129,14 @@ sign the
file for
.Dv example.com
created in the example shown in the man page for
.Nm dnssec-makekeyset :
.Xr dnssec-makekeyset 8 :
.Pp
.Dl # dnssec-signkey example.com.keyset Kcom.+003+51944
.Pp
where
.Dv Kcom.+003+51944
was a key file identifier that was produced when
.Nm dnssec-keygen
.Xr dnssec-keygen 8
generated a key for the
.Dv .com
zone.
......
......@@ -14,7 +14,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signzone.8,v 1.3 2000/06/28 23:41:01 jim Exp $
.\" $Id: dnssec-signzone.8,v 1.4 2000/07/26 00:47:17 bwelling Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNZONE 8
......@@ -46,8 +46,8 @@ files for the zone to be signed should be present in the current
directory, along with the keys that will be used to sign the zone.
If no
.Ar keyfile
arguments are supplied, the default behaviour is to use all the zone's
keys.
arguments are supplied, the default behaviour is to use all of the zone's
keys that are present in the current directory.
Providing specific
.Ar keyfile
arguments constrains
......@@ -182,29 +182,30 @@ determine when fresh SIG records should be generated.
The
.Fl p
option instructs
.Nm dnssec-signzone
to use pseudo-random data when signing the zone's resource records.
This is faster but less secure than using genuinely random data for signing.
This option may be useful when the zone has many resource records to be
signed and the entropy source is limited.
.Nm dnssec-signkey
to use pseudo-random data when signing the keys. This is faster, but
less secure, than using genuinely random data for signing.
This option may be useful when there are many child zone keysets to
sign or if the entropy source is limited.
It could also be used for short-lived keys and signatures that don't
require strengthening against cryptanalysis: for instance when the signatures
will be discarded long before the signed data could be compromised.
require as much protection against cryptanalysis, such as when the key
will be discarded long before it could be compromised.
.Pp
An alternate source of random data can be specified with the
.Fl r
option.
.Ar randomdev
is the name of the file to use to obtain random data.
By default
.Nm dnssec-signzone
may need random numbers in the process of signing the zone.
If the system does not have a
.Pa /dev/random
is used if this device is available.
If it is not provided by the operating system and no
device that can be used for generating random numbers,
.Nm dnssec-signzone
will prompt for keyboard input and use the time intervals between
keystrokes to provide randomness.
The
.Fl r
option is used,
option overrides this behaviour, making
.Nm dnssec-signzone
will prompt the user for input from the keyboard and use the time
between keystrokes to derive some random data.
use
.Ar randomdev
as a source of random data.
.Pp
An option of
.Fl h
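Review bot: the replacement `.Fl p` paragraph was pasted from dnssec-signkey.8 and now documents the wrong program inside dnssec-signzone.8: `.Nm dnssec-signkey` should be `.Nm dnssec-signzone`, "when signing the keys" should be "when signing the zone's resource records", and "when there are many child zone keysets to sign" should be "when the zone has many resource records to be signed", all of which the removed lines had right. The removed closing sentence was also the more accurate one for this tool ("when the signatures will be discarded long before the signed data could be compromised"); the new "when the key will be discarded" describes the signkey case, not zone signing. The `.Fl r` rewrite below it is fine and matches the wording used in the other three pages.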
......