d4ef6505 1<!--
843d3896 2 - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d4ef6505 3 -
4 - This Source Code Form is subject to the terms of the Mozilla Public
5 - License, v. 2.0. If a copy of the MPL was not distributed with this
6 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 -
8 - See the COPYRIGHT file distributed with this work for additional
9 - information regarding copyright ownership.
d4ef6505 10-->
2eeb74d1 11
14a656f9 12<!-- Converted by db4-upgrade version 1.0 -->
1b8ce3b3 13<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
14 <info>
15 <date>2014-02-06</date>
16 </info>
0b062f49 17 <refentryinfo>
e939674d 18 <date>August 21, 2015</date>
19 <corpname>ISC</corpname>
20 <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
21 </refentryinfo>
22
23 <refmeta>
24 <refentrytitle><application>dnssec-keygen</application></refentrytitle>
25 <manvolnum>8</manvolnum>
26 <refmiscinfo>BIND9</refmiscinfo>
27 </refmeta>
28
29 <refnamediv>
30 <refname><application>dnssec-keygen</application></refname>
31 <refpurpose>DNSSEC key generation tool</refpurpose>
32 </refnamediv>
33
34 <docinfo>
35 <copyright>
36 <year>2000</year>
37 <year>2001</year>
38 <year>2002</year>
39 <year>2003</year>
40 <year>2004</year>
41 <year>2005</year>
c1a883f2 42 <year>2007</year>
3398334b 43 <year>2008</year>
dde86591 44 <year>2009</year>
f428e385 45 <year>2010</year>
207cee01 46 <year>2011</year>
99d8f5a7 47 <year>2012</year>
6ea23853 48 <year>2014</year>
a6ca1009 49 <year>2015</year>
1c6d1ca3 50 <year>2016</year>
6ce8a05f 51 <year>2017</year>
19b7c049 52 <year>2018</year>
dc64b706 53 <year>2019</year>
54 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
55 </copyright>
56 </docinfo>
57
0b062f49 58 <refsynopsisdiv>
14a656f9 59 <cmdsynopsis sepchar=" ">
0b062f49 60 <command>dnssec-keygen</command>
61 <arg choice="opt" rep="norepeat"><option>-3</option></arg>
62 <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
63 <arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
64 <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
65 <arg choice="opt" rep="norepeat"><option>-C</option></arg>
66 <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
67 <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d 68 <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
69 <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
70 <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
71 <arg choice="opt" rep="norepeat"><option>-G</option></arg>
72 <arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
73 <arg choice="opt" rep="norepeat"><option>-h</option></arg>
74 <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
75 <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
76 <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
14a656f9 77 <arg choice="opt" rep="norepeat"><option>-k</option></arg>
e939674d 78 <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
1954f8d2 79 <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
14a656f9 80 <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d 81 <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
82 <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
83 <arg choice="opt" rep="norepeat"><option>-q</option></arg>
84 <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
85 <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
86 <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
87 <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
14a656f9 88 <arg choice="opt" rep="norepeat"><option>-V</option></arg>
e939674d 89 <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
14a656f9 90 <arg choice="req" rep="norepeat">name</arg>
91 </cmdsynopsis>
92 </refsynopsisdiv>
93
14a656f9 94 <refsection><info><title>DESCRIPTION</title></info>
30eec077 95
96 <para><command>dnssec-keygen</command>
97 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
561a29af 98 and RFC 4034. It can also generate keys for use with
99 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
100 (Transaction Key) as defined in RFC 2930.
0b062f49 101 </para>
102 <para>
103 The <option>name</option> of the key is specified on the command
104 line. For DNSSEC keys, this must match the name of the zone for
105 which the key is being generated.
106 </para>
107 <para>
108 The <command>dnssec-keymgr</command> command acts as a wrapper
109 around <command>dnssec-keygen</command>, generating and updating keys
110 as needed to enforce defined security policies such as key rollover
111 scheduling. Using <command>dnssec-keymgr</command> may be preferable
112 to direct use of <command>dnssec-keygen</command>.
113 </para>
14a656f9 114 </refsection>
0b062f49 115
14a656f9 116 <refsection><info><title>OPTIONS</title></info>
30eec077 117
118
119 <variablelist>
120
121 <varlistentry>
122 <term>-3</term>
123 <listitem>
124 <para>
125 Use an NSEC3-capable algorithm to generate a DNSSEC key.
126 If this option is used with an algorithm that has both
127 NSEC and NSEC3 versions, then the NSEC3 version will be
128 used; for example, <command>dnssec-keygen -3a RSASHA1</command>
129 specifies the NSEC3RSASHA1 algorithm.
