.\" Copyright (C) 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.\" 
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\"     Title: dnssec-keygen
.\"    Author: 
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\"      Date: August 21, 2015
.\"    Manual: BIND9
.\"    Source: ISC
.\"  Language: English
.\"
.TH "DNSSEC\-KEYGEN" "8" "August 21, 2015" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-keygen \- DNSSEC key generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-keygen\fR\ 'u
\fBdnssec\-keygen\fR [\fB\-a\ \fR\fB\fIalgorithm\fR\fR] [\fB\-b\ \fR\fB\fIkeysize\fR\fR] [\fB\-n\ \fR\fB\fInametype\fR\fR] [\fB\-3\fR] [\fB\-A\ \fR\fB\fIdate/offset\fR\fR] [\fB\-C\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-D\ \fR\fB\fIdate/offset\fR\fR] [\fB\-D\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-E\ \fR\fB\fIengine\fR\fR] [\fB\-f\ \fR\fB\fIflag\fR\fR] [\fB\-G\fR] [\fB\-g\ \fR\fB\fIgenerator\fR\fR] [\fB\-h\fR] [\fB\-I\ \fR\fB\fIdate/offset\fR\fR] [\fB\-i\ \fR\fB\fIinterval\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-k\fR] [\fB\-L\ \fR\fB\fIttl\fR\fR] [\fB\-P\ \fR\fB\fIdate/offset\fR\fR] [\fB\-P\ sync\ \fR\fB\fIdate/offset\fR\fR] [\fB\-p\ \fR\fB\fIprotocol\fR\fR] [\fB\-q\fR] [\fB\-R\ \fR\fB\fIdate/offset\fR\fR] [\fB\-S\ \fR\fB\fIkey\fR\fR] [\fB\-s\ \fR\fB\fIstrength\fR\fR] [\fB\-t\ \fR\fB\fItype\fR\fR] [\fB\-V\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-z\fR] {name}
.SH "DESCRIPTION"
.PP
\fBdnssec\-keygen\fR
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034\&. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930\&.
.PP
The
\fBname\fR
of the key is specified on the command line\&. For DNSSEC keys, this must match the name of the zone for which the key is being generated\&.
.PP
The
\fBdnssec\-keymgr\fR
command acts as a wrapper around
\fBdnssec\-keygen\fR, generating and updating keys as needed to enforce defined security policies such as key rollover scheduling\&. Using
\fBdnssec\-keymgr\fR
may be preferable to direct use of
\fBdnssec\-keygen\fR\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
must be one of RSAMD5, RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TKEY, the value must be DH (Diffie Hellman); specifying this value will automatically set the
\fB\-T KEY\fR
option as well\&.
.sp
These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 is specified along with the
\fB\-3\fR
option, then NSEC3RSASHA1 will be used instead\&.
.sp
This parameter
\fImust\fR
be specified except when using the
\fB\-S\fR
option, which copies the algorithm from the predecessor key\&.
.sp
In prior releases, HMAC algorithms could be generated for use as TSIG keys, but that feature has been removed as of BIND 9\&.13\&.0\&. Use
\fBtsig\-keygen\fR
to generate TSIG keys\&.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
\fB\-f KSK\fR) default to 2048 bits\&.
.RE
.PP
\-n \fInametype\fR
.RS 4
Specifies the owner type of the key\&. The value of
\fBnametype\fR
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user (KEY)) or OTHER (DNSKEY)\&. These values are case insensitive\&. Defaults to ZONE for DNSKEY generation\&.
.RE
.PP
\-3
.RS 4
Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
\fBdnssec\-keygen \-3a RSASHA1\fR
specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-C
.RS 4
Compatibility mode: generates an old\-style key, without any metadata\&. By default,
\fBdnssec\-keygen\fR
will include the key\*(Aqs creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc)\&. Keys that include this data may be incompatible with older versions of BIND; the
\fB\-C\fR
option suppresses them\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Indicates that the DNS record containing the key should have the specified class\&. If not specified, class IN is used\&.
.RE
.PP
\-E \fIengine\fR
.RS 4
Specifies the cryptographic hardware to use, when applicable\&.
.sp
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module\&. When BIND is built with native PKCS#11 cryptography (\-\-enable\-native\-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "\-\-with\-pkcs11"\&.
.RE
.PP
\-f \fIflag\fR
.RS 4
Set the specified flag in the flag field of the KEY/DNSKEY record\&. The only recognized flags are KSK (Key Signing Key) and REVOKE\&.
.RE
.PP
\-G
.RS 4
Generate a key, but do not publish it or sign with it\&. This option is incompatible with \-P and \-A\&.
.RE
.PP
\-g \fIgenerator\fR
.RS 4
If generating a Diffie Hellman key, use this generator\&. Allowed values are 2 and 5\&. If no generator is specified, a known prime from RFC 2539 will be used if possible; otherwise the default is 2\&.
.RE
.PP
\-h
.RS 4
Prints a short summary of the options and arguments to
\fBdnssec\-keygen\fR\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Sets the directory in which the key files are to be written\&.
.RE
.PP
\-k
.RS 4
Deprecated in favor of \-T KEY\&.
.RE
.PP
\-L \fIttl\fR
.RS 4
Sets the default TTL to use for this key when it is converted into a DNSKEY RR\&. If the key is imported into a zone, this is the TTL that will be used for it, unless there was already a DNSKEY RRset in place, in which case the existing TTL would take precedence\&. If this value is not set and there is no existing DNSKEY RRset, the TTL will default to the SOA TTL\&. Setting the default TTL to
0
or
none
is the same as leaving it unset\&.
.RE
.PP
\-p \fIprotocol\fR
.RS 4
Sets the protocol value for the generated key\&. The protocol is a number between 0 and 255\&. The default is 3 (DNSSEC)\&. Other possible values for this argument are listed in RFC 2535 and its successors\&.
.RE
.PP
\-q
.RS 4
Quiet mode: Suppresses unnecessary output, including progress indication\&. Without this option, when
\fBdnssec\-keygen\fR
is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to
stderr
indicating the progress of the key generation\&. A \*(Aq\&.\*(Aq indicates that a random number has been found which passed an initial sieve test; \*(Aq+\*(Aq means a number has passed a single round of the Miller\-Rabin primality test; a space means that the number has passed all the tests and is a satisfactory key\&.
.RE
.PP
\-S \fIkey\fR
.RS 4
Create a new key which is an explicit successor to an existing key\&. The name, algorithm, size, and type of the key will be set to match the existing key\&. The activation date of the new key will be set to the inactivation date of the existing one\&. The publication date will be set to the activation date minus the prepublication interval, which defaults to 30 days\&.
.RE
.PP
\-s \fIstrength\fR
.RS 4
Specifies the strength value of the key\&. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC\&.
.RE
.PP
\-T \fIrrtype\fR
.RS 4
Specifies the resource record type to use for the key\&.
\fBrrtype\fR
must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
Specifying any TSIG algorithm (HMAC\-* or DH) with
\fB\-a\fR
forces this option to KEY\&.
.RE
.PP
\-t \fItype\fR
.RS 4
Indicates the use of the key\&.
\fBtype\fR
must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF\&. The default is AUTHCONF\&. AUTH refers to the ability to authenticate data, and CONF the ability to encrypt data\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.SH "TIMING OPTIONS"
.PP
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS\&. If the argument begins with a \*(Aq+\*(Aq or \*(Aq\-\*(Aq, it is interpreted as an offset from the present time\&. For convenience, if such an offset is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the offset is computed in years (defined as 365 24\-hour days, ignoring leap years), months (defined as 30 24\-hour days), weeks, days, hours, or minutes, respectively\&. Without a suffix, the offset is computed in seconds\&. To explicitly prevent a date from being set, use \*(Aqnone\*(Aq or \*(Aqnever\*(Aq\&.
.PP
\-P \fIdate/offset\fR
.RS 4
Sets the date on which a key is to be published to the zone\&. After that date, the key will be included in the zone but will not be used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&.
.RE
.PP
\-P sync \fIdate/offset\fR
.RS 4
Sets the date on which CDS and CDNSKEY records that match this key are to be published to the zone\&.
.RE
.PP
\-A \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be activated\&. After that date, the key will be included in the zone and used to sign it\&. If not set, and if the \-G option has not been used, the default is "now"\&. If set, and if \-P is not set, then the publication date will be set to the activation date minus the prepublication interval\&.
.RE
.PP
\-R \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be revoked\&. After that date, the key will be flagged as revoked\&. It will be included in the zone and will be used to sign it\&.
.RE
.PP
\-I \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be retired\&. After that date, the key will still be included in the zone, but it will not be used to sign it\&.
.RE
.PP
\-D \fIdate/offset\fR
.RS 4
Sets the date on which the key is to be deleted\&. After that date, the key will no longer be included in the zone\&. (It may remain in the key repository, however\&.)
.RE
.PP
\-D sync \fIdate/offset\fR
.RS 4
Sets the date on which the CDS and CDNSKEY records that match this key are to be deleted\&.
.RE
.PP
\-i \fIinterval\fR
.RS 4
Sets the prepublication interval for a key\&. If set, then the publication and activation dates must be separated by at least this much time\&. If the activation date is specified but the publication date isn\*(Aqt, then the publication date will default to this much time before the activation date; conversely, if the publication date is specified but activation date isn\*(Aqt, then activation will be set to this much time after publication\&.
.sp
If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero\&.
.sp
As with date offsets, if the argument is followed by one of the suffixes \*(Aqy\*(Aq, \*(Aqmo\*(Aq, \*(Aqw\*(Aq, \*(Aqd\*(Aq, \*(Aqh\*(Aq, or \*(Aqmi\*(Aq, then the interval is measured in years, months, weeks, days, hours, or minutes, respectively\&. Without a suffix, the interval is measured in seconds\&.
.RE
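.PP
The following shell script is an added example, not part of this manual page or of BIND\&. It models the date/offset syntax described at the start of this section together with the \-P, \-A and \-i interaction in plain POSIX sh, so that a planned publication/activation schedule can be checked before a key is generated\&. The helper names (duration_to_seconds, offset_to_seconds, plan_publish_activate) are the example\*(Aqs own, and it assumes \-G was not given, so an unset date defaults to "now"\&.

```shell
#!/bin/sh
# Added example (not BIND code): model dnssec-keygen's relative date syntax
# and the -P / -A / -i interaction. Helper names are this example's own.

# Convert an unsigned interval such as "30d", "2y", "90mi" or "3600" into
# seconds, using the manual page's definitions: a year is 365 24-hour days,
# a month is 30 24-hour days, and no suffix means seconds.
# Returns 1 if the argument is not a decimal integer with a known suffix.
duration_to_seconds() {
    num=$1
    case "$num" in
        *mo) unit=$((30 * 86400));  num=${num%mo} ;;
        *mi) unit=60;               num=${num%mi} ;;
        *y)  unit=$((365 * 86400)); num=${num%y} ;;
        *w)  unit=$((7 * 86400));   num=${num%w} ;;
        *d)  unit=86400;            num=${num%d} ;;
        *h)  unit=3600;             num=${num%h} ;;
        *)   unit=1 ;;
    esac
    case "$num" in
        ''|*[!0-9]*) return 1 ;;      # must be a non-empty decimal integer
    esac
    echo $((num * unit))
}

# Convert a signed offset ("+30d", "-1mo", "+3600") into signed seconds
# relative to now. An argument without a leading sign is an absolute date
# (YYYYMMDD or YYYYMMDDHHMMSS), not an offset, so it is rejected here with
# return 1, as are the words "none" and "never".
offset_to_seconds() {
    case "$1" in
        +*) duration_to_seconds "${1#+}" ;;
        -*) secs=$(duration_to_seconds "${1#-}") || return 1
            echo $((0 - secs)) ;;
        *)  return 1 ;;
    esac
}

# Resolve publication and activation the way the -P, -A and -i descriptions
# specify. $1 is the -P offset or "unset", $2 the -A offset or "unset",
# $3 the -i interval (default 0). Results are left in PUBLISH_SECS and
# ACTIVATE_SECS as seconds from now. Assumes -G was not given, so an unset
# date defaults to now. Returns 2 when both dates are given but are closer
# together than the interval requires.
plan_publish_activate() {
    pub=$1; act=$2
    ival=$(duration_to_seconds "${3:-0}") || return 1
    if [ "$pub" != unset ]; then
        pub_s=$(offset_to_seconds "$pub") || return 1
    fi
    if [ "$act" != unset ]; then
        act_s=$(offset_to_seconds "$act") || return 1
    fi
    if [ "$pub" = unset ] && [ "$act" = unset ]; then
        pub_s=0; act_s=0                      # both default to "now"
    elif [ "$pub" = unset ]; then
        pub_s=$((act_s - ival))               # publish interval before activation
    elif [ "$act" = unset ]; then
        act_s=$((pub_s + ival))               # activate interval after publication
    elif [ $((act_s - pub_s)) -lt "$ival" ]; then
        return 2                              # dates violate the interval
    fi
    PUBLISH_SECS=$pub_s
    ACTIVATE_SECS=$act_s
}

# Usage: the successor-key default, publishing 30 days before activation.
plan_publish_activate unset +1d 30d &&
    echo "publish at now${PUBLISH_SECS}s, activate at now+${ACTIVATE_SECS}s"
```
.PP
Run it with sh; the call at the end reproduces the 30\-day prepublication default used for successor keys, and a non\-zero exit from plan_publish_activate means the requested \-P and \-A dates do not leave room for the \-i interval\&.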
.SH "GENERATED KEYS"
.PP
When
\fBdnssec\-keygen\fR
completes successfully, it prints a string of the form
Knnnn\&.+aaa+iiiii
to the standard output\&. This is an identification string for the key it has generated\&.
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
nnnn
is the key name\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
aaa
is the numeric representation of the algorithm\&.
.RE
.sp
.RS 4
.ie n \{\
\h'-04'\(bu\h'+03'\c
.\}
.el \{\
.sp -1
.IP \(bu 2.3
.\}
iiiii
is the key identifier (or footprint)\&.
.RE
.PP
\fBdnssec\-keygen\fR
creates two files, with names based on the printed string\&.
Knnnn\&.+aaa+iiiii\&.key
contains the public key, and
Knnnn\&.+aaa+iiiii\&.private
contains the private key\&.
.PP
The
\&.key
file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement)\&.
.PP
The
\&.private
file contains algorithm\-specific fields\&. For obvious security reasons, this file does not have general read permission\&.
.PP
Both
\&.key
and
\&.private
files are generated for symmetric cryptography algorithms such as HMAC\-MD5, even though the public and private key are equivalent\&.
.SH "EXAMPLE"
.PP
To generate a 768\-bit DSA key for the domain
\fBexample\&.com\fR, the following command would be issued:
.PP
\fBdnssec\-keygen \-a DSA \-b 768 \-n ZONE example\&.com\fR
.PP
The command would print a string of the form:
.PP
\fBKexample\&.com\&.+003+26160\fR
.PP
In this example,
\fBdnssec\-keygen\fR
creates the files
Kexample\&.com\&.+003+26160\&.key
and
Kexample\&.com\&.+003+26160\&.private\&.
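.PP
The following shell script is an added example, not part of this manual page or of BIND\&. It parses the identification string printed above (the Knnnn\&.+aaa+iiiii form from the GENERATED KEYS section) into its name, algorithm and key identifier fields, maps the algorithm number to its mnemonic using the IANA DNS security algorithm registry values, derives the \&.key and \&.private file names, and checks that a \&.private file is not readable by group or others\&. The helper names (algorithm_name, parse_keyid, private_key_perms_ok) are the example\*(Aqs own\&.

```shell
#!/bin/sh
# Added example (not BIND code): parse a dnssec-keygen identification string
# such as "Kexample.com.+003+26160", derive the key file names, and verify
# the .private file's permissions. Helper names are this example's own.

# Map the numeric algorithm field to its DNSSEC algorithm mnemonic
# (values from the IANA DNS Security Algorithm Numbers registry).
algorithm_name() {
    case "$1" in
        1)  echo RSAMD5 ;;
        2)  echo DH ;;
        3)  echo DSA ;;
        5)  echo RSASHA1 ;;
        7)  echo NSEC3RSASHA1 ;;
        8)  echo RSASHA256 ;;
        10) echo RSASHA512 ;;
        13) echo ECDSAP256SHA256 ;;
        14) echo ECDSAP384SHA384 ;;
        15) echo ED25519 ;;
        16) echo ED448 ;;
        *)  echo UNKNOWN ;;
    esac
}

# Split "Knnnn.+aaa+iiiii" into KEY_NAME, KEY_ALG (decimal), KEY_ALGNAME and
# KEY_ID (as printed), and set KEY_PUBFILE / KEY_PRIVFILE to the names of the
# two files dnssec-keygen writes. Returns 1 on a malformed string.
parse_keyid() {
    case "$1" in
        K*+*+*) ;;
        *) return 1 ;;
    esac
    rest=${1#K}
    KEY_NAME=${rest%%+*}          # key name: everything before the first '+'
    rest=${rest#*+}
    alg=${rest%%+*}               # zero-padded algorithm number, e.g. 003
    KEY_ID=${rest#*+}             # key identifier (footprint), e.g. 26160
    case "$alg" in ''|*[!0-9]*) return 1 ;; esac
    case "$KEY_ID" in ''|*[!0-9]*) return 1 ;; esac
    while [ "${alg#0}" != "$alg" ] && [ -n "${alg#0}" ]; do
        alg=${alg#0}              # strip leading zeros without octal parsing
    done
    KEY_ALG=$alg
    KEY_ALGNAME=$(algorithm_name "$alg")
    KEY_PUBFILE="$1.key"
    KEY_PRIVFILE="$1.private"
}

# Return 0 if the file's group and other permission bits carry no read
# permission, which is how dnssec-keygen writes the .private file; otherwise
# report the mode on stderr and return 1. Uses ls(1) to stay portable.
private_key_perms_ok() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "${mode#????}" in        # columns 5-10: group and other triples
        *r*) echo "$1 is readable by group/others: $mode" >&2; return 1 ;;
    esac
    return 0
}

# Usage with the identifier from the manual page's EXAMPLE section.
parse_keyid "Kexample.com.+003+26160" &&
    echo "$KEY_NAME alg=$KEY_ALG ($KEY_ALGNAME) id=$KEY_ID -> $KEY_PRIVFILE"
```
.PP
Run it with sh; after generating a key, calling private_key_perms_ok on the \&.private file confirms that the permissions described under GENERATED KEYS survived any copy or checkout of the key directory\&.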
.SH "SEE ALSO"
.PP
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 2539,
RFC 2845,
RFC 4034\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2000-2005, 2007-2012, 2014-2018 Internet Systems Consortium, Inc. ("ISC")
.br