Charles Steinkuehler's LEAF/LRP Website




     dnskeygen [-[DHR] size] [-F] -[zhu] [-a] [-c] [-p num] [-s num] -n name


     Dnskeygen (DNS Key Generator) is a tool to generate and maintain keys for
     DNS Security within the DNS (Domain Name System).  Dnskeygen can generate
     public and private keys to authenticate zone data, and shared secret keys
     to be used for Request/Transaction signatures.

     -D          Dnskeygen will generate a DSA/DSS key.  ``size'' must be one
                 of [512, 576, 640, 704, 768, 832, 896, 960, 1024].

     -H          Dnskeygen will generate an HMAC-MD5 key.  ``size'' must be
                 between 128 and 504.

     -R          Dnskeygen will generate an RSA key.  ``size'' must be between
                 512 and 4096.

     -F          (RSA only) Use a large exponent for key generation.

     -z -h -u    These flags define the type of key being generated: Zone (DNS
                 validation) key, Host (host or service) key or User (e.g.
                 email) key, respectively.  Each key is only allowed to be one
                 of these.

     -a          Indicates that the key CANNOT be used for authentication.

     -c          Indicates that the key CANNOT be used for encryption.

     -p num      Sets the key's protocol field to num ; the default is 3
                 (DNSSEC) if ``-z'' or ``-h'' is specified and 2 (EMAIL) oth­
                 erwise.  Other accepted values are 1 (TLS), 4 (IPSEC), and
                 255 (ANY).

     -s num      Sets the key's strength field to num; the default is 0.

     -n name     Sets the key's name to name.

     Dnskeygen stores each key in two files: K<name>+<alg>+<footprint>.private
     and K<name>+<alg>+<footprint>.key The file
     K<name>+<alg>+<footprint>.private contains the private key in a portable
     format.  The file K<name>+<alg>+<footprint>.key contains the public key
     in the DNS zone file format:

           <name> IN KEY <flags> <algorithm> <protocol> <exponent|modulus>


     No environmental variables are used.


     RFC 2065 on secure DNS and the TSIG Internet Draft.


Man(1) output converted with man2html