HP-UX Reference (11i v1 05/09) - 1 User Commands A-M (vol 1)

dnssec-keygen(1) dnssec-keygen(1)
-t type   This option indicates if the key is used for authentication or confidentiality. type can be
          either AUTHCONF, NOAUTHCONF, NOAUTH or NOCONF. The default is AUTHCONF. If type is
          AUTHCONF, the key can be used for authentication and confidentiality. Setting type to
          NOAUTHCONF indicates that the key cannot be used for authentication or confidentiality. A
          value of NOAUTH means the key can be used for confidentiality but not for authentication.
          Similarly, NOCONF defines that the key cannot be used for confidentiality though it can be
          used for authentication.
-v level  This option can be used to make dnssec-keygen more verbose. As the debugging/tracing level
          increases, dnssec-keygen generates increasingly detailed reports about what it is doing. The
          default level is zero.
Generated Keys
When dnssec-keygen completes, it prints a string in the form Knnnn.+aaa+iiiii on the standard output.
This is an identification string for the key it has generated. These strings can be supplied as arguments
to the dnssec-makekeyset utility.
The nnnn part is the dot-terminated domain name given by name. The DNSSEC algorithm identifier is
indicated by aaa: 001 for RSA, 002 for Diffie-Hellman, 003 for DSA, or 157 for HMAC-MD5. iiiii is a
five-digit number identifying the key.
dnssec-keygen creates two files. The file names are adapted from the key identification string above.
They have names in the form:
Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private.
These contain the public and private parts of the key respectively. The files generated by dnssec-keygen
follow this naming convention to make it easy for the signing tool dnssec-signzone to identify which
file(s) have to be read to find the necessary key(s) for generating or validating signatures.
The .key file contains a KEY resource record that can be inserted into a zone file with a $INCLUDE
statement. The private part of the key is in the .private file. It contains details of the encryption
algorithm that was used and any relevant parameters: prime number, exponent, modulus, subprime, etc.
For obvious security reasons, this file does not have general read permission. The private part of the
key is used by dnssec-signzone to generate signatures and the public part is used to verify the
signatures. Both .key and .private files are generated even for a symmetric algorithm such as HMAC-MD5,
where the public and private keys are equivalent.
EXAMPLE
To generate a 768-bit DSA key for the domain example.com, the following command would be issued:
dnssec-keygen -a DSA -b 768 -n ZONE example.com
dnssec-keygen has printed the key identification string Kexample.com.+003+26160, indicating a DSA key
with identifier 26160. It would have created the files Kexample.com.+003+26160.key and
Kexample.com.+003+26160.private containing the public and private keys respectively for the generated
DSA key.
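The following parser, added here as an illustration and not part of the HP-UX manual or the BIND tools, splits a Knnnn.+aaa+iiiii identification string into its name, algorithm and key-identifier parts, derives the .key and .private file names, and applies the 236-character domain-name limit noted under BUGS. The function names and the 255-byte filename limit used in the comment are assumptions of this example.

```python
import re

# Algorithm identifiers as listed in the "Generated Keys" section.
ALGORITHMS = {1: "RSA", 2: "Diffie-Hellman", 3: "DSA", 157: "HMAC-MD5"}

# Knnnn.+aaa+iiiii: "K", dot-terminated name, 3-digit algorithm, 5-digit key id.
KEY_ID_RE = re.compile(r"^K(?P<name>.+\.)\+(?P<alg>\d{3})\+(?P<id>\d{5})$")

# Longest domain name the naming convention can handle (BUGS section).
MAX_NAME_LEN = 236

# Characters added around the name: "K" in front, "+aaa+iiiii.private" behind.
PRIVATE_SUFFIX_LEN = len("K") + len("+aaa+iiiii.private")  # 19


def parse_key_id(key_id):
    """Split a dnssec-keygen identification string into its components.

    Raises ValueError when the string does not follow Knnnn.+aaa+iiiii,
    e.g. when the domain name is not dot-terminated.
    """
    m = KEY_ID_RE.match(key_id)
    if not m:
        raise ValueError("not a dnssec-keygen key identifier: %r" % key_id)
    alg = int(m.group("alg"))
    return {
        "name": m.group("name"),
        "algorithm_id": alg,
        "algorithm": ALGORITHMS.get(alg, "unknown"),
        "key_tag": int(m.group("id")),
        "public_file": key_id + ".key",
        "private_file": key_id + ".private",
    }


def is_symmetric(key_id):
    """True for HMAC-MD5, where the .key and .private contents are equivalent."""
    return parse_key_id(key_id)["algorithm"] == "HMAC-MD5"


def private_file_length(name):
    """Length of Knnnn.+aaa+iiiii.private for a given dot-terminated name."""
    return len(name) + PRIVATE_SUFFIX_LEN


def name_too_long(name):
    """True when the name exceeds 236 characters, so the .private file name
    would exceed the 255-byte limit typical of UNIX filesystems (assumed)."""
    return len(name) > MAX_NAME_LEN
```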
FILES
/dev/random
SEE ALSO
dnssec-makekeyset(1), dnssec-signkey(1), dnssec-signzone(1), RFC2535, RFC2845, RFC2539.
BUGS
The naming convention for the public and private key files is a little clumsy. It won't work for domain
names that are longer than 236 characters because the .+aaa+iiiii.private suffix results in filenames
that are too long for most UNIX systems.
Section 1186 Hewlett-Packard Company 2 HP-UX 11i Version 1: September 2005