130 </para>
131 </listitem>
132 </varlistentry>
133
0b062f49 134 <varlistentry>
135 <term>-a <replaceable class="parameter">algorithm</replaceable></term>
136 <listitem>
137 <para>
          Selects the cryptographic algorithm. For DNSSEC keys, the value
          of <option>algorithm</option> must be one of RSASHA1,
          NSEC3RSASHA1, RSASHA256, RSASHA512,
          ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
          TKEY, the value must be DH (Diffie Hellman); specifying
          this value will automatically set the <option>-T KEY</option>
          option as well.
        </para>
        <para>
          RSASHA1 and NSEC3RSASHA1 are based on SHA-1 and are no longer
          recommended for signing new zones (see RFC 8624); they remain
          available so that existing signatures can still be validated.
          For new keys, prefer ECDSAP256SHA256, ED25519, or RSASHA256.
        </para>
e939674d 146 <para>
147 These values are case insensitive. In some cases, abbreviations
148 are supported, such as ECDSA256 for ECDSAP256SHA256 and
d6c50674 149 ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
45afdb26 150 along with the <option>-3</option> option, then NSEC3RSASHA1
d6c50674 151 will be used instead.
152 </para>
153 <para>
154 This parameter <emphasis>must</emphasis> be specified except
155 when using the <option>-S</option> option, which copies the
156 algorithm from the predecessor key.
157 </para>
158 <para>
159 In prior releases, HMAC algorithms could be generated for
160 use as TSIG keys, but that feature has been removed as of
161 BIND 9.13.0. Use <command>tsig-keygen</command> to generate
162 TSIG keys.
163 </para>
164 </listitem>
165 </varlistentry>
166
167 <varlistentry>
168 <term>-b <replaceable class="parameter">keysize</replaceable></term>
169 <listitem>
170 <para>
          Specifies the number of bits in the key. The choice of key
          size depends on the algorithm used. RSA keys must be
          between 1024 and 4096 bits. Diffie Hellman keys must be between
          128 and 4096 bits. Elliptic curve algorithms (ECDSAP256SHA256,
          ECDSAP384SHA384, ED25519 and ED448) have a key size fixed by
          the curve and do not need this parameter.
176 </para>
177 <para>
          If the key size is not specified, some algorithms have
          pre-defined defaults. For example, RSA keys for use as
          DNSSEC zone signing keys have a default size of 1024 bits;
          RSA keys for use as key signing keys (KSKs, generated with
          <option>-f KSK</option>) default to 2048 bits. Note that
          1024-bit RSA offers only a marginal security margin by
          current standards; when using RSA, consider specifying
          <option>-b 2048</option> or larger explicitly, or use an
          elliptic curve algorithm instead.
183 </para>
184 </listitem>
185 </varlistentry>
186
553ead32 187 <varlistentry>
188 <term>-C</term>
189 <listitem>
190 <para>
191 Compatibility mode: generates an old-style key, without any
192 timing metadata. By default, <command>dnssec-keygen</command>
193 will include the key's creation date in the metadata stored with
194 the private key, and other dates may be set there as well
195 (publication date, activation date, etc). Keys that include this
196 data may be incompatible with older versions of BIND; the
553ead32 197 <option>-C</option> option suppresses them.
198 </para>
199 </listitem>
200 </varlistentry>
201
0b062f49 202 <varlistentry>
203 <term>-c <replaceable class="parameter">class</replaceable></term>
204 <listitem>
205 <para>
206 Indicates that the DNS record containing the key should have
207 the specified class. If not specified, class IN is used.
208 </para>
209 </listitem>
210 </varlistentry>
211
8b78c993 212 <varlistentry>
213 <term>-E <replaceable class="parameter">engine</replaceable></term>
214 <listitem>
215 <para>
216 Specifies the cryptographic hardware to use, when applicable.
217 </para>
218 <para>
219 When BIND is built with OpenSSL PKCS#11 support, this defaults
220 to the string "pkcs11", which identifies an OpenSSL engine
          that can drive a cryptographic accelerator or hardware security
          module (HSM). When BIND is built with native PKCS#11 cryptography
223 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
224 provider library specified via "--with-pkcs11".
