summaryrefslogtreecommitdiffstats
path: root/doc/man/dnssec-keygen.8in
diff options
context:
space:
mode:
Diffstat (limited to 'doc/man/dnssec-keygen.8in')
-rw-r--r--doc/man/dnssec-keygen.8in331
1 files changed, 331 insertions, 0 deletions
diff --git a/doc/man/dnssec-keygen.8in b/doc/man/dnssec-keygen.8in
new file mode 100644
index 0000000..84d4d68
--- /dev/null
+++ b/doc/man/dnssec-keygen.8in
@@ -0,0 +1,331 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-KEYGEN" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-keygen \- DNSSEC key generation tool
+.SH SYNOPSIS
+.sp
+\fBdnssec\-keygen\fP [\fB\-3\fP] [\fB\-A\fP date/offset] [\fB\-a\fP algorithm] [\fB\-b\fP keysize] [\fB\-C\fP] [\fB\-c\fP class] [\fB\-D\fP date/offset] [\fB\-d\fP bits] [\fB\-D\fP sync date/offset] [\fB\-E\fP engine] [\fB\-f\fP flag] [\fB\-G\fP] [\fB\-g\fP generator] [\fB\-h\fP] [\fB\-I\fP date/offset] [\fB\-i\fP interval] [\fB\-K\fP directory] [\fB\-k\fP policy] [\fB\-L\fP ttl] [\fB\-l\fP file] [\fB\-n\fP nametype] [\fB\-P\fP date/offset] [\fB\-P\fP sync date/offset] [\fB\-p\fP protocol] [\fB\-q\fP] [\fB\-R\fP date/offset] [\fB\-S\fP key] [\fB\-s\fP strength] [\fB\-T\fP rrtype] [\fB\-t\fP type] [\fB\-V\fP] [\fB\-v\fP level] {name}
+.SH DESCRIPTION
+.sp
+\fBdnssec\-keygen\fP generates keys for DNSSEC (Secure DNS), as defined in
+\fI\%RFC 2535\fP and \fI\%RFC 4034\fP\&. It can also generate keys for use with TSIG
+(Transaction Signatures) as defined in \fI\%RFC 2845\fP, or TKEY (Transaction
+Key) as defined in \fI\%RFC 2930\fP\&.
+.sp
+The \fBname\fP of the key is specified on the command line. For DNSSEC
+keys, this must match the name of the zone for which the key is being
+generated.
+.sp
+The \fBdnssec\-keymgr\fP command acts as a wrapper
+around \fBdnssec\-keygen\fP, generating and updating keys
+as needed to enforce defined security policies such as key rollover
+scheduling. Using \fBdnssec\-keymgr\fP may be preferable
+to direct use of \fBdnssec\-keygen\fP\&.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-3\fP
+This option uses an NSEC3\-capable algorithm to generate a DNSSEC key. If this
+option is used with an algorithm that has both NSEC and NSEC3
+versions, then the NSEC3 version is selected; for example,
+\fBdnssec\-keygen \-3 \-a RSASHA1\fP specifies the NSEC3RSASHA1 algorithm.
+.TP
+.B \fB\-a algorithm\fP
+This option selects the cryptographic algorithm. For DNSSEC keys, the value of
+\fBalgorithm\fP must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
+RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448. For
+TKEY, the value must be DH (Diffie\-Hellman); specifying this value
+automatically sets the \fB\-T KEY\fP option as well.
+.sp
+These values are case\-insensitive. In some cases, abbreviations are
+supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
+ECDSAP384SHA384. If RSASHA1 is specified along with the \fB\-3\fP
+option, NSEC3RSASHA1 is used instead.
+.sp
+This parameter \fImust\fP be specified except when using the \fB\-S\fP
+option, which copies the algorithm from the predecessor key.
