HP-UX Reference (11i v2 07/12) - 1 User Commands A-M (vol 1)
dnssec-keygen(1) dnssec-keygen(1)
NAME
dnssec-keygen - key generation tool for DNSSEC
SYNOPSIS
dnssec-keygen [-a algorithm] [-b keysize] [-e] [-g generator] [-h] [-n nametype]
     [-p protocol-value] [-r randomdev] [-s strength-value] [-t type] [-v level] name
DESCRIPTION
dnssec-keygen generates keys for Secure DNS (DNSSEC) as defined in RFC2535. It also generates
keys for use in Transaction Signatures (TSIG), which is defined in RFC2845.
Argument
name Specifies the domain name for which the key is to be generated.
Options
-a algorithm This option is used to specify the encryption algorithm. The algorithm can be
RSAMD5, DH, DSA or HMAC-MD5. RSA can also be used, which is equivalent to RSAMD5.
The algorithm argument identifying the encryption algorithm is case-insensitive.
DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one.
Implementations of TSIG must support HMAC-MD5.
-b keysize This option is used to determine the number of bits in the key. The choice of key size
depends on the algorithm that is used.
If the RSA algorithm is used, keysize must be between 512 and 2048 bits.
If the DH (Diffie-Hellman) algorithm is used, keysize must be between 128 and 4096 bits.
If the DSA (Digital Signature Algorithm) is used, keysize must be between 512 and
1024 bits and a multiple of 64.
If the HMAC-MD5 algorithm is used, keysize should be between 1 and 512 bits.
-e This option is used for generating RSA keys with a large exponent value.
-g generator This option is used when creating Diffie-Hellman keys. The -g option selects the
Diffie-Hellman generator that is to be used. The only supported values for generator
are 2 and 5. If no Diffie-Hellman generator is supplied, a known prime from RFC2539
will be used if possible; otherwise, 2 will be used as the generator.
-h This option prints a summary of the options and arguments to dnssec-keygen.
-n nametype This option specifies how the generated key will be used.
nametype can be ZONE, HOST, ENTITY, or USER to indicate that the key will
be used for signing a zone, host, entity or user, respectively. In this context
HOST and ENTITY are identical. nametype is case-insensitive.
-p protocol-value
This option sets the protocol value for the generated key to protocol-value. The
default is 2 (email) for keys of the type USER and 3 (DNSSEC) for all other key types.
Other possible values for this argument are listed in RFC2535 and its successors.
-r randomdev
This option overrides the default source of randomness used to seed key generation.
When the system does not have a /dev/random device, dnssec-keygen by default
prompts for keyboard input and uses the time intervals between keystrokes to
provide randomness. With this option it will use randomdev as the source of random
data instead.
-s strength-value
This option is used to set the key’s strength value. The generated key will sign DNS
resource records with a strength value of strength-value. It should be a number in the
range 0-15. The default strength is zero. The key strength field currently has no
defined purpose in DNSSEC.
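The key-size and name-type rules above are easy to get wrong on the command line, so the
following POSIX sh script, added here as an example and not part of the HP-UX manual or
of BIND, checks an intended invocation against exactly the constraints this reference
states (per-algorithm keysize ranges, the multiple-of-64 rule for DSA, the -p default of
2 for USER and 3 for other nametypes) and prints the dnssec-keygen command it would run.
The function names keysize_ok, default_protocol and build_keygen_cmd are this example's
own; dnssec-keygen itself is not executed, only assembled.

```shell
#!/bin/sh
# Added example (not from the HP-UX manual): pre-flight checks for a
# dnssec-keygen invocation, using only the rules the reference states.

# keysize_ok ALG BITS -> exit status 0 when BITS is a legal -b value for ALG
keysize_ok() {
    alg=$(printf '%s' "$1" | tr 'a-z' 'A-Z')   # -a is case-insensitive
    bits=$2
    case $bits in
        ''|*[!0-9]*) return 1 ;;               # must be a non-negative integer
    esac
    case $alg in
        RSA|RSAMD5) [ "$bits" -ge 512 ] && [ "$bits" -le 2048 ] ;;
        DH)         [ "$bits" -ge 128 ] && [ "$bits" -le 4096 ] ;;
        DSA)        [ "$bits" -ge 512 ] && [ "$bits" -le 1024 ] \
                    && [ $((bits % 64)) -eq 0 ] ;;   # DSA: multiple of 64
        HMAC-MD5)   [ "$bits" -ge 1 ] && [ "$bits" -le 512 ] ;;
        *)          return 1 ;;                # not an algorithm this manual lists
    esac
}

# default_protocol NAMETYPE -> prints the -p default: 2 (email) for USER,
# 3 (DNSSEC) for ZONE, HOST and ENTITY; fails for anything else
default_protocol() {
    case $(printf '%s' "$1" | tr 'a-z' 'A-Z') in
        USER)             echo 2 ;;
        ZONE|HOST|ENTITY) echo 3 ;;
        *)                return 1 ;;
    esac
}

# build_keygen_cmd ALG BITS NAMETYPE NAME -> prints the command line that
# would be run, or fails with a diagnostic on stderr
build_keygen_cmd() {
    keysize_ok "$1" "$2" || { echo "keysize $2 is not valid for $1" >&2; return 1; }
    proto=$(default_protocol "$3") || { echo "unknown nametype $3" >&2; return 1; }
    printf 'dnssec-keygen -a %s -b %s -n %s -p %s %s\n' "$1" "$2" "$3" "$proto" "$4"
}

# Constructed sample invocation: a 1024-bit DSA zone key for example.com.
build_keygen_cmd DSA 1024 ZONE example.com.
```

Running the script prints `dnssec-keygen -a DSA -b 1024 -n ZONE -p 3 example.com.`; a request
such as `build_keygen_cmd DSA 1000 ZONE example.com.` is rejected before anything is generated,
because 1000 is not a multiple of 64. One caveat beyond this manual: the MD5-based algorithms
it lists (RSAMD5, and RSA as its alias) were later deprecated for DNSSEC by RFC 6944, so a
check like this on a current system should also refuse them.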
HP-UX 11i Version 2: December 2007 Update − 1 − Hewlett-Packard Company 247