dnskeygen(1M)
NAME
dnskeygen - generate public, private, and shared secret keys
for DNS
SYNOPSIS
dnskeygen [ [-DHR] size] [-F] [-zhu] [-a] [-c] [-p num] [-s
num] -n name
DESCRIPTION
The dnskeygen utility generates and maintains keys for DNS
security within the Domain Name System ("DNS"). Use dnskeygen
to generate public and private keys to authenticate zone
data, or shared secret keys for request and transaction
signatures.
dnskeygen stores each key in two files:
K<name>+<algorithm>+<footprint>.private
and
K<name>+<algorithm>+<footprint>.key
The private key is stored in a portable format within
K<name>+<algorithm>+<footprint>.private. The public key is
stored in K<name>+<algorithm>+<footprint>.key in the DNS zone
file format:
<name> IN KEY <flags> <algorithm> <protocol> <exponent|modulus>
The underlying cryptographic math is done by the DNSSAFE and
Foundation Toolkit libraries.
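The file naming scheme described above can be checked mechanically. The following Python code is an added example, not part of dnskeygen or of the original manual page: it pairs up the two files of each key in a directory and reports .private files that group or other can access, and keys with one file missing. It assumes that <algorithm> and <footprint> are decimal numbers; the name audit_key_dir and the sample file names are hypothetical.

```python
import os
import re
import stat
import tempfile

# K<name>+<algorithm>+<footprint>.private / .key, as in DESCRIPTION.
# Assumption: <algorithm> and <footprint> are decimal numbers.
KEYFILE_RE = re.compile(
    r"^K(?P<name>.+)\+(?P<alg>\d+)\+(?P<footprint>\d+)\.(?P<kind>private|key)$"
)


def audit_key_dir(path):
    """Return sorted (filename, problem) findings for key files in path."""
    halves = {}    # (name, alg, footprint) -> set of kinds seen
    findings = []
    for fn in os.listdir(path):
        m = KEYFILE_RE.match(fn)
        if not m:
            continue  # not a dnskeygen output file
        key_id = (m["name"], m["alg"], m["footprint"])
        halves.setdefault(key_id, set()).add(m["kind"])
        if m["kind"] == "private":
            mode = stat.S_IMODE(os.stat(os.path.join(path, fn)).st_mode)
            # Private or shared-secret material should be owner-only.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(
                    (fn, "private key accessible to group/other (mode %04o)" % mode)
                )
    for (name, alg, footprint), kinds in halves.items():
        for missing in {"private", "key"} - kinds:
            findings.append(
                ("K%s+%s+%s.%s" % (name, alg, footprint, missing),
                 "missing half of key pair")
            )
    return sorted(findings)


if __name__ == "__main__":
    # Constructed sample: empty placeholder files, not real keys.
    with tempfile.TemporaryDirectory() as d:
        for fn, mode in [("Kexample.com.+001+12345.private", 0o644),
                         ("Kexample.com.+001+12345.key", 0o644),
                         ("Khost-a.+157+00000.private", 0o600)]:
            p = os.path.join(d, fn)
            open(p, "w").close()
            os.chmod(p, mode)
        for fn, problem in audit_key_dir(d):
            print(fn + ": " + problem)
```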
OPTIONS
The dnskeygen utility supports the following options:
-D Generate a DSA/DSS key. The value of size must be one
of the following: 512, 576, 640, 704, 768, 832, 896,
960 or 1024.
-F Use a large exponent for key generation. Use for RSA
only.
-H Generate a HMAC-MD5 key. The value of size must be
between 128 and 504.
-R Generate an RSA key. The value of size must be
between 512 and 4096.
-a Cannot use key for authentication.
-c Cannot use key for encryption.
-h Generate host or service key.
-n name
Set the key's name to name.
-p num
Set the key's protocol field to num. The values for
num are as follows:
3 If -z or -h is specified (DNSSEC), this is the
default value.
2 Unless specified, the default value for all
other options.
1 Use this value for TLS.
4 Use this value for IPSEC.
255 Use this value for ANY.
-s num
Set the key's strength field to num. The default value
of num is 0.
-u Generate User key, for example, for email.
-z Generate Zone key for DNS validation.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
____________________________________________________________
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
|_____________________________|_____________________________|
| Availability                | SUNWcsu                     |
|_____________________________|_____________________________|
| Interface Stability         | Standard Bind 8.2.4         |
|_____________________________|_____________________________|
SEE ALSO
attributes(5)
Eastlake III, D. and Kaufman, C. RFC 2065, Domain Name
System Security Extension. Network Working Group. January 1997.
Vixie, P., Gudmundsson, O., Eastlake III, D., and
Wellington, B. RFC 2845, Secret Key Transaction Authentication
for DNS (TSIG). Network Working Group. May 2000.