d4ef6505 1<!--
843d3896 2 - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
d4ef6505 3 -
4 - This Source Code Form is subject to the terms of the Mozilla Public
5 - License, v. 2.0. If a copy of the MPL was not distributed with this
6 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 -
8 - See the COPYRIGHT file distributed with this work for additional
9 - information regarding copyright ownership.
d4ef6505 10-->
2eeb74d1 11
14a656f9 12<!-- Converted by db4-upgrade version 1.0 -->
1b8ce3b3 13<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keygen">
14 <info>
15 <date>2014-02-06</date>
16 </info>
0b062f49 17 <refentryinfo>
e939674d 18 <date>August 21, 2015</date>
19 <corpname>ISC</corpname>
20 <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
21 </refentryinfo>
22
23 <refmeta>
24 <refentrytitle><application>dnssec-keygen</application></refentrytitle>
25 <manvolnum>8</manvolnum>
26 <refmiscinfo>BIND9</refmiscinfo>
27 </refmeta>
28
29 <refnamediv>
30 <refname><application>dnssec-keygen</application></refname>
31 <refpurpose>DNSSEC key generation tool</refpurpose>
32 </refnamediv>
33
34 <docinfo>
35 <copyright>
36 <year>2000</year>
37 <year>2001</year>
38 <year>2002</year>
39 <year>2003</year>
40 <year>2004</year>
41 <year>2005</year>
c1a883f2 42 <year>2007</year>
3398334b 43 <year>2008</year>
dde86591 44 <year>2009</year>
f428e385 45 <year>2010</year>
207cee01 46 <year>2011</year>
99d8f5a7 47 <year>2012</year>
6ea23853 48 <year>2014</year>
a6ca1009 49 <year>2015</year>
1c6d1ca3 50 <year>2016</year>
6ce8a05f 51 <year>2017</year>
19b7c049 52 <year>2018</year>
dc64b706 53 <year>2019</year>
54 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
55 </copyright>
56 </docinfo>
57
0b062f49 58 <refsynopsisdiv>
14a656f9 59 <cmdsynopsis sepchar=" ">
0b062f49 60 <command>dnssec-keygen</command>
61 <arg choice="opt" rep="norepeat"><option>-3</option></arg>
62 <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
63 <arg rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
64 <arg choice="opt" rep="norepeat"><option>-b <replaceable class="parameter">keysize</replaceable></option></arg>
65 <arg choice="opt" rep="norepeat"><option>-C</option></arg>
66 <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
67 <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d 68 <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
69 <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
70 <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
71 <arg choice="opt" rep="norepeat"><option>-G</option></arg>
72 <arg choice="opt" rep="norepeat"><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
73 <arg choice="opt" rep="norepeat"><option>-h</option></arg>
74 <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
75 <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
76 <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
14a656f9 77 <arg choice="opt" rep="norepeat"><option>-k</option></arg>
e939674d 78 <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
1954f8d2 79 <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
14a656f9 80 <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d 81 <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
82 <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
83 <arg choice="opt" rep="norepeat"><option>-q</option></arg>
84 <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
85 <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
86 <arg choice="opt" rep="norepeat"><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
 <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">rrtype</replaceable></option></arg>
 87 <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
14a656f9 88 <arg choice="opt" rep="norepeat"><option>-V</option></arg>
e939674d 89 <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
14a656f9 90 <arg choice="req" rep="norepeat">name</arg>
91 </cmdsynopsis>
92 </refsynopsisdiv>
93
14a656f9 94 <refsection><info><title>DESCRIPTION</title></info>
30eec077 95
96 <para><command>dnssec-keygen</command>
97 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
561a29af 98 and RFC 4034. It can also generate keys for use with
99 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
100 (Transaction Key) as defined in RFC 2930.
0b062f49 101 </para>
102 <para>
103 The <option>name</option> of the key is specified on the command
104 line. For DNSSEC keys, this must match the name of the zone for
105 which the key is being generated.