225 </para>
226 </listitem>
227 </varlistentry>
228
b0c15bd9 229 <varlistentry>
230 <term>-f <replaceable class="parameter">flag</replaceable></term>
231 <listitem>
232 <para>
233 Set the specified flag in the flag field of the KEY/DNSKEY record.
234 The only recognized flags are KSK (Key Signing Key) and REVOKE.
235 </para>
236 </listitem>
237 </varlistentry>
238
b843f577 239 <varlistentry>
240 <term>-G</term>
241 <listitem>
242 <para>
243 Generate a key, but do not publish it or sign with it. This
244 option is incompatible with -P and -A.
245 </para>
246 </listitem>
247 </varlistentry>
248
0b062f49 249 <varlistentry>
250 <term>-g <replaceable class="parameter">generator</replaceable></term>
251 <listitem>
252 <para>
253 If generating a Diffie Hellman key, use this generator.
254 Allowed values are 2 and 5. If no generator
255 is specified, a known prime from RFC 2539 will be used
256 if possible; otherwise the default is 2.
257 </para>
258 </listitem>
259 </varlistentry>
260
261 <varlistentry>
262 <term>-h</term>
263 <listitem>
264 <para>
265 Prints a short summary of the options and arguments to
266 <command>dnssec-keygen</command>.
267 </para>
268 </listitem>
269 </varlistentry>
270
553ead32 271 <varlistentry>
272 <term>-K <replaceable class="parameter">directory</replaceable></term>
273 <listitem>
274 <para>
275 Sets the directory in which the key files are to be written.
276 </para>
277 </listitem>
278 </varlistentry>
279
61bcc232 280 <varlistentry>
281 <term>-L <replaceable class="parameter">ttl</replaceable></term>
282 <listitem>
283 <para>
284 Sets the default TTL to use for this key when it is converted
285 into a DNSKEY RR. If the key is imported into a zone,
286 this is the TTL that will be used for it, unless there was
287 already a DNSKEY RRset in place, in which case the existing TTL
288 would take precedence. If this value is not set and there
289 is no existing DNSKEY RRset, the TTL will default to the
290 SOA TTL. Setting the default TTL to <literal>0</literal>
291 or <literal>none</literal> is the same as leaving it unset.
292 </para>
293 </listitem>
294 </varlistentry>
295
296 <varlistentry>
297 <term>-n <replaceable class="parameter">nametype</replaceable></term>
298 <listitem>
299 <para>
300 Specifies the owner type of the key. The value of
301 <option>nametype</option> must either be ZONE (for a DNSSEC
302 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
303 with a host (KEY)), USER (for a key associated with a
          user (KEY)) or OTHER (DNSKEY). These values are case
305 insensitive. Defaults to ZONE for DNSKEY generation.
306 </para>
307 </listitem>
308 </varlistentry>
309
0b062f49 310 <varlistentry>
311 <term>-p <replaceable class="parameter">protocol</replaceable></term>
312 <listitem>
313 <para>
314 Sets the protocol value for the generated key, for use
315 with <option>-T KEY</option>. The protocol is a number between 0
316 and 255. The default is 3 (DNSSEC). Other possible values for
317 this argument are listed in RFC 2535 and its successors.
318 </para>
319 </listitem>
320 </varlistentry>
321
c6d2578f 322 <varlistentry>
323 <term>-q</term>
324 <listitem>
325 <para>
326 Quiet mode: Suppresses unnecessary output, including
327 progress indication. Without this option, when
328 <command>dnssec-keygen</command> is run interactively
          to generate an RSA key pair, it will print a string
330 of symbols to <filename>stderr</filename> indicating the
331 progress of the key generation. A '.' indicates that a
332 random number has been found which passed an initial
333 sieve test; '+' means a number has passed a single
334 round of the Miller-Rabin primality test; a space
335 means that the number has passed all the tests and is
336 a satisfactory key.
337 </para>
338 </listitem>
339 </varlistentry>
340
c6f4972c 341 <varlistentry>
342 <term>-S <replaceable class="parameter">key</replaceable></term>
343 <listitem>
344 <para>
345 Create a new key which is an explicit successor to an
346 existing key. The name, algorithm, size, and type of the
347 key will be set to match the existing key. The activation
348 date of the new key will be set to the inactivation date of
349 the existing one. The publication date will be set to the
350 activation date minus the prepublication interval, which
351 defaults to 30 days.
352 </para>
353 </listitem>
354 </varlistentry>
355
0b062f49 356 <varlistentry>
357 <term>-s <replaceable class="parameter">strength</replaceable></term>
358 <listitem>
359 <para>
360 Specifies the strength value of the key. The strength is
361 a number between 0 and 15, and currently has no defined
362 purpose in DNSSEC.
