HP-UX Reference (11i v2 03/08) - 1 User Commands A-M (vol 1)

dnssec-keygen(1) dnssec-keygen(1)
NAME
dnssec-keygen - key generation tool for DNSSEC
SYNOPSIS
dnssec-keygen [-a algorithm] [-b keysize] [-e] [-g generator] [-h] [-n nametype]
[-p protocol-value] [-r randomdev] [-s strength-value] [-t type] [-v level] name
DESCRIPTION
dnssec-keygen generates keys for Secure DNS (DNSSEC) as defined in RFC2535. It also
generates keys for use in Transaction Signatures (TSIG), which are defined in RFC2845.
Argument
name Specifies the domain name for which the key is to be generated.
Options
-a algorithm This option specifies the encryption algorithm. The algorithm can be
RSAMD5, DH, DSA or HMAC-MD5. RSA can also be used, which is equivalent to
RSAMD5. The algorithm argument is case-insensitive.
DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
Implementations of TSIG must support HMAC-MD5.
-b keysize This option determines the number of bits in the key. The valid range of
key sizes depends on the algorithm that is used.
If the RSA algorithm is used, keysize must be between 512 and 2048 bits.
If the DH (Diffie-Hellman) algorithm is used, keysize must be between 128 and
4096 bits.
If the DSA (Digital Signature Algorithm) is used, keysize must be between 512
and 1024 bits and a multiple of 64.
If the HMAC-MD5 algorithm is used, keysize should be between 1 and 512 bits.
-e This option is used for generating RSA keys with a large exponent value.
-g generator This option is used when creating Diffie-Hellman keys. The -g option selects the
Diffie-Hellman generator that is to be used. The only supported values for
generator are 2 and 5. If no Diffie-Hellman generator is supplied, a known prime
from RFC2539 will be used if possible; otherwise, 2 will be used as the generator.
-h A summary of the options and arguments to dnssec-keygen is printed by this
option.
-n nametype This option specifies how the generated key will be used. nametype can be
ZONE, HOST, ENTITY, or USER to indicate that the key will be used for signing a
zone, host, entity or user, respectively. In this context HOST and ENTITY are
identical. nametype is case-insensitive.
-p protocol-value
This option sets the protocol value for the generated key to protocol-value. The
default is 2 (email) for keys of the type USER and 3 (DNSSEC) for all other key
types. Other possible values for this argument are listed in RFC2535 and its
successors.
-r randomdev This option specifies the source of random data used to seed key generation.
When the system does not have a /dev/random device, dnssec-keygen by default
prompts for keyboard input and uses the time intervals between keystrokes to
provide randomness. With this option it uses randomdev as the source of random
data instead.
-s strength-value
This option is used to set the key’s strength value. The generated key will sign DNS
resource records with a strength value of strength-value. It should be a number in
the range 0-15. The default strength is zero. The key strength field currently has
no defined purpose in DNSSEC.
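As an added example (not part of the HP-UX manual), a small POSIX shell wrapper that checks an algorithm and keysize pair against the limits documented for -a and -b above before invoking dnssec-keygen, so that an out-of-range or mistyped request fails before any key material is written. The function names keysize_ok and gen_key are this example's own, and dnssec-keygen is only invoked by gen_key after the check passes.

```shell
# Added example: validate -a/-b combinations per the dnssec-keygen(1) text above.
# keysize_ok ALGORITHM KEYSIZE -> returns 0 if the pair is within the documented range.
keysize_ok() {
    alg=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')   # -a is case-insensitive
    bits=$2
    case $bits in
        ''|*[!0-9]*) return 1 ;;    # keysize must be a non-negative integer
    esac
    case $alg in
        RSA|RSAMD5) [ "$bits" -ge 512 ] && [ "$bits" -le 2048 ] ;;     # RSA is an alias for RSAMD5
        DH)         [ "$bits" -ge 128 ] && [ "$bits" -le 4096 ] ;;
        DSA)        [ "$bits" -ge 512 ] && [ "$bits" -le 1024 ] && [ $((bits % 64)) -eq 0 ] ;;
        HMAC-MD5)   [ "$bits" -ge 1 ]   && [ "$bits" -le 512 ] ;;
        *)          return 1 ;;     # not an algorithm this manual page lists
    esac
}

# gen_key ALGORITHM KEYSIZE NAMETYPE NAME -> runs dnssec-keygen only after the check.
# Returns 2 without generating anything when the request is rejected.
gen_key() {
    keysize_ok "$1" "$2" || {
        printf 'refusing: keysize %s is not valid for algorithm %s\n' "$2" "$1" >&2
        return 2
    }
    dnssec-keygen -a "$1" -b "$2" -n "$3" "$4"
}
```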
HP-UX 11i Version 2: August 2003 1 Hewlett-Packard Company Section 1183