File: dnskeygen.1

Package: bind 1:8.4.7-1
.\" Copyright (c) 2004 by Internet Systems Consortium, Inc. ("ISC")
.\" Copyright (c) 1996,1999 by Internet Software Consortium
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES
.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
.\" MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR
.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT
.\" OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
.\"
.\" $Id: dnskeygen.1,v 8.9 2004/01/16 01:04:00 vixie Exp $
.\"
.Dd December 2, 1998
.Dt DNSKEYGEN @CMD_EXT_U@
.Os BSD 4
.Sh NAME
.Nm dnskeygen 
.Nd "generate public, private, and shared secret keys for DNS Security"
.Sh SYNOPSIS
.Nm dnskeygen
.Oo
.Fl Op Cm DHR
.Ar size
.Oc
.Op Fl F
.Op Fl Cm zhu
.Op Fl Cm a
.Op Fl Cm c
.Op Fl Cm p Ar num
.Op Fl Cm s Ar num
.Fl n Ar name
.Sh DESCRIPTION
.Ic Dnskeygen
(DNS Key Generator) is a tool to generate and maintain keys for DNS Security
within the DNS (Domain Name System).
.Nm Dnskeygen
can generate public and private keys to authenticate zone data, and shared
secret keys to be used for Request/Transaction signatures.
.Bl -tag -width Fl
.It Fl D
Dnskeygen will generate a
.Ic DSA/DSS
key.
.Dq size
must be one of [512, 576, 640, 704, 768, 832, 896, 960, 1024].
.It Fl H
Dnskeygen will generate an
.Ic HMAC-MD5
key.
.Dq size
must be between 128 and 504.
.It Fl R
Dnskeygen will generate an
.Ic RSA
key.
.Dq size
must be between 512 and 4096.
.It Fl F
.Ic ( RSA only )
Use a large exponent for key generation.
.It Fl z Fl h Fl u
These flags define the type of key being generated: Zone (DNS validation) key,
Host (host or service) key or User (e.g. email) key, respectively.
Each key is only allowed to be one of these.
.It Fl a 
Indicates that the key
.Ic CANNOT
be used for authentication.
.It Fl c 
Indicates that the key
.Ic CANNOT
be used for encryption.
.It Fl p Ar num
Sets the key's protocol field to
.Ar num ;
the default is
.Ic 3
(DNSSEC) if
.Dq Fl z
or
.Dq Fl h
is specified and
.Ic 2
(EMAIL) otherwise.  Other accepted values are
.Ic 1
(TLS),
.Ic 4
(IPSEC), and
.Ic 255
(ANY).
.It Fl s Ar num
Sets the key's strength field to
.Ar num ;
the default is
.Sy 0 .
.It Fl n Ar name
Sets the key's name to
.Ar name .
.El
.Ss DETAILS
.Ic Dnskeygen
stores each key in two files:
.Pa K<name>+<alg>+<footprint>.private
and
.Pa K<name>+<alg>+<footprint>.key .
The file
.Pa K<name>+<alg>+<footprint>.private
contains the private key in a portable format.  The file 
.Pa K<name>+<alg>+<footprint>.key
contains the public key in the DNS zone file format:
.Pp
.D1 Ar <name> IN KEY <flags> <algorithm> <protocol> <exponent|modulus>
.Pp
.Sh ENVIRONMENT
No environment variables are used.
.Sh SEE ALSO
.Em RFC 2065
on secure DNS and the
.Em TSIG
Internet Draft.
.Sh AUTHOR
Olafur Gudmundsson (ogud@tis.com).
.Sh ACKNOWLEDGMENTS
The underlying cryptographic math is done by the DNSSAFE and/or Foundation
Toolkit libraries.
.Sh BUGS
None are known at this time.
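
The option limits listed under DESCRIPTION, as an added example that is not part of dnskeygen.1 or the BIND distribution: a shell pre-flight function that rejects argument combinations the man page rules out and resolves the default protocol value. The function name, messages and summary line are made up for illustration; it never invokes dnskeygen, and it assumes the synopsis permits only one of -D, -H, -R per run.

```shell
# Added example, not part of BIND. Checks a proposed dnskeygen command line
# against the limits stated in dnskeygen.1; it never runs dnskeygen itself.
_kg_fail() { echo "dnskeygen_preflight: $1" >&2; }

dnskeygen_preflight() {
    OPTIND=1
    alg='' size='' types='' fflag=0 proto='' strength=0 name=''
    while getopts 'D:H:R:Fzhuacp:s:n:' opt; do
        case "$opt" in
            D|H|R) alg="$alg$opt"; size=$OPTARG ;;
            F)     fflag=1 ;;
            z|h|u) types="$types$opt" ;;
            a|c)   ;;   # restriction flags carry no value to validate
            p)     proto=$OPTARG ;;
            s)     strength=$OPTARG ;;
            n)     name=$OPTARG ;;
            *)     return 2 ;;
        esac
    done
    case "$alg" in
        '') ;;   # the synopsis brackets the algorithm flag as optional
        D)  case "$size" in
                512|576|640|704|768|832|896|960|1024) ;;
                *) _kg_fail "DSA size must be 512..1024 in steps of 64"; return 1 ;;
            esac ;;
        H|R)
            case "$size" in
                ''|*[!0-9]*) _kg_fail "size must be a number"; return 1 ;;
            esac
            if [ "$alg" = H ]; then lo=128 hi=504; else lo=512 hi=4096; fi
            [ "$size" -ge "$lo" ] && [ "$size" -le "$hi" ] ||
                { _kg_fail "-$alg size must be between $lo and $hi"; return 1; } ;;
        *)  _kg_fail "choose only one of -D, -H, -R"; return 1 ;;   # assumption
    esac
    [ "$fflag" -eq 0 ] || [ "$alg" = R ] ||
        { _kg_fail "-F applies to RSA keys only"; return 1; }
    [ "${#types}" -le 1 ] ||
        { _kg_fail "a key can be only one of -z, -h, -u"; return 1; }
    [ -n "$name" ] || { _kg_fail "-n name is required"; return 1; }
    if [ -z "$proto" ]; then   # default: 3 (DNSSEC) with -z or -h, else 2 (EMAIL)
        case "$types" in z|h) proto=3 ;; *) proto=2 ;; esac
    fi
    case "$proto" in
        1|2|3|4|255) ;;
        *) _kg_fail "protocol must be 1, 2, 3, 4 or 255"; return 1 ;;
    esac
    echo "alg=${alg:-unset} size=${size:-unset} type=${types:-unset}" \
         "protocol=$proto strength=$strength name=$name"
}
```

On success the function prints one summary line with the effective protocol and strength values and returns 0; on a rejected combination it writes the reason to stderr and returns non-zero.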