+.sp
+In prior releases, HMAC algorithms could be generated for use as TSIG
+keys, but that feature was removed in BIND 9.13.0. Use
+\fBtsig\-keygen\fP to generate TSIG keys.
+.TP
+.B \fB\-b keysize\fP
+This option specifies the number of bits in the key. The choice of key size
+depends on the algorithm used: RSA keys must be between 1024 and 4096
+bits; Diffie\-Hellman keys must be between 128 and 4096 bits. Elliptic
+curve algorithms do not need this parameter.
+.sp
+If the key size is not specified, some algorithms have pre\-defined
+defaults. For example, RSA keys for use as DNSSEC zone\-signing keys
+have a default size of 1024 bits; RSA keys for use as key\-signing
+keys (KSKs, generated with \fB\-f KSK\fP) default to 2048 bits.
+.TP
+.B \fB\-C\fP
+This option enables compatibility mode, which generates an old\-style key, without any timing
+metadata. By default, \fBdnssec\-keygen\fP includes the key\(aqs
+creation date in the metadata stored with the private key; other
+dates may be set there as well, including publication date, activation date,
+etc. Keys that include this data may be incompatible with older
+versions of BIND; the \fB\-C\fP option suppresses them.
+.TP
+.B \fB\-c class\fP
+This option indicates that the DNS record containing the key should have the
+specified class. If not specified, class IN is used.
+.TP
+.B \fB\-d bits\fP
+This option specifies the key size in bits. For the algorithms RSASHA1, NSEC3RSASA1, RSASHA256, and
+RSASHA512 the key size must be between 1024 and 4096 bits; DH size is between 128
+and 4096 bits. This option is ignored for algorithms ECDSAP256SHA256,
+ECDSAP384SHA384, ED25519, and ED448.
+.TP
+.B \fB\-E engine\fP
+This option specifies the cryptographic hardware to use, when applicable.
+.sp
+When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
+engine identifier that drives the cryptographic accelerator or
+hardware service module (usually \fBpkcs11\fP). When BIND is
+built with native PKCS#11 cryptography (\fB\-\-enable\-native\-pkcs11\fP), it
+defaults to the path of the PKCS#11 provider library specified via
+\fB\-\-with\-pkcs11\fP\&.
+.TP
+.B \fB\-f flag\fP
+This option sets the specified flag in the flag field of the KEY/DNSKEY record.
+The only recognized flags are KSK (Key\-Signing Key) and REVOKE.
+.TP
+.B \fB\-G\fP
+This option generates a key, but does not publish it or sign with it. This option is
+incompatible with \fB\-P\fP and \fB\-A\fP\&.
+.TP
+.B \fB\-g generator\fP
+This option indicates the generator to use if generating a Diffie\-Hellman key. Allowed
+values are 2 and 5. If no generator is specified, a known prime from
+\fI\%RFC 2539\fP is used if possible; otherwise the default is 2.
+.TP
+.B \fB\-h\fP
+This option prints a short summary of the options and arguments to
+\fBdnssec\-keygen\fP\&.
+.TP
+.B \fB\-K directory\fP
+This option sets the directory in which the key files are to be written.
+.TP
+.B \fB\-k policy\fP
+This option creates keys for a specific \fBdnssec\-policy\fP\&. If a policy uses multiple keys,
+\fBdnssec\-keygen\fP generates multiple keys. This also
+creates a \(dq.state\(dq file to keep track of the key state.
+.sp
+This option creates keys according to the \fBdnssec\-policy\fP configuration, hence
+it cannot be used at the same time as many of the other options that
+\fBdnssec\-keygen\fP provides.
+.TP
+.B \fB\-L ttl\fP
+This option sets the default TTL to use for this key when it is converted into a
+DNSKEY RR. This is the TTL used when the key is imported into a zone,
+unless there was already a DNSKEY RRset in
+place, in which case the existing TTL takes precedence. If this
+value is not set and there is no existing DNSKEY RRset, the TTL
+defaults to the SOA TTL. Setting the default TTL to \fB0\fP or \fBnone\fP
+is the same as leaving it unset.