363 </para>
364 </listitem>
365 </varlistentry>
366
553ead32 367 <varlistentry>
368 <term>-T <replaceable class="parameter">rrtype</replaceable></term>
369 <listitem>
370 <para>
371 Specifies the resource record type to use for the key.
372 <option>rrtype</option> must be either DNSKEY or KEY. The
373 default is DNSKEY when using a DNSSEC algorithm, but it can be
374 overridden to KEY for use with SIG(0).
375 </para>
376 </listitem>
377 </varlistentry>
378
0b062f49 379 <varlistentry>
380 <term>-t <replaceable class="parameter">type</replaceable></term>
381 <listitem>
382 <para>
383 Indicates the use of the key, for use with <option>-T
384 KEY</option>. <option>type</option> must be one of AUTHCONF,
385 NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
386 refers to the ability to authenticate data, and CONF the ability
387 to encrypt data.
388 </para>
389 </listitem>
390 </varlistentry>
391
392 <varlistentry>
1954f8d2 393 <term>-V</term>
394 <listitem>
395 <para>
1954f8d2 396 Prints version information.
397 </para>
398 </listitem>
399 </varlistentry>
400
42782931 401 <varlistentry>
1954f8d2 402 <term>-v <replaceable class="parameter">level</replaceable></term>
e939674d 403 <listitem>
42782931 404 <para>
1954f8d2 405 Sets the debugging level.
42782931 406 </para>
e939674d 407 </listitem>
408 </varlistentry>
409
0b062f49 410 </variablelist>
14a656f9 411 </refsection>
0b062f49 412
14a656f9 413 <refsection><info><title>TIMING OPTIONS</title></info>
30eec077 414
415
416 <para>
417 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
418 If the argument begins with a '+' or '-', it is interpreted as
419 an offset from the present time. For convenience, if such an offset
420 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
421 then the offset is computed in years (defined as 365 24-hour days,
422 ignoring leap years), months (defined as 30 24-hour days), weeks,
423 days, hours, or minutes, respectively. Without a suffix, the offset
424 is computed in seconds. To explicitly prevent a date from being
425 set, use 'none' or 'never'.
426 </para>
427
428 <variablelist>
429 <varlistentry>
430 <term>-P <replaceable class="parameter">date/offset</replaceable></term>
431 <listitem>
432 <para>
433 Sets the date on which a key is to be published to the zone.
434 After that date, the key will be included in the zone but will
435 not be used to sign it. If not set, and if the -G option has
436 not been used, the default is "now".
437 </para>
438 </listitem>
439 </varlistentry>
440
441 <varlistentry>
442 <term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
443 <listitem>
444 <para>
445 Sets the date on which CDS and CDNSKEY records that match this
446 key are to be published to the zone.
447 </para>
448 </listitem>
449 </varlistentry>
450
451 <varlistentry>
452 <term>-A <replaceable class="parameter">date/offset</replaceable></term>
453 <listitem>
454 <para>
455 Sets the date on which the key is to be activated. After that
456 date, the key will be included in the zone and used to sign
457 it. If not set, and if the -G option has not been used, the
          default is "now". If set, and if -P is not set, then
459 the publication date will be set to the activation date
460 minus the prepublication interval.
461 </para>
462 </listitem>
463 </varlistentry>
464
465 <varlistentry>
466 <term>-R <replaceable class="parameter">date/offset</replaceable></term>
467 <listitem>
468 <para>
          Sets the date on which the key is to be revoked. After that
          date, the key will be flagged as revoked (its REVOKE flag is
          set, as used by RFC 5011 automated trust anchor updates). It
          will still be included in the zone and used to sign it, so
          that validators can verify the self-signed revocation.
472 </para>
473 </listitem>
474 </varlistentry>
475
476 <varlistentry>
477 <term>-I <replaceable class="parameter">date/offset</replaceable></term>
478 <listitem>
479 <para>
480 Sets the date on which the key is to be retired. After that
481 date, the key will still be included in the zone, but it
482 will not be used to sign it.
483 </para>
484 </listitem>
485 </varlistentry>
486
487 <varlistentry>
488 <term>-D <replaceable class="parameter">date/offset</replaceable></term>
489 <listitem>
490 <para>
491 Sets the date on which the key is to be deleted. After that
492 date, the key will no longer be included in the zone. (It
493 may remain in the key repository, however.)
494 </para>
495 </listitem>
496 </varlistentry>
497
498 <varlistentry>
499 <term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
500 <listitem>
501 <para>
502 Sets the date on which the CDS and CDNSKEY records that match this
503 key are to be deleted.
