dnssec-keygen.1 (2010 09)
dnssec-keygen(1)                          (BIND 9.3)                          dnssec-keygen(1)
                strength value of strength-value.  It should be a number in the range 0-15.  The
                default strength is 0.  The key strength field currently has no defined purpose in
                DNSSEC.

      -t type   Indicate if the key is used for authentication or confidentiality.  type can be
                one of:

                AUTHCONF     The key can be used for authentication and confidentiality.

                NOAUTHCONF   The key cannot be used for authentication or confidentiality.

                NOAUTH       The key can be used for confidentiality but not for authentication.

                NOCONF       The key cannot be used for confidentiality, although it can be used
                             for authentication.

                The default is AUTHCONF.

      -v level  Set the verbosity level.  As the debugging/tracing level increases, dnssec-keygen
                generates increasingly detailed reports about what it is doing.  The default level
                is 0.
  Operands
      name      The domain name for which the key is to be generated.

  Generated Keys
      When dnssec-keygen completes, it prints an identification string on standard output for the
      key it has generated, in the form

            Knnnn.+aaa+iiiii

      The fields are:

      nnnn      The dot-terminated domain name given by name.

      aaa       The DNSSEC algorithm identifier.

      iiiii     A five-digit number identifying the key.
      dnssec-keygen creates two files.  The file names are adapted from the key identification
      string above, in the form:

            Knnnn.+aaa+iiiii.key
            Knnnn.+aaa+iiiii.private

      These contain the public and private parts of the key respectively.  The files generated by
      dnssec-keygen follow this naming convention to make it easy for the signing tool
      dnssec-signzone to identify which files have to be read to find the necessary keys for
      generating or validating signatures.

      The .key file contains a DNSKEY resource record that can be inserted into a zone file with a
      $INCLUDE statement.  The private part of the key is in the .private file.  It contains
      details of the encryption algorithm that was used and any relevant parameters.  For obvious
      security reasons, the .private file does not have general read permission.  Both a .key and
      a .private file are generated even for a symmetric algorithm such as HMAC-MD5, although in
      that case the public and private keys are equivalent.
EXAMPLES
      To generate a 768-bit DSA key for the domain example.com, issue the command:

            $ dnssec-keygen -a DSA -b 768 -n ZONE example.com

      dnssec-keygen prints the key identification string

            Kexample.com.+003+26160

      indicating a DSA key with identifier 26160.  It creates the files

            Kexample.com.+003+26160.key
            Kexample.com.+003+26160.private

      which contain the public and private keys, respectively, for the generated DSA key.
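      The following shell functions are an added example, not part of this manual page or of
      BIND: keyid_fields splits a key identification string or key file name into the nnnn, aaa
      and iiiii fields described under Generated Keys, and private_key_ok checks that a .private
      file is present and, as the page requires, carries no group or world read permission.
      The function names and the sample file name are assumptions made for the example.

```sh
#!/bin/sh
# Added example: work with the Knnnn.+aaa+iiiii naming convention of dnssec-keygen.
# keyid_fields and private_key_ok are names chosen for this example (not BIND tools).

# keyid_fields <Knnnn.+aaa+iiiii[.key|.private]>
# Prints "name algorithm keyid" (nnnn aaa iiiii) on one line; fails if the
# argument does not have the documented shape.  A leading directory is ignored.
keyid_fields() {
    base=${1##*/}                 # drop any directory part
    base=${base%.key}             # drop a .key or .private suffix, if present
    base=${base%.private}
    case $base in
        K*.+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "malformed key identifier: $1" >&2; return 1 ;;
    esac
    rest=${base#K}                # e.g. example.com.+003+26160
    name=${rest%%+*}              # dot-terminated domain name:  example.com.
    tail=${rest#"$name"}          # +003+26160
    alg=${tail%+*}; alg=${alg#+}  # three-digit algorithm identifier: 003
    id=${tail##*+}                # five-digit key identifier: 26160
    echo "$name $alg $id"
}

# private_key_ok <path to .private file>
# Succeeds only when the file exists and neither the group nor the world read
# bit is set.  The mode string from ls -l has the group read bit at position 5
# and the world read bit at position 8 (position 1 is the file type).
private_key_ok() {
    [ -f "$1" ] || return 1
    mode=$(ls -l "$1" | cut -c1-10)
    case $mode in
        ????-??-??) return 0 ;;
        *) echo "$1 is readable by group or world ($mode)" >&2; return 1 ;;
    esac
}

# Demonstration on the identifier from the EXAMPLES section (constructed input,
# no files are touched):
keyid_fields Kexample.com.+003+26160.private
```

      Run private_key_ok against each .private file in a key directory to catch files whose
      permissions were loosened after generation.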
AUTHOR
      dnssec-keygen was developed by the Internet Systems Consortium (ISC).

Hewlett-Packard Company                       − 2 −                HP-UX 11i Version 3: September 2010