dnssec-keygen.1 (2010 09)
dnssec-keygen(1) (BIND 9.3)
NAME
dnssec-keygen - key generation tool for DNSSEC
SYNOPSIS
dnssec-keygen [-ehk] [-a algorithm] [-b keysize] [-c class] [-f flag] [-g generator]
    [-n nametype] [-p protocol-value] [-r randomdev] [-s strength-value] [-t type]
    [-v level] name
DESCRIPTION
dnssec-keygen generates keys for Secure DNS (DNSSEC) as defined in RFC 2535. It also
generates keys for use in Transaction Signatures (TSIG), which are defined in RFC 2845.
Options
dnssec-keygen
recognizes the following options:
-a algorithm
Specify the encryption algorithm. The algorithm can be RSAMD5 (RSA), RSASHA1, DH, DSA
or HMAC-MD5. algorithm is case-insensitive. DNSSEC specifies RSASHA1 as a mandatory
algorithm and DSA as a recommended one. Implementations of TSIG must support HMAC-MD5.
-b keysize
Determine the number of bits in the key. The choice of key size depends on the algorithm
that is used. For the RSAMD5 or RSASHA1 algorithm, keysize must be between 512 and 2048
bits. For the DH (Diffie-Hellman) algorithm, keysize must be between 128 and 4096 bits.
For the DSA (Digital Signature) algorithm, keysize must be between 512 and 1024 bits and
a multiple of 64. For the HMAC-MD5 algorithm, keysize must be between 1 and 512 bits.
-c class Set the class for the DNS record containing the key. The default class is IN
(Internet). Other values for class are CH (Chaosnet) and HS (Hesiod).
-e Generate RSAMD5 and RSASHA1 keys with a large exponent value.
-f flag Set the specified flag in the flag field of the KEY or DNSKEY record. The only recognized flag
is KSK (Key Signing Key) for DNSKEY.
-g generator
Select the generator to be used when creating Diffie-Hellman keys. The only supported values
for generator are 2 and 5. If no Diffie-Hellman generator is supplied, a known prime from
RFC 2539 is used, if possible; otherwise, 2 is used as the generator.
-h Print a summary of the dnssec-keygen options and operands.
-k Generate KEY records rather than DNSKEY records.
-n nametype
Specify how the generated key will be used. nametype can be either ZONE, HOST, ENTITY,
or USER to indicate that the key will be used for signing a zone, host, entity, or user,
respectively. In this context, HOST and ENTITY are equivalent. nametype is
case-insensitive.
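The -a, -b, -f and -n options above are the ones that decide what kind of key is produced, and the documented key-size ranges differ per algorithm. The following POSIX sh wrapper is an added example, not part of the HP-UX man page or of BIND: it checks an algorithm/keysize pair against the ranges documented above and then prints the dnssec-keygen command line for a zone key (optionally flagged as a KSK) rather than running it, so it can be reviewed before keys are generated. The function names keysize_ok and keygen_cmd are the example's own.

```shell
#!/bin/sh
# Added example (not from the man page): validate -a/-b against the documented
# ranges, then build the dnssec-keygen command line for a zone key.

# keysize_ok ALGORITHM KEYSIZE
# Returns 0 when KEYSIZE is valid for ALGORITHM per the ranges in the -b
# description; ALGORITHM is case-insensitive, as the -a description states.
keysize_ok() {
    alg=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    bits=$2
    case $bits in
        ''|*[!0-9]*) return 1 ;;                 # must be a non-negative integer
    esac
    case $alg in
        RSAMD5|RSASHA1) [ "$bits" -ge 512 ] && [ "$bits" -le 2048 ] ;;
        DH)             [ "$bits" -ge 128 ] && [ "$bits" -le 4096 ] ;;
        DSA)            [ "$bits" -ge 512 ] && [ "$bits" -le 1024 ] \
                            && [ $((bits % 64)) -eq 0 ] ;;   # also a multiple of 64
        HMAC-MD5)       [ "$bits" -ge 1 ] && [ "$bits" -le 512 ] ;;
        *)              return 1 ;;                           # not an algorithm this page lists
    esac
}

# keygen_cmd ALGORITHM KEYSIZE NAME [KSK]
# Prints the dnssec-keygen invocation for a zone key (-n ZONE); the optional
# fourth argument KSK adds "-f KSK". Fails with a message if the key size is
# not valid for the algorithm.
keygen_cmd() {
    alg=$1; bits=$2; name=$3; ksk=${4:-}
    if ! keysize_ok "$alg" "$bits"; then
        echo "keysize $bits is not valid for algorithm $alg" >&2
        return 1
    fi
    set -- dnssec-keygen -a "$alg" -b "$bits" -n ZONE
    if [ "$ksk" = KSK ]; then
        set -- "$@" -f KSK
    fi
    set -- "$@" "$name"
    echo "$@"
}

# Usage: print the command for a 1024-bit RSASHA1 key-signing key for example.com
keygen_cmd RSASHA1 1024 example.com KSK
```

The wrapper deliberately stops at printing the command: generating the key on a system without /dev/random will prompt for keyboard input (see -r), so the invocation is better reviewed and run by hand than buried in a script.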
-p protocol-value
Set the protocol value for the generated key to protocol-value. The default is 3 (DNSSEC).
Other possible values for this argument are listed in RFC 2535 and its successors.
-r randomdev
Override the default source of randomness used to seed key generation. When the system
does not have a /dev/random device to generate random numbers, dnssec-keygen prompts for
keyboard input and uses the time intervals between keystrokes to provide randomness.
With this option, it instead uses randomdev as a source of random data.
-s strength-value
Set the key’s strength value. The generated key will sign DNS resource records with a
HP-UX 11i Version 3: September 2010 − 1 − Hewlett-Packard Company 1