 dnssec-keygen(1)                                           dnssec-keygen(1)

 NAME
      dnssec-keygen - key generation tool for DNSSEC

 SYNOPSIS
      dnssec-keygen [-a algorithm] [-b keysize] [-e] [-g generator] [-h]
           [-n nametype] [-p protocol-value] [-r randomdev]
           [-s strength-value] [-t type] [-v level] name

 DESCRIPTION
      dnssec-keygen generates keys for Secure DNS (DNSSEC) as defined in
      RFC2535.  It also generates keys for use in Transaction Signatures
      (TSIG) which is defined in RFC2845.

    Argument
           name           Specifies the domain name for which the key is to
                          be generated.

    Options
           -a algorithm   This option is used to specify the encryption
                          algorithm. The algorithm can be RSAMD5, DH, DSA or
                          HMAC-MD5.  RSA can also be used, which is
                          equivalent to RSAMD5.

                          The algorithm argument identifying the encryption
                          algorithm is case-insensitive.  DNSSEC specifies
                          DSA as a mandatory algorithm and RSA as a
                          recommended one.  Implementations of TSIG must
                          support HMAC-MD5.

           -b keysize     This option is used to determine the number of
                          bits in the key.  The choice of key size depends
                          on the algorithm that is used.

                          If the RSA algorithm is used, keysize must be
                          between 512 and 2048 bits.

                          If the DH (Diffie-Hellman) algorithm is used,
                          keysize must be between 128 and 4096 bits.

                          If the DSA (Digital Signature Algorithm) is used,
                          keysize must be between 512 and 1024 bits and a
                          multiple of 64.

                          If the HMAC-MD5 algorithm is used, keysize should
                          be between 1 and 512 bits.

           -e             This option is used for generating RSA keys with a
                          large exponent value.

           -g generator   This option is used when creating Diffie-Hellman
                          keys.  The -g option selects the Diffie-Hellman
                          generator that is to be used.  The only supported
                          values for generator are 2 and 5.  If no Diffie-
                          Hellman generator is supplied, a known prime from
                          RFC2539 will be used if possible; otherwise, 2
                          will be used as the generator.

           -h             A summary of the options and arguments to dnssec-
                          keygen is printed by this option.

           -n nametype    This option specifies how the generated key will
                          be used.

                          nametype can be either ZONE, HOST, ENTITY, or USER
                          to indicate that the key will be used for signing
                          a zone, host, entity or user, respectively.  In
                          this context HOST and ENTITY are identical.
                          nametype is case-insensitive.

           -p protocol-value
                          This option sets the protocol value for the
                          generated key to protocol-value.  The default is 2
                          (email) for keys of the type USER and 3 (DNSSEC)
                          for all other key types.  Other possible values
                          for this argument are listed in RFC2535 and its

           -r randomdev   This option overrides the way dnssec-keygen
                          obtains random numbers to seed key generation
                          when the system does not have a /dev/random
                          device.  Without it, dnssec-keygen prompts for
                          keyboard input and uses the time intervals between
                          keystrokes to provide randomness.  With this
                          option it will use randomdev as a source of random

           -s strength-value
                          This option is used to set the key's strength
                          value.  The generated key will sign DNS resource
                          records with a strength value of strength-value.
                          It should be a number in the range 0-15.  The
                          default strength is zero.  The key strength field
                          currently has no defined purpose in DNSSEC.

           -t type        This option indicates if the key is used for
                          authentication or confidentiality.  type can be
                          either AUTHCONF, NOAUTHCONF, NOAUTH or NOCONF.
                          The default is AUTHCONF.  If type is AUTHCONF, the
                          key can be used for authentication and
                          confidentiality.  Setting type to NOAUTHCONF
                          indicates that the key cannot be used for
                          authentication or confidentiality.  A value of
                          NOAUTH means the key can be used for
                          confidentiality but not for authentication.
                          Similarly, NOCONF defines that the key cannot be
                          used for confidentiality though it can be used for

           -v level       This option can be used to make dnssec-keygen more
                          verbose.  As the debugging/tracing level
                          increases, dnssec-keygen generates increasingly
                          detailed reports about what it is doing.  The
                          default level is zero.

    Generated Keys
      When dnssec-keygen completes, it prints a string in the form
      Knnnn.+aaa+iiiii on the standard output.  This is an identification
      string for the key it has generated.  These strings can be supplied as
      arguments to the dnssec-makekeyset utility.

      The nnnn part is the dot-terminated domain name given by name.  The
      DNSSEC algorithm identifier is indicated by aaa: 001 for RSA, 002 for
      Diffie-Hellman, 003 for DSA, or 157 for HMAC-MD5.  iiiii is a five-digit
      number identifying the key.

      dnssec-keygen creates two files.  The file names are adapted from the
      key identification string above.  They have names in the form:

           Knnnn.+aaa+iiiii.key and
           Knnnn.+aaa+iiiii.private

      These contain the public and private parts of the key respectively.
      The files generated by dnssec-keygen follow this naming convention to
      make it easy for the signing tool dnssec-signzone to identify which
      file(s) have to be read to find the necessary key(s) for generating or
      validating signatures.

      The .key file contains a KEY resource record that can be inserted into
      a zone file with a $INCLUDE statement.  The private part of the key is
      in the .private file.  It contains details of the encryption algorithm
      that was used and any relevant parameters: prime number, exponent,
      modulus, subprime, etc.  For obvious security reasons, this file does
      not have general read permission.  The private part of the key is used
      by dnssec-signzone to generate signatures and the public part is used
      to verify the signatures.  Both .key and .private files are generated
      for symmetric algorithms such as HMAC-MD5, even though the public and
      private key are equivalent.
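      As an added example (not code from the HP-UX manual or from BIND), the
      following Python models the -b key size rules from the Options section
      and the Knnnn.+aaa+iiiii identification string and file naming described
      in this section, including the name-length limit noted under BUGS.  The
      regular expression, the 236-character cut-off and the .private mode check
      are this example's own reading of the text, not behaviour taken from the
      tool.

```python
# Added example (not HP-UX or BIND code): models the -b limits from Options
# and the Knnnn.+aaa+iiiii naming from Generated Keys of dnssec-keygen(1).
import re
import stat

# Permitted key sizes per algorithm, exactly as the -b description states.
KEYSIZE_LIMITS = {
    "RSAMD5": (512, 2048),
    "RSA": (512, 2048),       # RSA is an alias for RSAMD5
    "DH": (128, 4096),
    "DSA": (512, 1024),       # and must be a multiple of 64
    "HMAC-MD5": (1, 512),
}

# DNSSEC algorithm numbers as printed in the aaa field.
ALGORITHM_NUMBERS = {1: "RSA", 2: "Diffie-Hellman", 3: "DSA", 157: "HMAC-MD5"}
# BUGS: names longer than this make the .private file name too long (assumed).
MAX_NAME_LEN = 236

def keysize_ok(algorithm, keysize):
    """True if keysize is acceptable for algorithm under the -b rules."""
    alg = algorithm.upper()  # -a is case-insensitive
    if alg not in KEYSIZE_LIMITS:
        return False
    low, high = KEYSIZE_LIMITS[alg]
    if not low <= keysize <= high:
        return False
    return alg != "DSA" or keysize % 64 == 0

def parse_key_id(key_id):
    """Split Knnnn.+aaa+iiiii into (name, algorithm name, key number)."""
    m = re.fullmatch(r"K(?P<name>.+\.)\+(?P<aaa>\d{3})\+(?P<iiiii>\d{5})", key_id)
    if m is None:
        raise ValueError("not a dnssec-keygen identification string: %r" % key_id)
    alg = int(m.group("aaa"))
    if alg not in ALGORITHM_NUMBERS:
        raise ValueError("unknown algorithm number %03d" % alg)
    return m.group("name"), ALGORITHM_NUMBERS[alg], int(m.group("iiiii"))

def key_file_names(key_id):
    """Return the (.key, .private) file names, refusing over-long names."""
    name, _, _ = parse_key_id(key_id)
    if len(name) > MAX_NAME_LEN:
        raise ValueError("domain name longer than %d characters" % MAX_NAME_LEN)
    return key_id + ".key", key_id + ".private"

def private_file_mode_ok(mode):
    """True if a .private file's mode grants no group or other read access."""
    return not mode & (stat.S_IRGRP | stat.S_IROTH)
```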

 EXAMPLE
      To generate a 768-bit DSA key for the domain example.com, the
      following command would be issued:

           dnssec-keygen -a DSA -b 768 -n ZONE example.com

      dnssec-keygen has printed the key identification string
      Kexample.com.+003+26160, indicating a DSA key with identifier 26160.
      It would have created the files

           Kexample.com.+003+26160.key and
           Kexample.com.+003+26160.private

      containing the public and private keys respectively for the generated
      DSA key.

 FILES

 SEE ALSO
      dnssec-makekeyset(1), dnssec-signkey(1), dnssec-signzone(1), RFC2535,
      RFC2845, RFC2539.

 BUGS
      The naming convention for the public and private key files is a little
      clumsy.  It won't work for domain names that are longer than 236
      characters because the .+aaa+iiiii.private suffix results in filenames
      that are too long for most UNIX systems.

 Hewlett-Packard Company            - 4 -   HP-UX 11i Version 2: August 2003