504 </para>
505 </listitem>
553ead32 506 </varlistentry>
507
508 <varlistentry>
509 <term>-i <replaceable class="parameter">interval</replaceable></term>
510 <listitem>
511 <para>
512 Sets the prepublication interval for a key. If set, then
513 the publication and activation dates must be separated by at least
514 this much time. If the activation date is specified but the
515 publication date isn't, then the publication date will default
516 to this much time before the activation date; conversely, if
517 the publication date is specified but activation date isn't,
518 then activation will be set to this much time after publication.
519 </para>
520 <para>
521 If the key is being created as an explicit successor to another
522 key, then the default prepublication interval is 30 days;
523 otherwise it is zero.
524 </para>
525 <para>
526 As with date offsets, if the argument is followed by one of
527 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
528 interval is measured in years, months, weeks, days, hours,
529 or minutes, respectively. Without a suffix, the interval is
530 measured in seconds.
531 </para>
532 </listitem>
533 </varlistentry>
534
553ead32 535 </variablelist>
14a656f9 536 </refsection>
537
538
14a656f9 539 <refsection><info><title>GENERATED KEYS</title></info>
30eec077 540
0b062f49 541 <para>
542 When <command>dnssec-keygen</command> completes
543 successfully,
544 it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
545 to the standard output. This is an identification string for
79399226 546 the key it has generated.
0b062f49 547 </para>
548 <itemizedlist>
549 <listitem>
550 <para><filename>nnnn</filename> is the key name.
551 </para>
552 </listitem>
553 <listitem>
554 <para><filename>aaa</filename> is the numeric representation
555 of the
556 algorithm.
557 </para>
558 </listitem>
559 <listitem>
560 <para><filename>iiiii</filename> is the key identifier (or
561 footprint).
562 </para>
563 </listitem>
564 </itemizedlist>
30eec077 565 <para><command>dnssec-keygen</command>
561a29af 566 creates two files, with names based
567 on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
568 contains the public key, and
569 <filename>Knnnn.+aaa+iiiii.private</filename> contains the
570 private
571 key.
572 </para>
573 <para>
574 The <filename>.key</filename> file contains a DNSKEY or KEY record.
575 When a zone is being signed by <command>named</command>
576 or <command>dnssec-signzone</command> <option>-S</option>, DNSKEY
577 records are included automatically. In other cases,
578 the <filename>.key</filename> file can be inserted into a zone file
579 manually or with a <userinput>$INCLUDE</userinput> statement.
580 </para>
581 <para>
      The <filename>.private</filename> file contains the
      algorithm-specific private key
      fields. Because anyone who can read this file can produce
      signatures as this key, it is written without general read
      permission; keep it (and the directory given with
      <option>-K</option>) readable only by the account that manages
      the keys, and never insert it into a zone file — only the
      <filename>.key</filename> file is meant to be published.
0b062f49 586 </para>
14a656f9 587 </refsection>
0b062f49 588
14a656f9 589 <refsection><info><title>EXAMPLE</title></info>
30eec077 590
0b062f49 591 <para>
592 To generate an ECDSAP256SHA256 zone-signing key for the zone
593 <userinput>example.com</userinput>, issue the command:
0b062f49 594 </para>
595 <para>
596 <userinput>dnssec-keygen -a ECDSAP256SHA256 example.com</userinput>
597 </para>
598 <para>
268a4475 599 The command would print a string of the form:
0b062f49 600 </para>
07370798 601 <para><userinput>Kexample.com.+013+26160</userinput>
602 </para>
603 <para>
268a4475 604 In this example, <command>dnssec-keygen</command> creates
07370798 605 the files <filename>Kexample.com.+013+26160.key</filename>
268a4475 606 and
07370798 607 <filename>Kexample.com.+013+26160.private</filename>.
0b062f49 608 </para>
609 <para>
610 To generate a matching key-signing key, issue the command:
611 </para>
612 <para>
613 <userinput>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</userinput>
614 </para>
14a656f9 615 </refsection>
0b062f49 616
14a656f9 617 <refsection><info><title>SEE ALSO</title></info>
30eec077 618
268a4475 619 <para><citerefentry>
e939674d 620 <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
621 </citerefentry>,
622 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
733531b6 623 <citetitle>RFC 2539</citetitle>,
0b062f49 624 <citetitle>RFC 2845</citetitle>,
cc6cddfd 625 <citetitle>RFC 4034</citetitle>.
0b062f49 626 </para>
14a656f9 627 </refsection>
0b062f49 628
14a656f9 629</refentry>