360 lines
12 KiB
Plaintext
360 lines
12 KiB
Plaintext
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
|
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
|
|
[<!ENTITY mdash "—">]>
|
|
<!--
|
|
- Copyright (C) 2004, 2005, 2007 Internet Systems Consortium, Inc. ("ISC")
|
|
- Copyright (C) 2000-2003 Internet Software Consortium.
|
|
-
|
|
- Permission to use, copy, modify, and distribute this software for any
|
|
- purpose with or without fee is hereby granted, provided that the above
|
|
- copyright notice and this permission notice appear in all copies.
|
|
-
|
|
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
|
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
|
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
|
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
|
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
|
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
|
- PERFORMANCE OF THIS SOFTWARE.
|
|
-->
|
|
|
|
<!-- Id: dnssec-keygen.docbook,v 1.7.18.9 2007/01/29 23:57:20 marka Exp -->
|
|
<refentry id="man.dnssec-keygen">
|
|
<refentryinfo>
|
|
<date>June 30, 2000</date>
|
|
</refentryinfo>
|
|
|
|
<refmeta>
|
|
<refentrytitle><application>dnssec-keygen</application></refentrytitle>
|
|
<manvolnum>8</manvolnum>
|
|
<refmiscinfo>BIND9</refmiscinfo>
|
|
</refmeta>
|
|
|
|
<refnamediv>
|
|
<refname><application>dnssec-keygen</application></refname>
|
|
<refpurpose>DNSSEC key generation tool</refpurpose>
|
|
</refnamediv>
|
|
|
|
<docinfo>
|
|
<copyright>
|
|
<year>2004</year>
|
|
<year>2005</year>
|
|
<year>2007</year>
|
|
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
|
|
</copyright>
|
|
<copyright>
|
|
<year>2000</year>
|
|
<year>2001</year>
|
|
<year>2002</year>
|
|
<year>2003</year>
|
|
<holder>Internet Software Consortium.</holder>
|
|
</copyright>
|
|
</docinfo>
|
|
|
|
<refsynopsisdiv>
|
|
<cmdsynopsis>
|
|
<command>dnssec-keygen</command>
|
|
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
|
|
<arg choice="req">-b <replaceable class="parameter">keysize</replaceable></arg>
|
|
<arg choice="req">-n <replaceable class="parameter">nametype</replaceable></arg>
|
|
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
|
|
<arg><option>-e</option></arg>
|
|
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
|
|
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
|
|
<arg><option>-h</option></arg>
|
|
<arg><option>-k</option></arg>
|
|
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
|
|
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
|
|
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
|
|
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
|
|
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
|
|
<arg choice="req">name</arg>
|
|
</cmdsynopsis>
|
|
</refsynopsisdiv>
|
|
|
|
<refsect1>
|
|
<title>DESCRIPTION</title>
|
|
<para><command>dnssec-keygen</command>
|
|
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
|
|
and RFC <TBA\>. It can also generate keys for use with
|
|
TSIG (Transaction Signatures), as defined in RFC 2845.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>OPTIONS</title>
|
|
|
|
<variablelist>
|
|
<varlistentry>
|
|
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
Selects the cryptographic algorithm. The value of
|
|
<option>algorithm</option> must be one of RSAMD5 (RSA) or RSASHA1,
|
|
DSA, DH (Diffie Hellman), or HMAC-MD5. These values
|
|
are case insensitive.
|
|
</para>
|
|
<para>
|
|
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
|
|
algorithm,
|
|
and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
|
|
</para>
|
|
<para>
|
|
Note 2: HMAC-MD5 and DH automatically set the -k flag.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-b <replaceable class="parameter">keysize</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
Specifies the number of bits in the key. The choice of key
|
|
size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be
|
|
between
|
|
512 and 2048 bits. Diffie Hellman keys must be between
|
|
128 and 4096 bits. DSA keys must be between 512 and 1024
|
|
bits and an exact multiple of 64. HMAC-MD5 keys must be
|
|
between 1 and 512 bits.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-n <replaceable class="parameter">nametype</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
Specifies the owner type of the key. The value of
|
|
<option>nametype</option> must either be ZONE (for a DNSSEC
|
|
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
|
|
a host (KEY)),
|
|
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
|
|
These values are
|
|
case insensitive.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-c <replaceable class="parameter">class</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
Indicates that the DNS record containing the key should have
|
|
the specified class. If not specified, class IN is used.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-e</term>
|
|
<listitem>
|
|
<para>
|
|
If generating an RSAMD5/RSASHA1 key, use a large exponent.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-f <replaceable class="parameter">flag</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
Set the specified flag in the flag field of the KEY/DNSKEY record.
|
|
The only recognized flag is KSK (Key Signing Key) DNSKEY.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-g <replaceable class="parameter">generator</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
If generating a Diffie Hellman key, use this generator.
