dnskeygen(1M)




NAME

     dnskeygen - generate public, private, and shared secret keys
     for DNS


SYNOPSIS

     dnskeygen [ [-DHR] size] [-F] [-zhu] [-a] [-c] [-p num] [-s num] -n name


DESCRIPTION

     The dnskeygen utility generates and maintains keys for Domain
     Name System ("DNS") security. Use dnskeygen to generate public
     and private keys to authenticate zone data, or shared secret
     keys for request and transaction signatures.

     dnskeygen stores each key in two files:

     K<name>+<algorithm>+<footprint>.private

     and

     K<name>+<algorithm>+<footprint>.key

     The private key is stored in a portable format within
     K<name>+<alg>+<footprint>.private. The public key is stored in
     K<name>+<alg>+<footprint>.key in the DNS zone file format:

     <name> IN KEY <flags> <algorithm> <protocol> <exponent|modulus>

     The underlying cryptographic math is done by the DNSSAFE and
     Foundation Toolkit libraries.


OPTIONS

     The dnskeygen utility supports the following options:

     -D     Generate a DSA/DSS key. The value of size must be one of
            the following: 512, 576, 640, 704, 768, 832, 896, 960 or
            1024.

     -F     Use a large exponent for key generation. Use for RSA only.

     -H     Generate an HMAC-MD5 key. The value of size must be
            between 128 and 504.

     -R     Generate an RSA key. The value of size must be between
            512 and 4096.

     -a     Cannot use key for authentication.

     -c     Cannot use key for encryption.

     -h     Generate host or service key.

     -n name
            Set the key's name to name.

     -p num
            Set the key's protocol field to num. The values for num
            are as follows:

            3     If -z or -h is specified (DNSSEC), this is the
                  default value.

            2     Unless specified, the default value for all other
                  options.

            1     Use this value for TLS.

            4     Use this value for IPSEC.

            255   Use this value for ANY.

     -s num
            Set the key's strength field to num. The default value
            of num is 0.

     -u     Generate User key, for example, for email.

     -z     Generate Zone key for DNS validation.
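     The following Python script is an added example and is not part
     of dnskeygen, BIND or Solaris. It reads one line of a .key file
     in the layout described above, decodes the flag bits that -a,
     -c, -u, -z and -h set, recomputes the footprint that appears in
     the K<name>+<alg>+<footprint> file name, and checks that the
     protocol field matches the use the key was generated for (the
     -p values listed above). It assumes the KEY RDATA field order
     given by RFC 2065 (flags, protocol, algorithm, key), the key
     footprint calculation of RFC 2535 Appendix C with BIND's
     %03d/%05d file-name formatting, the RFC 2065 flag bit
     positions, and algorithm numbers 1 (RSA/MD5), 3 (DSA) and 157
     (HMAC-MD5); none of these are stated by this page. The sample
     record is constructed and is not a real key.

```python
"""Check a dnskeygen-style .key record against its file name and intended use.

Added example, not BIND or Solaris code. Assumptions are marked in comments.
"""
import base64
from dataclasses import dataclass

# -p values documented by the dnskeygen man page.
PROTOCOLS = {1: "TLS", 2: "email", 3: "DNSSEC", 4: "IPSEC", 255: "ANY"}
# Algorithm numbers (assumption: RFC 2535 values for RSA/MD5 and DSA,
# and the private-use number 157 that BIND assigns to HMAC-MD5).
ALGORITHMS = {1: "RSA/MD5", 3: "DSA", 157: "HMAC-MD5"}
# Flag bits (assumption: RFC 2065 layout). -a sets NO_AUTH, -c sets NO_CONF,
# -u/-z/-h select the name-type bits.
NO_AUTH, NO_CONF = 0x8000, 0x4000
NAME_TYPES = {0x0000: "user", 0x0100: "zone", 0x0200: "host"}


@dataclass
class KeyRecord:
    name: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes

    def rdata(self) -> bytes:
        """Wire-format RDATA: flags(2) protocol(1) algorithm(1) key (RFC 2065 order)."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.pubkey


def make_key_line(name: str, flags: int, protocol: int, algorithm: int, pubkey: bytes) -> str:
    """Render a record in the .key file layout; used here to build constructed samples."""
    return f"{name} IN KEY {flags} {protocol} {algorithm} {base64.b64encode(pubkey).decode()}"


def parse_key_record(line: str) -> KeyRecord:
    """Parse "<name> IN KEY <flags> <protocol> <algorithm> <base64 key>"."""
    parts = line.split()
    if len(parts) < 6 or parts[1].upper() != "IN" or parts[2].upper() != "KEY":
        raise ValueError(f"not a KEY record: {line!r}")
    flags, protocol, algorithm = (int(p) for p in parts[3:6])
    if not (0 <= flags <= 0xFFFF and 0 <= protocol <= 255 and 0 <= algorithm <= 255):
        raise ValueError("KEY field out of range")
    return KeyRecord(parts[0], flags, protocol, algorithm, base64.b64decode("".join(parts[6:])))


def key_footprint(rec: KeyRecord) -> int:
    """Footprint per RFC 2535 Appendix C (assumption: what dnskeygen puts in the file name)."""
    rdata = rec.rdata()
    if rec.algorithm == 1:
        # RSA/MD5: most significant 16 bits of the low 24 bits of the modulus,
        # which is the trailing part of the key field.
        return int.from_bytes(rdata[-3:-1], "big")
    acc = 0
    for i, octet in enumerate(rdata):
        acc += octet << 8 if i % 2 == 0 else octet
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def expected_basename(rec: KeyRecord) -> str:
    """K<name>+<alg>+<footprint> with BIND's zero-padded widths (assumption)."""
    return f"K{rec.name}+{rec.algorithm:03d}+{key_footprint(rec):05d}"


def describe_flags(flags: int) -> dict:
    """Translate the flags field back into the dnskeygen options that set it."""
    return {
        "auth": not flags & NO_AUTH,
        "conf": not flags & NO_CONF,
        "name_type": NAME_TYPES.get(flags & 0x0300, "reserved"),
    }


def audit_key_file(filename: str, line: str, intended_use: str) -> list:
    """Return findings; an empty list means the file is consistent with its name and purpose."""
    rec = parse_key_record(line)
    findings = []
    want = expected_basename(rec) + ".key"
    if filename != want:
        findings.append(f"file name {filename} does not match record ({want})")
    if rec.algorithm not in ALGORITHMS:
        findings.append(f"unknown algorithm {rec.algorithm}")
    wanted_proto = {v: k for k, v in PROTOCOLS.items()}[intended_use]
    if rec.protocol not in (wanted_proto, 255):
        findings.append(f"protocol {rec.protocol} ({PROTOCOLS.get(rec.protocol, '?')}) "
                        f"does not match intended use {intended_use}")
    bits = describe_flags(rec.flags)
    if intended_use == "DNSSEC" and bits["name_type"] not in ("zone", "host"):
        findings.append("DNSSEC key should be a zone (-z) or host (-h) key")
    if not bits["auth"]:
        findings.append("key is flagged as not usable for authentication (-a)")
    return findings


# Constructed sample: a DSA zone key with a 4-octet stand-in key field (not a real key).
SAMPLE_LINE = make_key_line("example.com.", 0x0100, 3, 3, bytes([1, 2, 3, 4]))

if __name__ == "__main__":
    print(expected_basename(parse_key_record(SAMPLE_LINE)))
    print(audit_key_file("Kexample.com.+003+02057.key", SAMPLE_LINE, "DNSSEC"))
    print(audit_key_file("Kexample.com.+003+02057.key", SAMPLE_LINE, "TLS"))
```

     Run it against a real .key file by passing the file's single
     record line and its basename; any finding indicates the key was
     generated with options that do not match how it is deployed.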


ATTRIBUTES

     See attributes(5) for descriptions of the following attributes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWcsu                     |
    |_____________________________|_____________________________|
    | Interface Stability         | Standard Bind 8.2.4         |
    |_____________________________|_____________________________|


SEE ALSO

     attributes(5)

     Eastlake III, D. and Kaufman, C. RFC 2065, Domain Name System
     Security Extension. Network Working Group. January 1997.

     Vixie, P., Gudmundsson, O., Eastlake III, D., and Wellington,
     B. RFC 2845, Secret Key Transaction Authentication for DNS
     (TSIG). Network Working Group. May 2000.