+.TP
+.B \fB\-l file\fP
+This option provides a configuration file that contains a \fBdnssec\-policy\fP statement
+(matching the policy set with \fB\-k\fP).
+.TP
+.B \fB\-n nametype\fP
+This option specifies the owner type of the key. The value of \fBnametype\fP must
+either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
+(for a key associated with a host (KEY)), USER (for a key associated
+with a user (KEY)), or OTHER (DNSKEY). These values are
+case\-insensitive. The default is ZONE for DNSKEY generation.
+.TP
+.B \fB\-p protocol\fP
+This option sets the protocol value for the generated key, for use with
+\fB\-T KEY\fP\&. The protocol is a number between 0 and 255. The default
+is 3 (DNSSEC). Other possible values for this argument are listed in
+\fI\%RFC 2535\fP and its successors.
+.TP
+.B \fB\-q\fP
+This option sets quiet mode, which suppresses unnecessary output, including progress
+indication. Without this option, when \fBdnssec\-keygen\fP is run
+interactively to generate an RSA or DSA key pair, it prints a
+string of symbols to \fBstderr\fP indicating the progress of the key
+generation. A \fB\&.\fP indicates that a random number has been found which
+passed an initial sieve test; \fB+\fP means a number has passed a single
+round of the Miller\-Rabin primality test; and a space ( ) means that the
+number has passed all the tests and is a satisfactory key.
+.TP
+.B \fB\-S key\fP
+This option creates a new key which is an explicit successor to an existing key.
+The name, algorithm, size, and type of the key are set to match
+the existing key. The activation date of the new key is set to
+the inactivation date of the existing one. The publication date is
+set to the activation date minus the prepublication interval,
+which defaults to 30 days.
+.TP
+.B \fB\-s strength\fP
+This option specifies the strength value of the key. The strength is a number
+between 0 and 15, and currently has no defined purpose in DNSSEC.
+.TP
+.B \fB\-T rrtype\fP
+This option specifies the resource record type to use for the key. \fBrrtype\fP
+must be either DNSKEY or KEY. The default is DNSKEY when using a
+DNSSEC algorithm, but it can be overridden to KEY for use with
+SIG(0).
+.TP
+.B \fB\-t type\fP
+This option indicates the type of the key for use with \fB\-T KEY\fP\&. \fBtype\fP
+must be one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
+is AUTHCONF. AUTH refers to the ability to authenticate data, and
+CONF to the ability to encrypt data.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.UNINDENT
+.SH TIMING OPTIONS
+.sp
+Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
+argument begins with a \fB+\fP or \fB\-\fP, it is interpreted as an offset from
+the present time. For convenience, if such an offset is followed by one
+of the suffixes \fBy\fP, \fBmo\fP, \fBw\fP, \fBd\fP, \fBh\fP, or \fBmi\fP, then the offset is
+computed in years (defined as 365 24\-hour days, ignoring leap years),
+months (defined as 30 24\-hour days), weeks, days, hours, or minutes,
+respectively. Without a suffix, the offset is computed in seconds. To
+explicitly prevent a date from being set, use \fBnone\fP or \fBnever\fP\&.
+.INDENT 0.0
+.TP
+.B \fB\-P date/offset\fP
+This option sets the date on which a key is to be published to the zone. After
+that date, the key is included in the zone but is not used
+to sign it. If not set, and if the \fB\-G\fP option has not been used, the
+default is the current date.
+.TP
+.B \fB\-P sync date/offset\fP
+This option sets the date on which CDS and CDNSKEY records that match this key
+are to be published to the zone.
+.TP
+.B \fB\-A date/offset\fP
+This option sets the date on which the key is to be activated. After that date,
+the key is included in the zone and used to sign it. If not set,
+and if the \fB\-G\fP option has not been used, the default is the current date. If set,
+and \fB\-P\fP is not set, the publication date is set to the
+activation date minus the prepublication interval.
