HP-UX Reference (11i v3 07/02) - 1 User Commands A-M (vol 1)

dnssec-keygen(1) (BIND 9.3)
NAME
dnssec-keygen - key generation tool for DNSSEC
SYNOPSIS
dnssec-keygen [-ehk] [-a algorithm] [-b keysize] [-c class] [-f flag] [-g generator]
              [-n nametype] [-p protocol-value] [-r randomdev] [-s strength-value]
              [-t type] [-v level] name
DESCRIPTION
dnssec-keygen
generates keys for Secure DNS (DNSSEC) as defined in RFC 2535. It also generates
keys for use in Transaction Signatures (TSIG), which are defined in RFC 2845.
Options
dnssec-keygen
recognizes the following options:
-a algorithm
Specify the cryptographic algorithm. The algorithm can be RSAMD5 (alias RSA), RSASHA1, DH, DSA
or HMAC-MD5; algorithm is case-insensitive. DNSSEC specifies RSASHA1 as a mandatory algorithm
and DSA as a recommended one. Implementations of TSIG must support HMAC-MD5. Note that DH
keys are for key agreement rather than signing, and an HMAC-MD5 key is a shared secret for TSIG
rather than a public key for signing zones; later DNSSEC specifications deprecate RSAMD5, so
prefer RSASHA1 for new zone keys.
-b keysize
Determine the number of bits in the key. The choice of key size depends on the algorithm that is
used.
For the RSAMD5 or RSASHA1 algorithm, keysize must be between 512 and 2048 bits.
For the DH (Diffie-Hellman) algorithm, keysize must be between 128 and 4096 bits.
For the DSA (Digital Signature) algorithm, keysize must be between 512 and 1024 bits and a
multiple of 64.
For the HMAC-MD5 algorithm, keysize must be between 1 and 512 bits.
-c class Set the class for the DNS record containing the key. The default class is IN (Internet).
Other values for class are CH (Chaosnet) and HS (Hesiod).
-e Generate RSAMD5 and RSASHA1 keys with a large exponent value.
-f flag Set the specified flag in the flag field of the KEY or DNSKEY record. The only recognized flag is
KSK (Key Signing Key) for DNSKEY.
-g generator
Select the generator to be used when creating Diffie-Hellman keys. The only supported values
for generator are 2 and 5. If no Diffie-Hellman generator is supplied, a known prime from RFC
2539 is used, if possible; otherwise, 2 is used as the generator.
-h Print a summary of the dnssec-keygen options and operands.
-k Generate KEY records rather than DNSKEY records.
-n nametype
Specify how the generated key will be used.
nametype can be either ZONE, HOST, ENTITY, or USER to indicate that the key will be used for
signing a zone, host, entity, or user, respectively. In this context, HOST and ENTITY are
equivalent. nametype is case-insensitive.
-p protocol-value
Set the protocol value for the generated key to protocol-value. The default is 3 (DNSSEC).
Other possible values for this argument are listed in RFC 2535 and its successors.
-r randomdev
Specify the source of randomness used for key generation. By default dnssec-keygen reads the
system's /dev/random device; on a system without such a device it falls back to prompting for
keyboard input and uses the time intervals between keystrokes as its source of randomness. With
this option, randomdev names a device or file that is read for random data instead. Choose a source
with real entropy: a predictable input yields a predictable, and therefore useless, key.
228 Hewlett-Packard Company 1 HP-UX 11i Version 3: February 2007