diff options
| author | Tom Rhodes <trhodes@FreeBSD.org> | 2004-09-19 01:30:24 +0000 |
|---|---|---|
| committer | Tom Rhodes <trhodes@FreeBSD.org> | 2004-09-19 01:30:24 +0000 |
| commit | b1e4bd53e00e9694dd378a884abd3f2dd790190d (patch) | |
| tree | 97706b7f62557da0a2539b026e5cf66008ddf8c6 /contrib/bind9/bin/dnssec/dnssec-keygen.html | |
Notes
Diffstat (limited to 'contrib/bind9/bin/dnssec/dnssec-keygen.html')
| -rw-r--r-- | contrib/bind9/bin/dnssec/dnssec-keygen.html | 544 |
1 files changed, 544 insertions, 0 deletions
diff --git a/contrib/bind9/bin/dnssec/dnssec-keygen.html b/contrib/bind9/bin/dnssec/dnssec-keygen.html new file mode 100644 index 000000000000..734c914ba617 --- /dev/null +++ b/contrib/bind9/bin/dnssec/dnssec-keygen.html @@ -0,0 +1,544 @@ +<!-- + - Copyright (C) 2004 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2001-2003 Internet Software Consortium. + - + - Permission to use, copy, modify, and distribute this software for any + - purpose with or without fee is hereby granted, provided that the above + - copyright notice and this permission notice appear in all copies. + - + - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + - PERFORMANCE OF THIS SOFTWARE. +--> + +<!-- $Id: dnssec-keygen.html,v 1.5.2.1.4.6 2004/08/22 23:38:58 marka Exp $ --> + +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>dnssec-keygen</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"></HEAD +><BODY +CLASS="REFENTRY" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><H1 +><A +NAME="AEN1" +></A +><SPAN +CLASS="APPLICATION" +>dnssec-keygen</SPAN +></H1 +><DIV +CLASS="REFNAMEDIV" +><A +NAME="AEN9" +></A +><H2 +>Name</H2 +><SPAN +CLASS="APPLICATION" +>dnssec-keygen</SPAN +> -- DNSSEC key generation tool</DIV +><DIV +CLASS="REFSYNOPSISDIV" +><A +NAME="AEN13" +></A +><H2 +>Synopsis</H2 +><P +><B +CLASS="COMMAND" +>dnssec-keygen</B +> {-a <VAR +CLASS="REPLACEABLE" +>algorithm</VAR +>} {-b <VAR +CLASS="REPLACEABLE" +>keysize</VAR +>} {-n <VAR +CLASS="REPLACEABLE" +>nametype</VAR +>} [<VAR +CLASS="OPTION" +>-c <VAR +CLASS="REPLACEABLE" +>class</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-e</VAR +>] [<VAR +CLASS="OPTION" +>-f <VAR +CLASS="REPLACEABLE" +>flag</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-g <VAR +CLASS="REPLACEABLE" +>generator</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-h</VAR +>] [<VAR +CLASS="OPTION" +>-k</VAR +>] [<VAR +CLASS="OPTION" +>-p <VAR +CLASS="REPLACEABLE" +>protocol</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-r <VAR +CLASS="REPLACEABLE" +>randomdev</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-s <VAR +CLASS="REPLACEABLE" +>strength</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-t <VAR +CLASS="REPLACEABLE" +>type</VAR +></VAR +>] [<VAR +CLASS="OPTION" +>-v <VAR +CLASS="REPLACEABLE" +>level</VAR +></VAR +>] {name}</P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN53" +></A +><H2 +>DESCRIPTION</H2 +><P +> <B +CLASS="COMMAND" +>dnssec-keygen</B +> generates keys for DNSSEC + (Secure DNS), as defined in RFC 2535 and RFC <TBA\>. It can also generate + keys for use with TSIG (Transaction Signatures), as + defined in RFC 2845. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN57" +></A +><H2 +>OPTIONS</H2 +><P +></P +><DIV +CLASS="VARIABLELIST" +><DL +><DT +>-a <VAR +CLASS="REPLACEABLE" +>algorithm</VAR +></DT +><DD +><P +> Selects the cryptographic algorithm. The value of + <VAR +CLASS="OPTION" +>algorithm</VAR +> must be one of RSAMD5 (RSA) or RSASHA1, + DSA, DH (Diffie Hellman), or HMAC-MD5. These values + are case insensitive. + </P +><P +> Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, + and DSA is recommended. For TSIG, HMAC-MD5 is mandatory. + </P +><P +> Note 2: HMAC-MD5 and DH automatically set the -k flag. + </P +></DD +><DT +>-b <VAR +CLASS="REPLACEABLE" +>keysize</VAR +></DT +><DD +><P +> Specifies the number of bits in the key. The choice of key + size depends on the algorithm used. RSAMD5 / RSASHA1 keys must be between + 512 and 2048 bits. Diffie Hellman keys must be between + 128 and 4096 bits. DSA keys must be between 512 and 1024 + bits and an exact multiple of 64. HMAC-MD5 keys must be + between 1 and 512 bits. + </P +></DD +><DT +>-n <VAR +CLASS="REPLACEABLE" +>nametype</VAR +></DT +><DD +><P +> Specifies the owner type of the key. The value of + <VAR +CLASS="OPTION" +>nametype</VAR +> must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). These values are + case insensitive. + </P +></DD +><DT +>-c <VAR +CLASS="REPLACEABLE" +>class</VAR +></DT +><DD +><P +> Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. + </P +></DD +><DT +>-e</DT +><DD +><P +> If generating an RSAMD5/RSASHA1 key, use a large exponent. + </P +></DD +><DT +>-f <VAR +CLASS="REPLACEABLE" +>flag</VAR +></DT +><DD +><P +> Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flag is KSK (Key Signing Key) DNSKEY. + </P +></DD +><DT +>-g <VAR +CLASS="REPLACEABLE" +>generator</VAR +></DT +><DD +><P +> If generating a Diffie Hellman key, use this generator. + Allowed values are 2 and 5. If no generator + is specified, a known prime from RFC 2539 will be used + if possible; otherwise the default is 2. + </P +></DD +><DT +>-h</DT +><DD +><P +> Prints a short summary of the options and arguments to + <B +CLASS="COMMAND" +>dnssec-keygen</B +>. + </P +></DD +><DT +>-k</DT +><DD +><P +> Generate KEY records rather than DNSKEY records. + </P +></DD +><DT +>-p <VAR +CLASS="REPLACEABLE" +>protocol</VAR +></DT +><DD +><P +> Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. + </P +></DD +><DT +>-r <VAR +CLASS="REPLACEABLE" +>randomdev</VAR +></DT +><DD +><P +> Specifies the source of randomness. If the operating + system does not provide a <TT +CLASS="FILENAME" +>/dev/random</TT +> + or equivalent device, the default source of randomness + is keyboard input. <TT +CLASS="FILENAME" +>randomdev</TT +> specifies + the name of a character device or file containing random + data to be used instead of the default. The special value + <TT +CLASS="FILENAME" +>keyboard</TT +> indicates that keyboard + input should be used. + </P +></DD +><DT +>-s <VAR +CLASS="REPLACEABLE" +>strength</VAR +></DT +><DD +><P +> Specifies the strength value of the key. The strength is + a number between 0 and 15, and currently has no defined + purpose in DNSSEC. + </P +></DD +><DT +>-t <VAR +CLASS="REPLACEABLE" +>type</VAR +></DT +><DD +><P +> Indicates the use of the key. <VAR +CLASS="OPTION" +>type</VAR +> must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. + </P +></DD +><DT +>-v <VAR +CLASS="REPLACEABLE" +>level</VAR +></DT +><DD +><P +> Sets the debugging level. + </P +></DD +></DL +></DIV +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN136" +></A +><H2 +>GENERATED KEYS</H2 +><P +> When <B +CLASS="COMMAND" +>dnssec-keygen</B +> completes successfully, + it prints a string of the form <TT +CLASS="FILENAME" +>Knnnn.+aaa+iiiii</TT +> + to the standard output. This is an identification string for + the key it has generated. These strings can be used as arguments + to <B +CLASS="COMMAND" +>dnssec-makekeyset</B +>. + </P +><P +></P +><UL +><LI +><P +> <TT +CLASS="FILENAME" +>nnnn</TT +> is the key name. + </P +></LI +><LI +><P +> <TT +CLASS="FILENAME" +>aaa</TT +> is the numeric representation of the + algorithm. + </P +></LI +><LI +><P +> <TT +CLASS="FILENAME" +>iiiii</TT +> is the key identifier (or footprint). + </P +></LI +></UL +><P +> <B +CLASS="COMMAND" +>dnssec-keygen</B +> creates two file, with names based + on the printed string. <TT +CLASS="FILENAME" +>Knnnn.+aaa+iiiii.key</TT +> + contains the public key, and + <TT +CLASS="FILENAME" +>Knnnn.+aaa+iiiii.private</TT +> contains the private + key. + </P +><P +> The <TT +CLASS="FILENAME" +>.key</TT +> file contains a DNS KEY record that + can be inserted into a zone file (directly or with a $INCLUDE + statement). + </P +><P +> The <TT +CLASS="FILENAME" +>.private</TT +> file contains algorithm specific + fields. For obvious security reasons, this file does not have + general read permission. + </P +><P +> Both <TT +CLASS="FILENAME" +>.key</TT +> and <TT +CLASS="FILENAME" +>.private</TT +> + files are generated for symmetric encryption algorithm such as + HMAC-MD5, even though the public and private key are equivalent. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN163" +></A +><H2 +>EXAMPLE</H2 +><P +> To generate a 768-bit DSA key for the domain + <KBD +CLASS="USERINPUT" +>example.com</KBD +>, the following command would be + issued: + </P +><P +> <KBD +CLASS="USERINPUT" +>dnssec-keygen -a DSA -b 768 -n ZONE example.com</KBD +> + </P +><P +> The command would print a string of the form: + </P +><P +> <KBD +CLASS="USERINPUT" +>Kexample.com.+003+26160</KBD +> + </P +><P +> In this example, <B +CLASS="COMMAND" +>dnssec-keygen</B +> creates + the files <TT +CLASS="FILENAME" +>Kexample.com.+003+26160.key</TT +> and + <TT +CLASS="FILENAME" +>Kexample.com.+003+26160.private</TT +> + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN176" +></A +><H2 +>SEE ALSO</H2 +><P +> <SPAN +CLASS="CITEREFENTRY" +><SPAN +CLASS="REFENTRYTITLE" +>dnssec-signzone</SPAN +>(8)</SPAN +>, + <I +CLASS="CITETITLE" +>BIND 9 Administrator Reference Manual</I +>, + <I +CLASS="CITETITLE" +>RFC 2535</I +>, + <I +CLASS="CITETITLE" +>RFC 2845</I +>, + <I +CLASS="CITETITLE" +>RFC 2539</I +>. + </P +></DIV +><DIV +CLASS="REFSECT1" +><A +NAME="AEN186" +></A +><H2 +>AUTHOR</H2 +><P +> Internet Systems Consortium + </P +></DIV +></BODY +></HTML +> |