DNSSEC-KEYGEN(8)                      BIND9                      DNSSEC-KEYGEN(8)

NAME
dnssec-keygen - DNSSEC key generation tool

SYNOPSIS
dnssec-keygen [-a algorithm] [-b keysize] [-n nametype] [-3] [-A date/offset] [-C] [-c class] [-D date/offset] [-E engine] [-f flag] [-G] [-g generator] [-h] [-I date/offset] [-i interval] [-K directory] [-L ttl] [-k] [-P date/offset] [-p protocol] [-q] [-R date/offset] [-r randomdev] [-S key] [-s strength] [-t type] [-v level] [-V] [-z] {name}
DESCRIPTION
dnssec-keygen generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
The name of the key is specified on the command line. For DNSSEC keys, this must match the name of the zone for which the key is being generated.
OPTIONS
-a algorithm
If no algorithm is specified, then RSASHA1 will be used by default, unless the -3 option is specified, in which case NSEC3RSASHA1 will be used instead. (If -3 is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3.)
Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is mandatory.
Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512 automatically set the -T KEY option.
-b keysize
The key size does not need to be specified if using a default algorithm. The default key size is 1024 bits for zone signing keys (ZSKs) and 2048 bits for key signing keys (KSKs, generated with -f KSK). However, if an algorithm is explicitly specified with -a, then there is no default key size, and -b must be used.
-n nametype
-3
-C
-c class
-E engine
When BIND is built with OpenSSL PKCS#11 support, this defaults to the string "pkcs11", which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND is built with native PKCS#11 cryptography (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified via "--with-pkcs11".
-f flag
-G
-g generator
-h
-K directory
-k
-L ttl
-p protocol
-q
-r randomdev
-S key
-s strength
-T rrtype
-t type
-v level
-V
TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24-hour days, ignoring leap years), months (defined as 30 24-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To explicitly prevent a date from being set, use 'none' or 'never'.
-P date/offset
-A date/offset
-R date/offset
-I date/offset
-D date/offset
-i interval
If the key is being created as an explicit successor to another key, then the default prepublication interval is 30 days; otherwise it is zero.
As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
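The date/offset and interval syntax above is easy to get subtly wrong in tooling that wraps dnssec-keygen (a month is 30 days, not a calendar month; '+90' is seconds, not days). The following parser, added here as an illustration and not part of BIND or its source, implements exactly the rules this section states. It assumes absolute YYYYMMDD / YYYYMMDDHHMMSS dates are UTC, and the function names (parse_offset_seconds, parse_interval_seconds, parse_date_or_offset, resolve_timing) are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Suffix multipliers exactly as the man page defines them:
# a year is 365 24-hour days (leap years ignored), a month is 30 24-hour days.
SUFFIX_SECONDS = {
    "y": 365 * 86400,
    "mo": 30 * 86400,
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
}

_COUNT = r"(\d+)(y|mo|w|d|h|mi)?"
_OFFSET_RE = re.compile(r"([+-])" + _COUNT)
_INTERVAL_RE = re.compile(_COUNT)


def _scaled_seconds(digits, suffix):
    """Multiply a count by its suffix; no suffix means plain seconds."""
    return int(digits) * (SUFFIX_SECONDS[suffix] if suffix else 1)


def parse_offset_seconds(arg):
    """Parse a relative argument such as '+30d' or '-1mo' into signed seconds."""
    m = _OFFSET_RE.fullmatch(arg)
    if m is None:
        raise ValueError("not a +/- offset: %r" % arg)
    sign, digits, suffix = m.groups()
    seconds = _scaled_seconds(digits, suffix)
    return -seconds if sign == "-" else seconds


def parse_interval_seconds(arg):
    """Parse an -i interval ('30d', '12h', '900') into seconds; no sign allowed."""
    m = _INTERVAL_RE.fullmatch(arg)
    if m is None:
        raise ValueError("not an interval: %r" % arg)
    return _scaled_seconds(*m.groups())


def parse_date_or_offset(arg, now=None):
    """Resolve a -P/-A/-R/-I/-D argument to a timezone-aware UTC datetime.

    Returns None for 'none'/'never' (the date is explicitly left unset).
    Absolute dates are treated as UTC (an assumption of this example).
    """
    if arg.lower() in ("none", "never"):
        return None
    if arg[:1] in ("+", "-"):
        base = now if now is not None else datetime.now(timezone.utc)
        return base + timedelta(seconds=parse_offset_seconds(arg))
    if re.fullmatch(r"\d{8}", arg):
        parsed = datetime.strptime(arg, "%Y%m%d")
    elif re.fullmatch(r"\d{14}", arg):
        parsed = datetime.strptime(arg, "%Y%m%d%H%M%S")
    else:
        raise ValueError("expected YYYYMMDD, YYYYMMDDHHMMSS, +/-offset or none/never: %r" % arg)
    return parsed.replace(tzinfo=timezone.utc)


def default_prepublication_seconds(successor_of):
    """-i default: 30 days when the key is an explicit successor, otherwise zero."""
    return 30 * 86400 if successor_of else 0


def resolve_timing(args, now, successor_of=None):
    """Map {'-P': '+0', '-A': '+30d', ...} to datetimes (or None); '-i' to seconds.

    Options not given are omitted, except '-i', which gets its documented default.
    """
    out = {}
    for opt, val in args.items():
        if opt == "-i":
            out[opt] = parse_interval_seconds(val)
        else:
            out[opt] = parse_date_or_offset(val, now=now)
    if "-i" not in out:
        out["-i"] = default_prepublication_seconds(successor_of)
    return out


if __name__ == "__main__":
    # Constructed inputs: publish now, activate in 30 days, as a successor key.
    base = parse_date_or_offset("20140206")
    print(resolve_timing({"-P": "+0", "-A": "+30d"}, now=base, successor_of="some-key"))
```

Passing an explicit `now` keeps the computation reproducible; in an automated rollover script that is also what lets you log the resolved absolute dates next to the dnssec-keygen invocation for later audit.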
GENERATED KEYS
When dnssec-keygen completes successfully, it prints a string of the form Knnnn.+aaa+iiiii to the standard output. This is an identification string for the key it has generated.
- nnnn is the key name.
- aaa is the numeric representation of the algorithm.
- iiiii is the key identifier (or footprint).
dnssec-keygen creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key contains the public key, and Knnnn.+aaa+iiiii.private contains the private key.
The .key file contains a DNS KEY record that can be inserted into a zone file (directly or with a $INCLUDE statement).
The .private file contains algorithm-specific fields. For obvious security reasons, this file does not have general read permission.
Both .key and .private files are generated for symmetric encryption algorithms such as HMAC-MD5, even though the public and private key are equivalent.
EXAMPLE
To generate a 768-bit DSA key for the domain example.com, the following command would be issued:
dnssec-keygen -a DSA -b 768 -n ZONE example.com
The command would print a string of the form:
Kexample.com.+003+26160
In this example, dnssec-keygen creates the files Kexample.com.+003+26160.key and Kexample.com.+003+26160.private.
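Scripts that drive dnssec-keygen usually need to take the printed identification string, locate the two files it names, and confirm the .private file really is not generally readable, as the GENERATED KEYS section requires. The code below, an added example rather than anything from BIND, does that for the Kexample.com.+003+26160 string above. The function names (parse_key_id, key_file_names, key_id_for, private_mode_is_protected, check_key_pair) are this example's own; the algorithm numbers in ALGORITHM_NUMBERS are taken from the IANA DNSSEC algorithm registry, not from this page.

```python
import os
import re
import stat
from collections import namedtuple

KeyId = namedtuple("KeyId", ["name", "algorithm", "keyid"])

# Knnnn.+aaa+iiiii: the name may itself contain dots (and ends with one, as in
# the example), aaa is a 3-digit algorithm number, iiiii a 5-digit key id.
_KEY_ID_RE = re.compile(r"K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<id>\d{5})")

# IANA DNSSEC algorithm numbers for the algorithms this man page names
# (registry values, assumed here rather than taken from the page).
ALGORITHM_NUMBERS = {"DSA": 3, "RSASHA1": 5, "NSEC3RSASHA1": 7}


def parse_key_id(ident):
    """Split an identification string into (name, algorithm, keyid)."""
    m = _KEY_ID_RE.fullmatch(ident.strip())
    if m is None:
        raise ValueError("not a Knnnn.+aaa+iiiii string: %r" % ident)
    return KeyId(m.group("name"), int(m.group("alg")), int(m.group("id")))


def key_id_for(name, algorithm, keyid):
    """Build the identification string for a zone name, algorithm number and key id."""
    if not name.endswith("."):
        name += "."  # the printed string carries the fully qualified name
    return "K%s+%03d+%05d" % (name, algorithm, keyid)


def key_file_names(ident, directory="."):
    """Return the (.key, .private) paths dnssec-keygen writes for this id."""
    parse_key_id(ident)  # reject anything that is not a valid id before building paths
    base = os.path.join(directory, ident.strip())
    return base + ".key", base + ".private"


def private_mode_is_protected(mode):
    """The .private file must grant no permission bits to group or other."""
    return stat.S_IMODE(mode) & 0o077 == 0


def private_file_is_protected(path):
    """Stat a .private file on disk and apply the same check."""
    return private_mode_is_protected(os.stat(path).st_mode)


def check_key_pair(ident, directory="."):
    """Report which generated files exist and whether .private is protected."""
    pub, priv = key_file_names(ident, directory)
    report = {
        "key_exists": os.path.exists(pub),
        "private_exists": os.path.exists(priv),
    }
    report["private_protected"] = (
        report["private_exists"] and private_file_is_protected(priv)
    )
    return report


if __name__ == "__main__":
    # The identification string printed in the man page's own example.
    ident = "Kexample.com.+003+26160"
    print(parse_key_id(ident))
    print(key_file_names(ident, directory="/etc/bind/keys"))  # constructed directory
    print(check_key_pair(ident))
```

The permission check is deliberately strict (no group or other bits at all); if the zone is signed by a separate service account that needs group read, relax the mask consciously rather than silently accepting whatever mode the file happens to have.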
SEE ALSO
dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 2539, RFC 2845, RFC 4034.
AUTHOR
Internet Systems Consortium
COPYRIGHT
Copyright © 2004, 2005, 2007-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
Copyright © 2000-2003 Internet Software Consortium.
February 6, 2014 | BIND9 |