<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
2
<!--
 - Copyright (C) 2000-2005, 2007-2012, 2014-2019 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keygen</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
  
  

  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">dnssec-keygen</span>
     &#8212; DNSSEC key generation tool
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-keygen</code> 
       [<code class="option">-3</code>]
       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
       [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
       [<code class="option">-C</code>]
       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
       [<code class="option">-G</code>]
       [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
       [<code class="option">-h</code>]
       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-k</code>]
       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
       [<code class="option">-q</code>]
       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
       [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
       [<code class="option">-V</code>]
       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
       {name}
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>dnssec-keygen</strong></span>
      generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
      and RFC 4034.  It can also generate keys for use with
      TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
      (Transaction Key) as defined in RFC 2930.
    </p>
    <p>
      The <code class="option">name</code> of the key is specified on the command
      line.  For DNSSEC keys, this must match the name of the zone for
      which the key is being generated.
    </p>
    <p>
      The <span class="command"><strong>dnssec-keymgr</strong></span> command acts as a wrapper
      around <span class="command"><strong>dnssec-keygen</strong></span>, generating and updating keys
      as needed to enforce defined security policies such as key rollover
      scheduling. Using <span class="command"><strong>dnssec-keymgr</strong></span> may be preferable
      to direct use of <span class="command"><strong>dnssec-keygen</strong></span>.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>


    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-3</span></dt>
<dd>
	  <p>
	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
	    If this option is used with an algorithm that has both
	    NSEC and NSEC3 versions, then the NSEC3 version will be
	    used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
	    specifies the NSEC3RSASHA1 algorithm.
	  </p>
	</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
	  <p>
	    Selects the cryptographic algorithm.  For DNSSEC keys, the value
	    of <code class="option">algorithm</code> must be one of RSASHA1,
	    NSEC3RSASHA1, RSASHA256, RSASHA512,
	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
	    TKEY, the value must be DH (Diffie Hellman); specifying
	    this value will automatically set the <code class="option">-T KEY</code>
	    option as well.
	  </p>
	  <p>
	    These values are case insensitive. In some cases, abbreviations
	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
	    along with the <code class="option">-3</code> option, then NSEC3RSASHA1
	    will be used instead.
	  </p>
	  <p>
	    This parameter <span class="emphasis"><em>must</em></span> be specified except
	    when using the <code class="option">-S</code> option, which copies the
	    algorithm from the predecessor key.
	  </p>
	  <p>
	    In prior releases, HMAC algorithms could be generated for
	    use as TSIG keys, but that feature has been removed as of
	    BIND 9.13.0. Use <span class="command"><strong>tsig-keygen</strong></span> to generate
	    TSIG keys.
	  </p>
	</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
	  <p>
	    Specifies the number of bits in the key.  The choice of key
	    size depends on the algorithm used.  RSA keys must be
	    between 1024 and 4096 bits.  Diffie Hellman keys must be between
	    128 and 4096 bits.  Elliptic curve algorithms don't need this
	    parameter.
	  </p>
	  <p>
	    If the key size is not specified, some algorithms have
	    pre-defined defaults.  For example, RSA keys for use as
	    DNSSEC zone signing keys have a default size of 1024 bits;
	    RSA keys for use as key signing keys (KSKs, generated with
	    <code class="option">-f KSK</code>) default to 2048 bits.
	  </p>
	</dd>
<dt><span class="term">-C</span></dt>
<dd>
	  <p>
	    Compatibility mode: generates an old-style key, without any
	    timing metadata. By default, <span class="command"><strong>dnssec-keygen</strong></span>
	    will include the key's creation date in the metadata stored with
	    the private key, and other dates may be set there as well
	    (publication date, activation date, etc). Keys that include this
	    data may be incompatible with older versions of BIND; the
	    <code class="option">-C</code> option suppresses them.
	  </p>
	</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
	  <p>
	    Indicates that the DNS record containing the key should have
	    the specified class.  If not specified, class IN is used.
	  </p>
	</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
	  <p>
	    Specifies the cryptographic hardware to use, when applicable.
	  </p>
	  <p>
	    When BIND is built with OpenSSL PKCS#11 support, this defaults
	    to the string "pkcs11", which identifies an OpenSSL engine
	    that can drive a cryptographic accelerator or hardware service
	    module.  When BIND is built with native PKCS#11 cryptography
	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
	    provider library specified via "--with-pkcs11".
	  </p>
	</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd>
	  <p>
	    Set the specified flag in the flag field of the KEY/DNSKEY record.
	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
	  </p>
	</dd>
<dt><span class="term">-G</span></dt>
<dd>
	  <p>
	    Generate a key, but do not publish it or sign with it.  This
	    option is incompatible with -P and -A.
	  </p>
	</dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd>
	  <p>
	    If generating a Diffie Hellman key, use this generator.
	    Allowed values are 2 and 5.  If no generator
	    is specified, a known prime from RFC 2539 will be used
	    if possible; otherwise the default is 2.
	  </p>
	</dd>
<dt><span class="term">-h</span></dt>
<dd>
	  <p>
	    Prints a short summary of the options and arguments to
	    <span class="command"><strong>dnssec-keygen</strong></span>.
	  </p>
	</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
	  <p>
	    Sets the directory in which the key files are to be written.
	  </p>
	</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
	  <p>
	    Sets the default TTL to use for this key when it is converted
	    into a DNSKEY RR.  If the key is imported into a zone,
	    this is the TTL that will be used for it, unless there was
	    already a DNSKEY RRset in place, in which case the existing TTL
	    would take precedence.  If this value is not set and there
	    is no existing DNSKEY RRset, the TTL will default to the
	    SOA TTL. Setting the default TTL to <code class="literal">0</code>
	    or <code class="literal">none</code> is the same as leaving it unset.
	  </p>
	</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
	  <p>
	    Specifies the owner type of the key.  The value of
	    <code class="option">nametype</code> must either be ZONE (for a DNSSEC
	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
	    with a host (KEY)), USER (for a key associated with a
	    user (KEY)) or OTHER (DNSKEY).  These values are case
	    insensitive.  Defaults to ZONE for DNSKEY generation.
	  </p>
	</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
	  <p>
	    Sets the protocol value for the generated key, for use
	    with <code class="option">-T KEY</code>. The protocol is a number between 0
	    and 255. The default is 3 (DNSSEC). Other possible values for
	    this argument are listed in RFC 2535 and its successors.
	  </p>
	</dd>
<dt><span class="term">-q</span></dt>
<dd>
	  <p>
	    Quiet mode: Suppresses unnecessary output, including
	    progress indication.  Without this option, when
	    <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
	    to generate an RSA or DSA key pair, it will print a string
	    of symbols to <code class="filename">stderr</code> indicating the
	    progress of the key generation.  A '.' indicates that a
	    random number has been found which passed an initial
	    sieve test; '+' means a number has passed a single
	    round of the Miller-Rabin primality test; a space
	    means that the number has passed all the tests and is
	    a satisfactory key.
	  </p>
	</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd>
	  <p>
	    Create a new key which is an explicit successor to an
	    existing key.  The name, algorithm, size, and type of the
	    key will be set to match the existing key.  The activation
	    date of the new key will be set to the inactivation date of
	    the existing one.  The publication date will be set to the
	    activation date minus the prepublication interval, which
	    defaults to 30 days.
	  </p>
	</dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd>
	  <p>
	    Specifies the strength value of the key.  The strength is
	    a number between 0 and 15, and currently has no defined
	    purpose in DNSSEC.
	  </p>
	</dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
	  <p>
	    Specifies the resource record type to use for the key.
	    <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
	    default is DNSKEY when using a DNSSEC algorithm, but it can be
	    overridden to KEY for use with SIG(0).
	  </p>
	</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
	  <p>
	    Indicates the use of the key, for use with <code class="option">-T
	    KEY</code>. <code class="option">type</code> must be one of AUTHCONF,
	    NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
	    refers to the ability to authenticate data, and CONF the ability
	    to encrypt data.
	  </p>
	</dd>
<dt><span class="term">-V</span></dt>
<dd>
	  <p>
	    Prints version information.
	  </p>
	</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
	  <p>
	    Sets the debugging level.
	  </p>
	</dd>
</dl></div>
  </div>

  <div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>


    <p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time.  For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively.  Without a suffix, the offset
      is computed in seconds.  To explicitly prevent a date from being
      set, use 'none' or 'never'.
    </p>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which a key is to be published to the zone.
	    After that date, the key will be included in the zone but will
	    not be used to sign it.  If not set, and if the -G option has
	    not been used, the default is "now".
	  </p>
	</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which CDS and CDNSKEY records that match this
	    key are to be published to the zone.
	  </p>
	</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the key is to be activated.  After that
	    date, the key will be included in the zone and used to sign
	    it.  If not set, and if the -G option has not been used, the
	    default is "now".  If set, and if -P is not set, then
	    the publication date will be set to the activation date
	    minus the prepublication interval.
	  </p>
	</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the key is to be revoked.  After that
	    date, the key will be flagged as revoked.  It will be included
	    in the zone and will be used to sign it.
	  </p>
	</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the key is to be retired.  After that
	    date, the key will still be included in the zone, but it
	    will not be used to sign it.
	  </p>
	</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the key is to be deleted.  After that
	    date, the key will no longer be included in the zone.  (It
	    may remain in the key repository, however.)
	  </p>
	</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the CDS and CDNSKEY records that match this
	    key are to be deleted.
	  </p>
	</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
	  <p>
	    Sets the prepublication interval for a key.  If set, then
	    the publication and activation dates must be separated by at least
	    this much time.  If the activation date is specified but the
	    publication date isn't, then the publication date will default
	    to this much time before the activation date; conversely, if
	    the publication date is specified but activation date isn't,
	    then activation will be set to this much time after publication.
	  </p>
	  <p>
	    If the key is being created as an explicit successor to another
	    key, then the default prepublication interval is 30 days;
	    otherwise it is zero.
	  </p>
	  <p>
	    As with date offsets, if the argument is followed by one of
	    the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
	    interval is measured in years, months, weeks, days, hours,
	    or minutes, respectively.  Without a suffix, the interval is
	    measured in seconds.
	  </p>
	</dd>
</dl></div>
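<p>
  The timing rules described above, as an added example that is not part of this manual page or of BIND 9: a Python model of the date/offset syntax (absolute dates, '+'/'-' offsets with the y/mo/w/d/h/mi suffixes, 'none'/'never') and of how -P, -A, -i, -S and -G interact. The function names and the fixed SAMPLE_NOW value are assumptions made for the illustration.
</p>

```python
"""Model of the dnssec-keygen timing-option rules from this man page.

Added example, not code from BIND 9 or ISC.  Parses the date/offset
syntax (YYYYMMDD, YYYYMMDDHHMMSS, '+'/'-' offsets with y/mo/w/d/h/mi
suffixes, 'none'/'never') and applies the documented interaction of
-P, -A, -i, -S and -G.  Function names and SAMPLE_NOW are assumptions.
"""
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Fixed "present time" so the example is reproducible; constructed value.
SAMPLE_NOW = datetime(2020, 1, 1, 0, 0, 0)

# Suffix multipliers in seconds, as the man page defines them: a year is
# 365 24-hour days (leap years ignored) and a month is 30 24-hour days.
SUFFIX_SECONDS = {
    "y": 365 * 86400,
    "mo": 30 * 86400,
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
    "": 1,  # no suffix: plain seconds
}


def parse_interval(text: str) -> int:
    """Convert '30d', '2mo', '1y' or a bare number of seconds into seconds."""
    text = text.strip().lower()
    # Two-letter suffixes are tried first so 'mo'/'mi' are not misread.
    for suffix in ("mo", "mi", "y", "w", "d", "h"):
        if text.endswith(suffix):
            number = text[: -len(suffix)]
            break
    else:
        suffix, number = "", text
    if not number.isdigit():
        raise ValueError(f"bad interval: {text!r}")
    return int(number) * SUFFIX_SECONDS[suffix]


def parse_date_or_offset(text: str, now: datetime) -> Optional[datetime]:
    """Resolve a -P/-A/-R/-I/-D argument; None means explicitly unset."""
    text = text.strip()
    if text.lower() in ("none", "never"):
        return None
    if text and text[0] in "+-":
        delta = timedelta(seconds=parse_interval(text[1:]))
        return now + delta if text[0] == "+" else now - delta
    # Absolute dates: try the long form first, then the date-only form.
    for fmt in ("%Y%m%d%H%M%S", "%Y%m%d"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"bad date/offset: {text!r}")


def resolve_schedule(now: datetime,
                     publish: Optional[str] = None,
                     activate: Optional[str] = None,
                     interval: Optional[str] = None,
                     successor: bool = False,
                     generate_only: bool = False,
                     ) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Return (publication, activation) after applying the documented defaults.

    publish/activate/interval are the raw -P/-A/-i strings (None if not
    given); successor models -S and generate_only models -G.
    """
    if generate_only:
        if publish is not None or activate is not None:
            raise ValueError("-G is incompatible with -P and -A")
        return None, None  # generated, but neither published nor active
    # Prepublication interval: -i if given, else 30 days for a successor, else zero.
    if interval is not None:
        delta = timedelta(seconds=parse_interval(interval))
    else:
        delta = timedelta(days=30 if successor else 0)
    pub = parse_date_or_offset(publish, now) if publish is not None else None
    act = parse_date_or_offset(activate, now) if activate is not None else None
    if publish is None and activate is None:
        return now, now  # both default to "now"
    if publish is None:
        # -A given but not -P: publish one interval before activation.
        pub = act - delta if act is not None else now
    elif activate is None:
        # -P given but not -A: activate one interval after publication.
        act = pub + delta if pub is not None else now
    elif interval is not None and pub is not None and act is not None \
            and act - pub < delta:
        raise ValueError("-P and -A must be at least the -i interval apart")
    return pub, act
```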
  </div>


  <div class="refsection">
<a name="id-1.10"></a><h2>GENERATED KEYS</h2>

    <p>
      When <span class="command"><strong>dnssec-keygen</strong></span> completes
      successfully,
      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
      to the standard output.  This is an identification string for
      the key it has generated.
    </p>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
	<p><code class="filename">nnnn</code> is the key name.
	</p>
      </li>
<li class="listitem">
	<p><code class="filename">aaa</code> is the numeric representation
	  of the
	  algorithm.
	</p>
      </li>
<li class="listitem">
	<p><code class="filename">iiiii</code> is the key identifier (or
	  footprint).
	</p>
      </li>
</ul></div>
    <p><span class="command"><strong>dnssec-keygen</strong></span>
      creates two files, with names based
      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
      contains the public key, and
      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
      private
      key.
    </p>
    <p>
      The <code class="filename">.key</code> file contains a DNSKEY or KEY record.
      When a zone is being signed by <span class="command"><strong>named</strong></span>
      or <span class="command"><strong>dnssec-signzone</strong></span> <code class="option">-S</code>, DNSKEY
      records are included automatically. In other cases,
      the <code class="filename">.key</code> file can be inserted into a zone file
      manually or with a <strong class="userinput"><code>$INCLUDE</code></strong> statement.
    </p>
    <p>
      The <code class="filename">.private</code> file contains
      algorithm-specific
      fields.  For obvious security reasons, this file does not have
      general read permission.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.11"></a><h2>EXAMPLE</h2>

    <p>
      To generate an ECDSAP256SHA256 zone-signing key for the zone
      <strong class="userinput"><code>example.com</code></strong>, issue the command:
    </p>
    <p>
      <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 example.com</code></strong>
    </p>
    <p>
      The command would print a string of the form:
    </p>
    <p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
    </p>
    <p>
      In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
      the files <code class="filename">Kexample.com.+013+26160.key</code>
      and
      <code class="filename">Kexample.com.+013+26160.private</code>.
    </p>
    <p>
      To generate a matching key-signing key, issue the command:
    </p>
    <p>
      <strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</code></strong>
    </p>
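<p>
  The key naming covered under GENERATED KEYS and illustrated in this EXAMPLE section, as an added example that is not part of this manual page or of BIND 9: it maps an -a argument (including the -3 and abbreviation rules) to its numeric algorithm, builds the DNSKEY flags that -f KSK and -f REVOKE set, computes the key identifier (footprint) with the RFC 4034 Appendix B key-tag algorithm, and formats the Knnnn.+aaa+iiiii string. SAMPLE_PUBLIC_KEY is a constructed stand-in, not a real key, so the tag it yields differs from the 26160 shown above.
</p>

```python
"""Key naming as described under GENERATED KEYS and EXAMPLE.

Added example, not code from BIND 9 or ISC.  SAMPLE_PUBLIC_KEY is a
constructed stand-in for illustration and is not a real key; the key tag
follows RFC 4034 Appendix B, the algorithm numbers are the IANA values.
"""
import struct

# IANA DNSSEC algorithm numbers for the algorithms -a accepts.
ALGORITHM_NUMBERS = {
    "RSASHA1": 5,
    "NSEC3RSASHA1": 7,
    "RSASHA256": 8,
    "RSASHA512": 10,
    "ECDSAP256SHA256": 13,
    "ECDSAP384SHA384": 14,
    "ED25519": 15,
    "ED448": 16,
}
# Abbreviations the man page says are accepted.
ALGORITHM_ALIASES = {"ECDSA256": "ECDSAP256SHA256", "ECDSA384": "ECDSAP384SHA384"}

# DNSKEY flag bits: ZONE and SEP (KSK) from RFC 4034, REVOKE from RFC 5011.
FLAG_ZONE = 0x0100
FLAG_SEP = 0x0001
FLAG_REVOKE = 0x0080

# Constructed 8-byte stand-in for a public key (a real P-256 key is 64 bytes).
SAMPLE_PUBLIC_KEY = bytes(range(8))


def algorithm_number(name: str, nsec3: bool = False) -> int:
    """Resolve an -a value (case-insensitive) to its number; nsec3 models -3."""
    name = name.upper()
    name = ALGORITHM_ALIASES.get(name, name)
    if nsec3 and name == "RSASHA1":
        name = "NSEC3RSASHA1"  # -3a RSASHA1 selects NSEC3RSASHA1
    if name not in ALGORITHM_NUMBERS:
        raise ValueError(f"unsupported DNSSEC algorithm: {name}")
    return ALGORITHM_NUMBERS[name]


def dnskey_flags(ksk: bool = False, revoke: bool = False) -> int:
    """Flags field for a -n ZONE key, with -f KSK and/or -f REVOKE applied."""
    flags = FLAG_ZONE
    if ksk:
        flags |= FLAG_SEP
    if revoke:
        flags |= FLAG_REVOKE
    return flags


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes,
                 protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags (16 bits), protocol, algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA.

    Sum the RDATA as big-endian 16-bit words (a trailing odd byte counts
    as a high byte), fold the carry back in, and keep the low 16 bits.
    """
    acc = 0
    for i in range(0, len(rdata), 2):
        word = rdata[i] << 8
        if i + 1 < len(rdata):
            word |= rdata[i + 1]
        acc += word
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def key_file_basename(zone: str, algorithm: int, tag: int) -> str:
    """Knnnn.+aaa+iiiii: zone with trailing dot, 3-digit algorithm, 5-digit tag."""
    if not zone.endswith("."):
        zone += "."
    return f"K{zone}+{algorithm:03d}+{tag:05d}"


def identification_string(zone: str, algorithm_name: str, public_key: bytes,
                          ksk: bool = False) -> str:
    """Tie the steps together: the string dnssec-keygen would print for this key."""
    alg = algorithm_number(algorithm_name)
    tag = key_tag(dnskey_rdata(dnskey_flags(ksk=ksk), alg, public_key))
    return key_file_basename(zone, alg, tag)


if __name__ == "__main__":
    # The .key and .private files are named from this string.
    print(identification_string("example.com", "ECDSAP256SHA256",
                                SAMPLE_PUBLIC_KEY, ksk=True))
```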
  </div>

  <div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>

    <p><span class="citerefentry">
	<span class="refentrytitle">dnssec-signzone</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 2539</em>,
      <em class="citetitle">RFC 2845</em>,
      <em class="citetitle">RFC 4034</em>.
    </p>
  </div>

</div></body>
</html>