+.TP
+.B \fB\-R date/offset\fP
+This option sets the date on which the key is to be revoked. After that date, the
+key is flagged as revoked. It is included in the zone and
+is used to sign it.
+.TP
+.B \fB\-I date/offset\fP
+This option sets the date on which the key is to be retired. After that date, the
+key is still included in the zone, but it is not used to
+sign it.
+.TP
+.B \fB\-D date/offset\fP
+This option sets the date on which the key is to be deleted. After that date, the
+key is no longer included in the zone. (However, it may remain in the key
+repository.)
+.TP
+.B \fB\-D sync date/offset\fP
+This option sets the date on which the CDS and CDNSKEY records that match this
+key are to be deleted.
+.TP
+.B \fB\-i interval\fP
+This option sets the prepublication interval for a key. If set, then the
+publication and activation dates must be separated by at least this
+much time. If the activation date is specified but the publication
+date is not, the publication date defaults to this much time
+before the activation date; conversely, if the publication date is
+specified but not the activation date, activation is set to
+this much time after publication.
+.sp
+If the key is being created as an explicit successor to another key,
+then the default prepublication interval is 30 days; otherwise it is
+zero.
+.sp
+As with date offsets, if the argument is followed by one of the
+suffixes \fBy\fP, \fBmo\fP, \fBw\fP, \fBd\fP, \fBh\fP, or \fBmi\fP, the interval is
+measured in years, months, weeks, days, hours, or minutes,
+respectively. Without a suffix, the interval is measured in seconds.
+.UNINDENT
+.SH GENERATED KEYS
+.sp
+When \fBdnssec\-keygen\fP completes successfully, it prints a string of the
+form \fBKnnnn.+aaa+iiiii\fP to the standard output. This is an
+identification string for the key it has generated.
+.INDENT 0.0
+.IP \(bu 2
+\fBnnnn\fP is the key name.
+.IP \(bu 2
+\fBaaa\fP is the numeric representation of the algorithm.
+.IP \(bu 2
+\fBiiiii\fP is the key identifier (or footprint).
+.UNINDENT
+.sp
+\fBdnssec\-keygen\fP creates two files, with names based on the printed
+string. \fBKnnnn.+aaa+iiiii.key\fP contains the public key, and
+\fBKnnnn.+aaa+iiiii.private\fP contains the private key.
+.sp
+The \fB\&.key\fP file contains a DNSKEY or KEY record. When a zone is being
+signed by \fBnamed\fP or \fBdnssec\-signzone \-S\fP, DNSKEY records are
+included automatically. In other cases, the \fB\&.key\fP file can be
+inserted into a zone file manually or with an \fB$INCLUDE\fP statement.
+.sp
+The \fB\&.private\fP file contains algorithm\-specific fields. For obvious
+security reasons, this file does not have general read permission.
+.SH EXAMPLE
+.sp
+To generate an ECDSAP256SHA256 zone\-signing key for the zone
+\fBexample.com\fP, issue the command:
+.sp
+\fBdnssec\-keygen \-a ECDSAP256SHA256 example.com\fP
+.sp
+The command prints a string of the form:
+.sp
+\fBKexample.com.+013+26160\fP
+.sp
+In this example, \fBdnssec\-keygen\fP creates the files
+\fBKexample.com.+013+26160.key\fP and \fBKexample.com.+013+26160.private\fP\&.
+.sp
+To generate a matching key\-signing key, issue the command:
+.sp
+\fBdnssec\-keygen \-a ECDSAP256SHA256 \-f KSK example.com\fP
+.SH SEE ALSO
+.sp
+\fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, \fI\%RFC 2539\fP,
+\fI\%RFC 2845\fP, \fI\%RFC 4034\fP\&.
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.