|
|
Allowed values are 2 and 5. If no generator
|
|
is specified, a known prime from RFC 2539 will be used
|
|
if possible; otherwise the default is 2.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-h</term>
|
|
<listitem>
|
|
<para>
|
|
Prints a short summary of the options and arguments to
|
|
<command>dnssec-keygen</command>.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-k</term>
|
|
<listitem>
|
|
<para>
|
|
Generate KEY records rather than DNSKEY records.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-p <replaceable class="parameter">protocol</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
Sets the protocol value for the generated key. The protocol
|
|
is a number between 0 and 255. The default is 3 (DNSSEC).
|
|
Other possible values for this argument are listed in
|
|
RFC 2535 and its successors.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-r <replaceable class="parameter">randomdev</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
Specifies the source of randomness. If the operating
|
|
system does not provide a <filename>/dev/random</filename>
|
|
or equivalent device, the default source of randomness
|
|
is keyboard input. <filename>randomdev</filename>
|
|
specifies
|
|
the name of a character device or file containing random
|
|
data to be used instead of the default. The special value
|
|
<filename>keyboard</filename> indicates that keyboard
|
|
input should be used.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-s <replaceable class="parameter">strength</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
Specifies the strength value of the key. The strength is
|
|
a number between 0 and 15, and currently has no defined
|
|
purpose in DNSSEC.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-t <replaceable class="parameter">type</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
Indicates the use of the key. <option>type</option> must be
|
|
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
|
|
is AUTHCONF. AUTH refers to the ability to authenticate
|
|
data, and CONF the ability to encrypt data.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
<varlistentry>
|
|
<term>-v <replaceable class="parameter">level</replaceable></term>
|
|
<listitem>
|
|
<para>
|
|
Sets the debugging level.
|
|
</para>
|
|
</listitem>
|
|
</varlistentry>
|
|
|
|
</variablelist>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>GENERATED KEYS</title>
|
|
<para>
|
|
When <command>dnssec-keygen</command> completes
|
|
successfully,
|
|
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
|
|
to the standard output. This is an identification string for
|
|
the key it has generated.
|
|
</para>
|
|
<itemizedlist>
|
|
<listitem>
|
|
<para><filename>nnnn</filename> is the key name.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><filename>aaa</filename> is the numeric representation
|
|
of the
|
|
algorithm.
|
|
</para>
|
|
</listitem>
|
|
<listitem>
|
|
<para><filename>iiiii</filename> is the key identifier (or
|
|
footprint).
|
|
</para>
|
|
</listitem>
|
|
</itemizedlist>
|
|
<para><command>dnssec-keygen</command>
|
|
creates two file, with names based
|
|
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
|
|
contains the public key, and
|
|
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
|
|
private
|
|
key.
|
|
</para>
|
|
<para>
|
|
The <filename>.key</filename> file contains a DNS KEY record
|
|
that
|
|
can be inserted into a zone file (directly or with a $INCLUDE
|
|
statement).
|
|
</para>
|
|
<para>
|
|
The <filename>.private</filename> file contains algorithm
|
|
specific
|
|
fields. For obvious security reasons, this file does not have
|
|
general read permission.
|
|
</para>
|
|
<para>
|
|
Both <filename>.key</filename> and <filename>.private</filename>
|
|
files are generated for symmetric encryption algorithm such as
|
|
HMAC-MD5, even though the public and private key are equivalent.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>EXAMPLE</title>
|
|
<para>
|
|
To generate a 768-bit DSA key for the domain
|
|
<userinput>example.com</userinput>, the following command would be
|
|
issued:
|
|
</para>
|
|
<para><userinput>dnssec-keygen -a DSA -b 768 -n ZONE example.com</userinput>
|
|
</para>
|
|
<para>
|
|
The command would print a string of the form:
|
|
</para>
|
|
<para><userinput>Kexample.com.+003+26160</userinput>
|
|
</para>
|
|
<para>
|
|
In this example, <command>dnssec-keygen</command> creates
|
|
the files <filename>Kexample.com.+003+26160.key</filename>
|
|
and
|
|
<filename>Kexample.com.+003+26160.private</filename>
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>SEE ALSO</title>
|
|
<para><citerefentry>
|
|
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
|
|
</citerefentry>,
|
|
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
|
|
<citetitle>RFC 2535</citetitle>,
|
|
<citetitle>RFC 2845</citetitle>,
|
|
<citetitle>RFC 2539</citetitle>.
|
|
</para>
|
|
</refsect1>
|
|
|
|
<refsect1>
|
|
<title>AUTHOR</title>
|
|
<para><corpauthor>Internet Systems Consortium</corpauthor>
|
|
</para>
|
|
</refsect1>
|
|
|
|
</refentry><!--
|
|
- Local variables:
|
|
- mode: sgml
|
|
- End:
|
|
-->
|