Diffstat (limited to 'bin/dnssec/dnssec-keygen.html')
-rw-r--r-- | bin/dnssec/dnssec-keygen.html | 575 |
1 files changed, 575 insertions, 0 deletions
diff --git a/bin/dnssec/dnssec-keygen.html b/bin/dnssec/dnssec-keygen.html new file mode 100644 index 00000000..bbec232c --- /dev/null +++ b/bin/dnssec/dnssec-keygen.html 
@@ -0,0 +1,575 @@ +<!-- + - Copyright (C) 2001 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM + - DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL + - IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL + - INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING + - FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, + - NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION + - WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-keygen.html,v 1.3 2001/04/10 21:50:27 bwelling Exp $ --> + +<HTML +><HEAD +><TITLE +>dnssec-keygen</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.61 +"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="AEN1" +><SPAN +CLASS="APPLICATION" +>dnssec-keygen</SPAN +></A +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN9" +></A +><H2 +>Name</H2 +><SPAN +CLASS="APPLICATION" +>dnssec-keygen</SPAN +> -- DNSSEC key generation tool</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN13" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>dnssec-keygen</B +> {-a <TT +CLASS="REPLACEABLE" +><I +>algorithm</I +></TT +>} {-b <TT +CLASS="REPLACEABLE" +><I +>keysize</I +></TT +>} {-n <TT +CLASS="REPLACEABLE" +><I +>nametype</I +></TT +>} [<TT +CLASS="OPTION" +>-c <TT +CLASS="REPLACEABLE" +><I +>class</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-e</TT +>] [<TT +CLASS="OPTION" +>-g <TT +CLASS="REPLACEABLE" +><I +>generator</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-h</TT +>] [<TT 
+CLASS="OPTION" +>-p <TT +CLASS="REPLACEABLE" +><I +>protocol</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-r <TT +CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-s <TT +CLASS="REPLACEABLE" +><I +>strength</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-t <TT +CLASS="REPLACEABLE" +><I +>type</I +></TT +></TT +>] [<TT +CLASS="OPTION" +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></TT +>] {name}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN48" +></A +><H2 +>DESCRIPTION</H2 +><P +> <B +CLASS="COMMAND" +>dnssec-keygen</B +> generates keys for DNSSEC + (Secure DNS), as defined in RFC 2535. It can also generate + keys for use with TSIG (Transaction Signatures), as + defined in RFC 2845. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN52" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-a <TT +CLASS="REPLACEABLE" +><I +>algorithm</I +></TT +></DT +><DD +><P +> Selects the cryptographic algorithm. The value of + <TT +CLASS="OPTION" +>algorithm</TT +> must be one of RSAMD5 or RSA, + DSA, DH (Diffie Hellman), or HMAC-MD5. These values + are case insensitive. + </P +><P +> Note that for DNSSEC, DSA is a mandatory to implement algorithm, + and RSA is recommended. For TSIG, HMAC-MD5 is mandatory. + </P +></DD +><DT +>-b <TT +CLASS="REPLACEABLE" +><I +>keysize</I +></TT +></DT +><DD +><P +> Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSA keys must be between + 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC-MD5 keys must be + between 1 and 512 bits. + </P +></DD +><DT +>-n <TT +CLASS="REPLACEABLE" +><I +>nametype</I +></TT +></DT +><DD +><P +> Specifies the owner type of the key. 
The value of + <TT +CLASS="OPTION" +>nametype</TT +> must either be ZONE (for a DNSSEC + zone key), HOST or ENTITY (for a key associated with a host), + or USER (for a key associated with a user). These values are + case insensitive. + </P +></DD +><DT +>-c <TT +CLASS="REPLACEABLE" +><I +>class</I +></TT +></DT +><DD +><P +> Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + </P +></DD +><DT +>-e</DT +><DD +><P +> If generating an RSA key, use a large exponent. + </P +></DD +><DT +>-g <TT +CLASS="REPLACEABLE" +><I +>generator</I +></TT +></DT +><DD +><P +> If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. + </P +></DD +><DT +>-h</DT +><DD +><P +> Prints a short summary of the options and arguments to + <B +CLASS="COMMAND" +>dnssec-keygen</B +>. + </P +></DD +><DT +>-p <TT +CLASS="REPLACEABLE" +><I +>protocol</I +></TT +></DT +><DD +><P +> Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 2 (email) for + keys of type USER and 3 (DNSSEC) for all other key types. + Other possible values for this argument are listed in + RFC 2535 and its successors. + </P +></DD +><DT +>-r <TT +CLASS="REPLACEABLE" +><I +>randomdev</I +></TT +></DT +><DD +><P +> Specifies the source of randomness. If the operating + system does not provide a <TT +CLASS="FILENAME" +>/dev/random</TT +> + or equivalent device, the default source of randomness + is keyboard input. <TT +CLASS="FILENAME" +>randomdev</TT +> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <TT +CLASS="FILENAME" +>keyboard</TT +> indicates that keyboard + input should be used. 
+ </P +></DD +><DT +>-s <TT +CLASS="REPLACEABLE" +><I +>strength</I +></TT +></DT +><DD +><P +> Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + </P +></DD +><DT +>-t <TT +CLASS="REPLACEABLE" +><I +>type</I +></TT +></DT +><DD +><P +> Indicates the use of the key. <TT +CLASS="OPTION" +>type</TT +> must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + </P +></DD +><DT +>-v <TT +CLASS="REPLACEABLE" +><I +>level</I +></TT +></DT +><DD +><P +> Sets the debugging level. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN121" +></A +><H2 +>GENERATED KEYS</H2 +><P +> When <B +CLASS="COMMAND" +>dnssec-keygen</B +> completes successfully, + it prints a string of the form <TT +CLASS="FILENAME" +>Knnnn.+aaa+iiiii</TT +> + to the standard output. This is an identification string for + the key it has generated. These strings can be used as arguments + to <B +CLASS="COMMAND" +>dnssec-makekeyset</B +>. + </P +><P +></P +><UL +><LI +><P +> <TT +CLASS="FILENAME" +>nnnn</TT +> is the key name. + </P +></LI +><LI +><P +> <TT +CLASS="FILENAME" +>aaa</TT +> is the numeric representation of the + algorithm. + </P +></LI +><LI +><P +> <TT +CLASS="FILENAME" +>iiiii</TT +> is the key identifier (or footprint). + </P +></LI +></UL +><P +> <B +CLASS="COMMAND" +>dnssec-keygen</B +> creates two file, with names based + on the printed string. <TT +CLASS="FILENAME" +>Knnnn.+aaa+iiiii.key</TT +> + contains the public key, and + <TT +CLASS="FILENAME" +>Knnnn.+aaa+iiiii.private</TT +> contains the private + key. + </P +><P +> The <TT +CLASS="FILENAME" +>.key</TT +> file contains a DNS KEY record that + can be inserted into a zone file (directly or with a $INCLUDE + statement). 
+ </P +><P +> The <TT +CLASS="FILENAME" +>.private</TT +> file contains algorithm specific + fields. For obvious security reasons, this file does not have + general read permission. + </P +><P +> Both <TT +CLASS="FILENAME" +>.key</TT +> and <TT +CLASS="FILENAME" +>.private</TT +> + files are generated for symmetric encryption algorithm such as + HMAC-MD5, even though the public and private key are equivalent. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN148" +></A +><H2 +>EXAMPLE</H2 +><P +> To generate a 768-bit DSA key for the domain + <TT +CLASS="USERINPUT" +><B +>example.com</B +></TT +>, the following command would be + issued: + </P +><P +> <TT +CLASS="USERINPUT" +><B +>dnssec-keygen -a DSA -b 768 -n ZONE example.com</B +></TT +> + </P +><P +> The command would print a string of the form: + </P +><P +> <TT +CLASS="USERINPUT" +><B +>Kexample.com.+003+26160</B +></TT +> + </P +><P +> In this example, <B +CLASS="COMMAND" +>dnssec-keygen</B +> creates + the files <TT +CLASS="FILENAME" +>Kexample.com.+003+26160.key</TT +> and + <TT +CLASS="FILENAME" +>Kexample.com.+003+26160.private</TT +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN161" +></A +><H2 +>SEE ALSO</H2 +><P +> <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-makekeyset</SPAN +>(8)</SPAN +>, + <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-signkey</SPAN +>(8)</SPAN +>, + <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-signzone</SPAN +>(8)</SPAN +>, + <I +CLASS="CITETITLE" +>BIND 9 Administrator Reference Manual</I +>, + <I +CLASS="CITETITLE" +>RFC 2535</I +>, + <I +CLASS="CITETITLE" +>RFC 2845</I +>, + <I +CLASS="CITETITLE" +>RFC 2539</I +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN177" +></A +><H2 +>AUTHOR</H2 +><P +> Internet Software Consortium + </P +></DIV +></BODY +></HTML +>
\ No newline at end of file |
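Review bot: The GENERATED KEYS section says the .private file is protected "for obvious security reasons" but then states that a .key file is also written for HMAC-MD5, where "the public and private key are equivalent"; that combination needs an explicit statement that for HMAC-MD5 the .key file holds the same shared secret and must not be treated as public or inserted into a zone file the way the earlier paragraph ("can be inserted into a zone file (directly or with a $INCLUDE statement)") describes for DNSSEC keys. In the same paragraph, "symmetric encryption algorithm such as HMAC-MD5" is inaccurate, since HMAC-MD5 is a message authentication code and does not encrypt; "symmetric algorithm" would be correct. Smaller wording fixes in the same hunk: "creates two file" should read "creates two files", and "DSA is a mandatory to implement algorithm" should be hyphenated as "mandatory-to-implement". Finally, the -e entry ("If generating an RSA key, use a large exponent.") would be more useful if it stated which exponent is used with and without the flag, since that is the value a reader checking an existing key would compare against.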