NAME
dnssec-keygen - key generation tool for DNSSEC
SYNOPSIS
dnssec-keygen [-a algorithm] [-b keysize] [-e] [-g generator] [-h]
[-n nametype] [-p protocol-value] [-r randomdev]
[-s strength-value] [-t type] [-v level] name
DESCRIPTION
dnssec-keygen generates keys for Secure DNS (DNSSEC) as defined in
RFC2535. It also generates keys for use in Transaction Signatures
(TSIG), as defined in RFC2845.
Argument
name Specifies the domain name for which the key is to
Options
-a algorithm This option is used to specify the encryption
algorithm. The algorithm can be RSAMD5, DH, DSA or
HMAC-MD5. RSA can also be used, which is
equivalent to RSAMD5.
The algorithm argument identifying the encryption
algorithm is case-insensitive. DNSSEC specifies
DSA as a mandatory algorithm and RSA as a
recommended one. Implementations of TSIG must
-b keysize This option is used to determine the number of
bits in the key. The choice of key size depends
on the algorithm that is used.
If the RSA algorithm is used, keysize must be between
512 and 2048 bits.
If the DH (Diffie-Hellman) algorithm is used,
keysize must be between 128 and 4096 bits.
If the DSA (Digital Signature Algorithm) is used,
keysize must be between 512 and 1024 bits and a
multiple of 64.
If the HMAC-MD5 algorithm is used, keysize should
be between 1 and 512 bits.
-e This option is used for generating RSA keys with a
large exponent value.
-g generator This option is used when creating Diffie-Hellman
keys. The -g option selects the Diffie-Hellman
generator that is to be used. The only supported
values for generator are 2 and 5. If no Diffie-Hellman
generator is supplied, a known prime from
RFC2539 will be used if possible; otherwise, 2
will be used as the generator.
Hewlett-Packard Company - 1 - HP-UX 11i Version 2: August 2003
-h A summary of the options and arguments to
dnssec-keygen is printed by this option.
-n nametype This option specifies how the generated key will
nametype can be either ZONE, HOST, ENTITY, or USER
to indicate that the key will be used for signing
a zone, host, entity or user, respectively. In
this context HOST and ENTITY are identical.
nametype is case-insensitive.
-p protocol-value This option sets the protocol value for the
generated key to protocol-value. The default is 2
(email) for keys of the type USER and 3 (DNSSEC)
for all other key types. Other possible values
for this argument are listed in RFC2535 and its
-r randomdev This option overrides the behaviour of
dnssec-keygen, which uses random numbers to seed the
process of generating keys when the system does not
have a /dev/random device to generate random numbers.
The dnssec-keygen program will prompt for keyboard
input and use the time intervals between
keystrokes to provide randomness. With this
option it will use randomdev as a source of random
-s strength-value This option is used to set the key's strength
value. The generated key will sign DNS resource
records with a strength value of strength-value.
It should be a number in the range 0-15. The
default strength is zero. The key strength field
currently has no defined purpose in DNSSEC.
-t type This option indicates if the key is used for
authentication or confidentiality. type can be
either AUTHCONF, NOAUTHCONF, NOAUTH or NOCONF.
The default is AUTHCONF. If type is AUTHCONF, the
key can be used for authentication and
confidentiality. Setting type to NOAUTHCONF
indicates that the key cannot be used for
authentication or confidentiality. A value of
NOAUTH means the key can be used for
confidentiality but not for authentication.
Similarly, NOCONF defines that the key cannot be
used for confidentiality though it can be used for
-v level This option can be used to make dnssec-keygen more
verbose. As the debugging/tracing level
increases, dnssec-keygen generates increasingly
detailed reports about what it is doing. The
default level is zero.
Generated Keys
When dnssec-keygen completes, it prints a string in the form
Knnnn.+aaa+iiiii on the standard output. This is an identification
string for the key it has generated. These strings can be supplied as
arguments to the dnssec-makekeyset utility.
The nnnn part is the dot-terminated domain name given by name. The
DNSSEC algorithm identifier is indicated by aaa: 001 for RSA, 002 for
Diffie-Hellman, 003 for DSA, or 157 for HMAC-MD5. iiiii is a five-digit
number identifying the key.
dnssec-keygen creates two files. The file names are adapted from the
key identification string above. They have names in the form:
These contain the public and private parts of the key respectively.
The files generated by dnssec-keygen follow this naming convention to
make it easy for the signing tool dnssec-signzone to identify which
file(s) have to be read to find the necessary key(s) for generating or
The .key file contains a KEY resource record that can be inserted into
a zone file with a $INCLUDE statement. The private part of the key is
in the .private file. It contains details of the encryption algorithm
that was used and any relevant parameters: prime number, exponent,
modulus, subprime, etc. For obvious security reasons, this file does
not have general read permission. The private part of the key is used
by dnssec-signzone to generate signatures and the public part is used
to verify the signatures. Both a .key and a .private file are
generated even for a symmetric algorithm such as HMAC-MD5, in which
case the public and private keys are identical.
EXAMPLE
To generate a 768-bit DSA key for the domain example.com, the
following command would be issued:
dnssec-keygen -a DSA -b 768 -n ZONE example.com
The command prints the key identification string
Kexample.com.+003+26160, indicating a DSA key with identifier 26160.
It would have created the files
containing the public and private keys respectively for the generated
FILES
SEE ALSO
dnssec-makekeyset(1), dnssec-signkey(1), dnssec-signzone(1), RFC2535,
BUGS
The naming convention for the public and private key files is a little
clumsy. It won't work for domain names that are longer than 236
characters, because the .+aaa+iiiii.private suffix results in file
names that are too long for most UNIX systems.