From f50ae72ec3417cae55dd4e085991c01af9fdc5f1 Mon Sep 17 00:00:00 2001 From: Martin Nagy Date: Wed, 11 Feb 2009 20:37:59 +0100 Subject: Initial commit --- bin/dnssec/dnssec-keygen.docbook | 360 +++++++++++++++++++++++++++++++++++++++ 1 file changed, 360 insertions(+) create mode 100644 bin/dnssec/dnssec-keygen.docbook (limited to 'bin/dnssec/dnssec-keygen.docbook') diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook new file mode 100644 index 0000000..c267a1b --- /dev/null +++ b/bin/dnssec/dnssec-keygen.docbook @@ -0,0 +1,360 @@ +]> + + + + + + June 30, 2000 + + + + dnssec-keygen + 8 + BIND9 + + + + dnssec-keygen + DNSSEC key generation tool + + + + + 2004 + 2005 + 2007 + 2008 + Internet Systems Consortium, Inc. ("ISC") + + + 2000 + 2001 + 2002 + 2003 + Internet Software Consortium. + + + + + + dnssec-keygen + -a algorithm + -b keysize + -n nametype + + + + + + + + + + + + name + + + + + DESCRIPTION + dnssec-keygen + generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 + and RFC 4034. It can also generate keys for use with + TSIG (Transaction Signatures), as defined in RFC 2845. + + + + + OPTIONS + + + + -a algorithm + + + Selects the cryptographic algorithm. The value of + must be one of RSAMD5 (RSA) or RSASHA1, + DSA, NSEC3RSASHA1, NSEC3DSA, DH (Diffie Hellman), or HMAC-MD5. + These values are case insensitive. + + + Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is + mandatory. + + + Note 2: HMAC-MD5 and DH automatically set the -k flag. + + + + + + -b keysize + + + Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be + between + 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC-MD5 keys must be + between 1 and 512 bits. + + + + + + -n nametype + + + Specifies the owner type of the key. The value of + must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are case insensitive. Defaults to ZONE for DNSKEY + generation. + + + + + + -c class + + + Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + + + + + + -e + + + If generating an RSAMD5/RSASHA1 key, use a large exponent. + + + + + + -f flag + + + Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flag is KSK (Key Signing Key) DNSKEY. + + + + + + -g generator + + + If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. + + + + + + -h + + + Prints a short summary of the options and arguments to + dnssec-keygen. + + + + + + -k + + + Generate KEY records rather than DNSKEY records. + + + + + + -p protocol + + + Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. + + + + + + -r randomdev + + + Specifies the source of randomness. If the operating + system does not provide a /dev/random + or equivalent device, the default source of randomness + is keyboard input. randomdev + specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + keyboard indicates that keyboard + input should be used. + + + + + + -s strength + + + Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + + + + + + -t type + + + Indicates the use of the key. must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + + + + + + -v level + + + Sets the debugging level. + + + + + + + + + GENERATED KEYS + + When dnssec-keygen completes + successfully, + it prints a string of the form Knnnn.+aaa+iiiii + to the standard output. This is an identification string for + the key it has generated. + + + + nnnn is the key name. + + + + aaa is the numeric representation + of the + algorithm. + + + + iiiii is the key identifier (or + footprint). + + + + dnssec-keygen + creates two files, with names based + on the printed string. Knnnn.+aaa+iiiii.key + contains the public key, and + Knnnn.+aaa+iiiii.private contains the + private + key. + + + The .key file contains a DNS KEY record + that + can be inserted into a zone file (directly or with a $INCLUDE + statement). + + + The .private file contains + algorithm-specific + fields. For obvious security reasons, this file does not have + general read permission. + + + Both .key and .private + files are generated for symmetric encryption algorithms such as + HMAC-MD5, even though the public and private key are equivalent. + + + + + EXAMPLE + + To generate a 768-bit DSA key for the domain + example.com, the following command would be + issued: + + dnssec-keygen -a DSA -b 768 -n ZONE example.com + + + The command would print a string of the form: + + Kexample.com.+003+26160 + + + In this example, dnssec-keygen creates + the files Kexample.com.+003+26160.key + and + Kexample.com.+003+26160.private. + + + + + SEE ALSO + + dnssec-signzone8 + , + BIND 9 Administrator Reference Manual, + RFC 2539, + RFC 2845, + RFC 4033. + + + + + AUTHOR + Internet Systems Consortium + + + + -- cgit