dnssec-keygen man page on OpenIndiana


dnssec-keygen(1M)	System Administration Commands	     dnssec-keygen(1M)

NAME
       dnssec-keygen - DNSSEC key generation tool

SYNOPSIS
       dnssec-keygen -a algorithm -b keysize -n nametype [-ehk]
	    [-c class] [-f flag] [-g generator] [-p protocol]
	    [-r randomdev] [-s strength] [-t type] [-v level] name

DESCRIPTION
       The  dnssec-keygen  utility  generates keys for DNSSEC (Secure DNS), as
       defined in RFC 2535 and RFC 4034. It can also  generate	keys  for  use
       with TSIG (Transaction Signatures), as defined in RFC 2845.

OPTIONS
       The following options are supported:

       -a algorithm

	   Select the cryptographic algorithm. The value of algorithm must be
	   one of RSAMD5 (RSA), RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, DH
	   (Diffie-Hellman), or HMAC-MD5. These values are case insensitive.

	   For DNSSEC, RSASHA1 is a mandatory-to-implement algorithm and DSA
	   is recommended. For TSIG, HMAC-MD5 is mandatory.

	   Note -

	     HMAC-MD5 and DH automatically set the -k flag.

       -b keysize

	   Specify the number of bits in the  key.  The	 choice	 of  key  size
	   depends  on	the  algorithm	used.  RSAMD5 and RSASHA1 keys must be
	   between 512 and 2048 bits. Diffie-Hellman keys must be between  128
	   and	4096  bits.  DSA keys must be between 512 and 1024 bits and an
	   exact multiple of 64. HMAC-MD5 keys must be between 1 and 512 bits.

       -c class

	   Indicate that the DNS record containing the	key  should  have  the
	   specified class. If not specified, class IN is used.

       -e

	   Use a large exponent if generating an RSAMD5 or RSASHA1 key.

       -f flag

	   Set	the specified flag in the flag field of the KEY/DNSKEY record.
	   The only recognized flag is KSK (Key Signing Key) DNSKEY.

       -g generator

	   Use this generator if generating a Diffie-Hellman key. Allowed values
	   are 2 and 5. If no generator is specified, a known prime from
	   RFC 2539 will be used if possible; otherwise the default is 2.

       -h

	   Print a short summary of the options and arguments to dnssec-keygen.

       -k

	   Generate KEY records rather than DNSKEY records.

       -n nametype

	   Specify the owner type of the key. The value of nametype must
	   either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
	   (for a key associated with a host (KEY)), USER (for a key associated
	   with a user (KEY)), or OTHER (DNSKEY). These values are case
	   insensitive. Defaults to ZONE for DNSKEY generation.

       -p protocol

	   Set the protocol value for the generated key. The protocol argument
	   is a number between 0 and 255. The default is 3 (DNSSEC). Other
	   possible values for this argument are listed in RFC 2535 and its
	   successors.

       -r randomdev

	   Specify the source of randomness. If the operating system does not
	   provide a /dev/random or equivalent device, the default source of
	   randomness is keyboard input. randomdev specifies the name of a
	   character device or file containing random data to be used instead
	   of the default. The special value "keyboard" indicates that
	   keyboard input should be used.

       -s strength

	   Specify  the	 strength value of the key. The strength argument is a
	   number between 0 and 15, and currently has no  defined  purpose  in
	   DNSSEC.

       -t type

	   Indicate the use of the key. type must be one of AUTHCONF,
	   NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
	   to the ability to authenticate data, and CONF the ability to encrypt
	   data.

       -v level

	   Set the debugging level.

GENERATED KEYS
       When dnssec-keygen completes successfully, it prints a  string  of  the
       form Knnnn.+aaa+iiiii to the standard output. This is an identification
       string for the key it has generated.

	   o	  nnnn is the key name.

	   o	  aaa is the numeric representation of the algorithm.

	   o	  iiiii is the key identifier (or footprint).

       The dnssec-keygen utility creates two files, with names	based  on  the
       printed string.

	   o	  Knnnn.+aaa+iiiii.key contains the public key.

	   o	  Knnnn.+aaa+iiiii.private contains the private key.

       The  .key  file	contains  a DNS KEY record that can be inserted into a
       zone file (directly or with a $INCLUDE statement).

       The .private file contains algorithm specific fields. For obvious
       security reasons, this file does not have general read permission.

       Both .key and .private files are generated for symmetric encryption
       algorithms such as HMAC-MD5, even though the public and private key are
       equivalent.
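       As an added illustration that is not part of this man page or of BIND,
       the following Python script parses the Knnnn.+aaa+iiiii identification
       string and recomputes the key identifier (footprint) from the DNSKEY
       record inside a .key file, using the key tag algorithm of RFC 4034
       Appendix B, so that a file name and its contents can be cross-checked.
       The DNSKEY line and the algorithm-number table are constructed here;
       157 is BIND's private-use number for HMAC-MD5.

```python
import base64
import re
import struct

# Identification string printed by dnssec-keygen: Knnnn.+aaa+iiiii,
# optionally carrying the .key or .private suffix of the created files.
KEYID_RE = re.compile(
    r"^K(?P<name>.+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})(?:\.key|\.private)?$")

# DNSSEC algorithm numbers (RFC 4034 / IANA); 157 is BIND's HMAC-MD5 number.
ALG_NAMES = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1",
             6: "NSEC3DSA", 7: "NSEC3RSASHA1", 157: "HMAC-MD5"}


def parse_key_id(s):
    """Split Knnnn.+aaa+iiiii into (key name, algorithm number, key id)."""
    m = KEYID_RE.match(s.strip())
    if not m:
        raise ValueError("not a dnssec-keygen key identifier: %r" % s)
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def key_tag(rdata, algorithm):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, proto, alg, key)."""
    if algorithm == 1:
        # RSAMD5 (B.1): most significant 16 bits of the low 24 bits of the modulus
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, b in enumerate(rdata):      # even offsets weigh 256, odd offsets 1
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF          # fold the carry back in
    return ac & 0xFFFF


def dnskey_record_tag(line):
    """Return (algorithm, key tag) for a presentation-format DNSKEY/KEY line."""
    fields = line.split()
    i = fields.index("DNSKEY") if "DNSKEY" in fields else fields.index("KEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))   # base64 may be split
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return alg, key_tag(rdata, alg)


def check_key_file(filename, contents):
    """True if +aaa+iiiii in the file name matches the record in the file."""
    _name, alg, tag = parse_key_id(filename)
    rec_alg, rec_tag = dnskey_record_tag(contents)
    return alg == rec_alg and tag == rec_tag


if __name__ == "__main__":
    # Constructed sample: 4-byte "public key" 01 02 03 04 with a DSA label.
    rec = "example.com. IN DNSKEY 256 3 3 AQIDBA=="
    print(dnskey_record_tag(rec), check_key_file("Kexample.com.+003+02057.key", rec))
```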

EXAMPLES
       Example 1 Generating a 768-bit DSA Key

       To generate a 768-bit DSA key for the domain example.com, the following
       command would be issued:

	 dnssec-keygen -a DSA -b 768 -n ZONE example.com

       The command would print a string of the form:

	 Kexample.com.+003+26160

       The following files would be created:

	 Kexample.com.+003+26160.key
	 Kexample.com.+003+26160.private

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │service/network/dns/bind	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Volatile			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       dnssec-signzone(1M), attributes(5)

       RFC 2539, RFC 2845, RFC 4033

       See the BIND 9 Administrator's Reference Manual. As of the date of
       publication of this man page, this document is available at
       https://www.isc.org/software/bind/documentation.

SunOS 5.11			  11 Jan 2010		     dnssec-keygen(1M)