Unix‎ > ‎Solaris‎ > ‎Solaris man pages‎ > ‎1m‎ > ‎


     dnssec-keygen - DNSSEC key generation tool

     dnssec-keygen -a algorithm -b keysize -n nametype [-ehk]
         [-c class] [-f flag] [-g generator] [-p protocol]
         [-r randomdev] [-s strength] [-t type] [-v level] name

     The dnssec-keygen utility generates keys for DNSSEC  (Secure
     DNS),  as defined in RFC 2535. It can also generate keys for
     use with TSIG (Transaction Signatures), as  defined  in  RFC

     The following options are supported:

     -a algorithm    Select  the  cryptographic  algorithm.   The
                     value  of  algorithm  must  be one of RSAMD5
                     (RSA) or RSASHA1, DSA, DH (Diffie  Hellman),
                     or  HMAC-MD5. These values are case insensi-
                     tive. For DNSSEC, RSASHA1 is a mandatory  to
                     implement  algorithm and DSA is recommended.
                     For TSIG, HMAC-MD5  is  mandatory.  HMAC-MD5
                     and DH automatically set the -k flag.

     -b keysize      Specify the number of bits in the  key.  The
                     choice  of key size depends on the algorithm
                     used.  RSAMD5  and  RSASHA1  keys  must   be
                     between  512  and  2048 bits. Diffie Hellman
                     keys must be between 128 and 4096 bits.  DSA
                     keys  must  be between 512 and 1024 bits and
                     an exact multiple of 64.  HMAC-MD5 keys must
                     be between 1 and 512 bits.

     -c class        Indicate that the DNS record containing  the
                     key  should have the specified class. If not
                     specified, class IN is used.

     -e              Use a large exponent if generating an RSAMD5
                     or RSASHA1 key.

     -f flag         Set the specified flag in the flag field  of
                     the  KEY/DNSKEY  record. The only recognized
                     flag is KSK (Key Signing Key) DNSKEY.

     -g generator    Use this generator if  generating  a  Diffie
                     Hellman  key. Allowed values are 2 and 5. If
                     no generator is  specified,  a  known  prime
                     from RFC 2539 will be used if possible; oth-
                     erwise the default is 2.

     -h              Print a short summary  of  the  options  and
                     arguments to dnssec-keygen.

     -k              Generate  KEY  records  rather  than  DNSKEY

     -n nametype     Specify the owner type of the key. The value
                     of  nametype  must  either  be  ZONE  (for a
                     DNSSEC zone key), HOST or ENTITY (for a  key
                     associated  with  a user) or OTHER (DNSKEY).
                     These values are case insensitive.

     -p protocol     Set the protocol  value  for  the  generated
                     key.  The  protocol  argument  is  a  number
                     between 0 and 255. The default is 3 (DNSSEC)
                     Other  possible values for this argument are
                     listed in RFC 2535 and its successors.

     -r randomdev    Specify the source  of  randomness.  If  the
                     operating   system   does   not   provide  a
                     /dev/random  or   equivalent   device,   the
                     default  source  of  randomness  is keyboard
                     input. The randomdev argument specifies  the
                     name  of a character device or file contain-
                     ing random data to be used  instead  of  the
                     default.  The  special  value keyboard indi-
                     cates that keyboard input should be used.

     -s strength     Specify the strength value of the  key.  The
                     strength  argument is a number between 0 and
                     15, and currently has no defined purpose  in

     -t type         Indicate the use of the key.  type  must  be
                     one  of  AUTHCONF,  NOAUTHCONF,  NOAUTH,  or
                     NOCONF. The default is AUTHCONF. AUTH refers
                     to  the  ability  to  authenticate data, and
                     CONF the ability to encrypt data.

     -v level        Set the debugging level.

     When  dnssec-keygen  completes  successfully,  it  prints  a
     string  of the form Knnnn.+aaa+iiiii to the standard output.
     This is an identification string for the  key  it  has  gen-

         o    nnnn is the key name.

         o    aaa is the numeric representation of the algorithm.

         o    iiiii is the key identifier (or footprint).

     The dnssec-keygen utility  creates  two  files,  with  names
     based on the printed string.

         o    Knnnn.+aaa+iiiii.key contains the public key.

         o    Knnnn.+aaa+iiiii.private contains the private key.

     The .key file contains a DNS KEY record that can be inserted
     into a zone file (directly or with a $INCLUDE statement).

     The .private file contains algorithm  specific  fields.  For
     obvious  security  reasons,  this file does not have general
     read permission.

     Both .key and .private files  are  generated  for  symmetric
     encryption  algorithm such as HMAC-MD5, even though the pub-
     lic and private key are equivalent.

     Example  1  Generate  a  768-bit  DSA  key  for  the  domain

     To generate a 768-bit DSA key for  the  domain  example.com,
     the following command would be issued:

       dnssec-keygen -a DSA -b 768 -n ZONE example.com

     The command would print a string of the form:


     Example 2 Create the files  Kexample.com.+003+26160.key  and

     In the following example, dnssec-keygen  creates  the  files
     Kexample.com.+003+26160.key                              and

     See attributes(5) for descriptions of the  following  attri-

    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    | Availability                | SUNWbind                    |
    | Interface Stability         | Volatile                    |

     dnssec-signzone(1M), attributes(5)

     RFC 2535, RFC 2845, RFC 2539

     BIND 9 Administrator Reference Manual

     Source for BIND9 is available in the SUNWbind9S package.

Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.