Commit 57584184 authored by Jim Reid

incorporated Brian's corrections and improvements

parent 88995c0b
......@@ -14,7 +14,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-keygen.8,v 1.1 2000/06/27 21:50:27 jim Exp $
.\" $Id: dnssec-keygen.8,v 1.2 2000/06/28 03:20:46 jim Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-KEYGEN 8
......@@ -39,7 +39,7 @@
.Ar name
.Sh DESCRIPTION
.Nm dnssec-keygen
generates keys for DNSSEC, Secure DNS, as defined in RFC2065.
generates keys for DNSSEC, Secure DNS, as defined in RFC2535.
It also generates keys for use in Transaction Signatures, TSIG, which
is defined in RFC2845.
A short summary of the options and arguments to
......@@ -62,14 +62,18 @@ option to
.Nm dnssec-keygen .
.Ar algorithm
must be one of
.Dv RSA ,
.Dv RSAMD5 ,
.Dv RSAMD5
.Dv DH ,
.Dv DSA
or
.Dv HMAC-MD5
to indicate that an RSA, RSAMD5, Diffie-Hellman, Digital Signature
to indicate that an RSA, Diffie-Hellman, Digital Signature
Algorithm or HMAC-MD5 key is required.
An argument of
.Dv RSA
can also be given.
It is equivalent to
.Dv RSAMD5 .
The argument identifying the encryption algorithm is case-insensitive.
DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
Implementations of TSIG must support HMAC-MD5.
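Review bot: the replacement `.Dv RSAMD5` line in the algorithm list has lost its trailing comma, so the list renders as "RSAMD5 DH, DSA or HMAC-MD5". Write it as `.Dv RSAMD5 ,` to match `.Dv DH ,`. The rewritten sentence also still says "an RSA, Diffie-Hellman, ..." key although RSA is no longer in the list and is only introduced as an alias two sentences later; either say RSAMD5 there or move the alias sentence ahead of it.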
......@@ -92,12 +96,17 @@ option specifies how the generated key will be used.
.Ar nametype
can be either
.Dv ZONE ,
.Dv HOST ,
.Dv ENTITY
.Dv HOST ,
.Dv ENTITY ,
or
.Dv USER
to indicate that the key will be used for signing a zone, host,
entity or user respectively.
In this context
.Dv HOST
and
.Dv ENTITY
are identical.
.Ar nametype
is case-insensitive.
.Pp
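Review bot: `.Dv ENTITY ,` now puts a comma before "or", while the algorithm list in the previous hunk ("DSA or HMAC-MD5") has none; pick one style for both lists. Since the added sentence says HOST and ENTITY are identical, "can be either" followed by four values and "a zone, host, entity or user respectively" still reads as four distinct uses; consider describing three uses and naming ENTITY as a synonym for HOST.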
......@@ -112,16 +121,19 @@ When creating Diffie-Hellman keys, the
option selects the Diffie-Hellman generator
.Ar generator
that is to be used.
The value of
The only supported values value of
.Ar generator
must be either 2 or 5.
are 2 and 5.
If no Diffie-Hellman generator is supplied a known prime
from RFC2539 will be used if possible; otherwise 2 will be used as the
generator.
.Pp
.Ar protocol-value
sets the protocol value for the generated key.
The default is 2 (email) for keys of type
.Dv USER
and 3 (DNSSEC) for all other key types.
Other possible values for this argument are listed in RFC2065 and its
Other possible values for this argument are listed in RFC2535 and its
successors.
.Pp
.Nm dnssec-keygen
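Review bot: the new line "The only supported values value of" has a leftover word; together with the lines after it the sentence renders as "The only supported values value of generator are 2 and 5". It should read "The only supported values of". While this paragraph is open, the unchanged fallback sentence ("a known prime from RFC2539 will be used if possible; otherwise 2 will be used as the generator") does not say which generator accompanies the known prime, which is worth stating for anyone checking the resulting Diffie-Hellman parameters.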
......@@ -146,6 +158,7 @@ given by
.Ar strength-value .
It should be a number between 0 and 15.
The default strength is zero.
The key strength field currently has no defined purpose in DNSSEC.
.Pp
The
.Ar t
......@@ -266,8 +279,9 @@ DSA key.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2065,
.Xr RFC2535,
.Xr RFC2845,
.Xr RFC2539,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signkey 8 ,
.Xr dnssec-signzone 8 .
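Review bot: the new `.Xr RFC2535,` and `.Xr RFC2539,` lines keep the comma fused to the argument, unlike `.Xr dnssec-makekeyset 8 ,` just below, where the punctuation is a separate token. Write them as `.Xr RFC2535 ,` and `.Xr RFC2539 ,` (the dnssec-makekeyset.8 hunk in this same commit already uses that form), and fix `.Xr RFC2845,` at the same time. RFC2539 would also sit more naturally before RFC2845 so the RFCs stay in numeric order.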
......
......@@ -14,7 +14,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-makekeyset.8,v 1.1 2000/06/27 21:50:27 jim Exp $
.\" $Id: dnssec-makekeyset.8,v 1.2 2000/06/28 03:20:47 jim Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-MAKEKEYSET 8
......@@ -163,7 +163,8 @@ zone for them to sign the contents with
The following command generates a key set for the DSA key for
.Dv example.com
that was shown in the
.Xr dnssec-keygen 8 man page.
.Xr dnssec-keygen 8
man page.
The backslash is for typographic reasons and would not be provided on
the command line when running
.Nm dnssec-makekeyset .
......@@ -196,6 +197,6 @@ signatures securely.
.Sh FILES
.Pa /dev/random .
.Sh SEE ALSO
.Xr RFC2065 ,
.Xr RFC2535 ,
.Xr dnssec-keygen 8 ,
.Xr dnssec-signkey 8 .
......@@ -14,7 +14,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signkey.8,v 1.1 2000/06/27 21:50:27 jim Exp $
.\" $Id: dnssec-signkey.8,v 1.2 2000/06/28 03:20:48 jim Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNKEY 8
......@@ -151,7 +151,7 @@ zone's zone key.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2065,
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signzone 8 .
......@@ -14,7 +14,7 @@
.\" NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
.\" WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnssec-signzone.8,v 1.1 2000/06/27 21:50:27 jim Exp $
.\" $Id: dnssec-signzone.8,v 1.2 2000/06/28 03:20:49 jim Exp $
.\"
.Dd Jun 30, 2000
.Dt DNSSEC-SIGNZONE 8
......@@ -65,9 +65,7 @@ current working directory used by
.Pp
.Ar zonefile
is the name of the unsigned zone file.
If the fully qualified domain name is not clear from the resource
records in the zone file because the owner-names are not fully
qualified and dot-terminated, the
Unless the file name is the same as the name of the zone, the
.Ar o
option should be given.
.Ar origin
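Review bot: the replacement sentence "Unless the file name is the same as the name of the zone, the o option should be given" drops the reason the old text gave and only implies that the origin is taken from the file name. State the default explicitly, for example that the zone origin is assumed to be the zone file name when the option is absent, so that an operator signing a file such as a differently named copy knows the records would otherwise be signed under the wrong origin.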
......@@ -188,7 +186,7 @@ option instructs
to use pseudo-random data when signing the zone's resource records.
This is faster but less secure than using genuinely random data for signing.
This option may be useful when the zone has many resource records to be
signed and CPU resources are limited.
signed and the entropy source is limited.
It could also be used for short-lived keys and signatures that don't
require strengthening against cryptanalysis: for instance when the signatures
will be discarded long before the signed data could be compromised.
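Review bot: the changed line now names a limited entropy source as the reason to use pseudo-random data, but the sentence two lines above it still motivates the option only as "faster". Connect the two, for example by saying that signing does not have to wait on the entropy source, if that is what makes it faster. Also note that this paragraph speaks of "short-lived keys" although the option is described as applying "when signing the zone's resource records"; if it has no effect on keys, drop "keys and" to avoid suggesting weaker key material is acceptable.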
......@@ -244,9 +242,7 @@ This zone file contains the keyset for
.Dv example.com
that was created by
.Xr dnssec-makekeyset 8 .
The zone's
.Ar .keyset
file was either appended to the zone file or
The zone's keys were either appended to the zone file or
incorporated using a
.Dv $INCLUDE
statement.
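Review bot: the new sentence "The zone's keys were either appended to the zone file or incorporated using a $INCLUDE statement" no longer agrees with the unchanged sentence before it, which still says the zone file "contains the keyset for example.com that was created by dnssec-makekeyset". If the point of the correction is that the zone file carries the keys rather than the .keyset file, the preceding sentence needs the same correction.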
......@@ -276,7 +272,7 @@ so that it can be loaded by the name server.
.Sh FILES
.Pa /dev/random
.Sh SEE ALSO
.Xr RFC2065,
.Xr RFC2535,
.Xr dnssec-keygen 8 ,
.Xr dnssec-makekeyset 8 ,
.Xr dnssec-signkey 8 .