106 </para>
107 <para>
108 The <command>dnssec-keymgr</command> command acts as a wrapper
109 around <command>dnssec-keygen</command>, generating and updating keys
110 as needed to enforce defined security policies such as key rollover
111 scheduling. Using <command>dnssec-keymgr</command> may be preferable
112 to direct use of <command>dnssec-keygen</command>.
113 </para>
14a656f9 114 </refsection>
0b062f49 115
14a656f9 116 <refsection><info><title>OPTIONS</title></info>
30eec077 117
118
119 <variablelist>
120
121 <varlistentry>
122 <term>-3</term>
123 <listitem>
124 <para>
125 Use an NSEC3-capable algorithm to generate a DNSSEC key.
126 If this option is used with an algorithm that has both
127 NSEC and NSEC3 versions, then the NSEC3 version will be
128 used; for example, <command>dnssec-keygen -3a RSASHA1</command>
129 specifies the NSEC3RSASHA1 algorithm.
130 </para>
131 </listitem>
132 </varlistentry>
133
0b062f49 134 <varlistentry>
135 <term>-a <replaceable class="parameter">algorithm</replaceable></term>
136 <listitem>
137 <para>
138 Selects the cryptographic algorithm. For DNSSEC keys, the value
e69dc0db 139 of <option>algorithm</option> must be one of RSASHA1,
d6c50674 140 NSEC3RSASHA1, RSASHA256, RSASHA512,
45afdb26 141 ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
142 TKEY, the value must be DH (Diffie Hellman); specifying
 143 this value will automatically set the <option>-T KEY</option>
144 option as well.
21761bfe 145 </para>
e939674d 146 <para>
147 These values are case insensitive. In some cases, abbreviations
148 are supported, such as ECDSA256 for ECDSAP256SHA256 and
d6c50674 149 ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
45afdb26 150 along with the <option>-3</option> option, then NSEC3RSASHA1
d6c50674 151 will be used instead.
152 </para>
153 <para>
154 This parameter <emphasis>must</emphasis> be specified except
155 when using the <option>-S</option> option, which copies the
156 algorithm from the predecessor key.
157 </para>
158 <para>
159 In prior releases, HMAC algorithms could be generated for
160 use as TSIG keys, but that feature has been removed as of
161 BIND 9.13.0. Use <command>tsig-keygen</command> to generate
162 TSIG keys.
163 </para>
164 </listitem>
165 </varlistentry>
166
167 <varlistentry>
168 <term>-b <replaceable class="parameter">keysize</replaceable></term>
169 <listitem>
170 <para>
171 Specifies the number of bits in the key. The choice of key
172 size depends on the algorithm used. RSA keys must be
173 between 1024 and 4096 bits. Diffie Hellman keys must be between
174 128 and 4096 bits. Elliptic curve algorithms don't need this
175 parameter.
176 </para>
177 <para>
45afdb26 178 If the key size is not specified, some algorithms have
179 pre-defined defaults. For instance, RSA keys have a default
180 size of 2048 bits.
181 </para>
182 </listitem>
183 </varlistentry>
184
553ead32 185 <varlistentry>
186 <term>-C</term>
187 <listitem>
188 <para>
189 Compatibility mode: generates an old-style key, without any
190 timing metadata. By default, <command>dnssec-keygen</command>
191 will include the key's creation date in the metadata stored with
192 the private key, and other dates may be set there as well
193 (publication date, activation date, etc). Keys that include this
194 data may be incompatible with older versions of BIND; the
553ead32 195 <option>-C</option> option suppresses them.
196 </para>
197 </listitem>
198 </varlistentry>
199
0b062f49 200 <varlistentry>
201 <term>-c <replaceable class="parameter">class</replaceable></term>
202 <listitem>
203 <para>
204 Indicates that the DNS record containing the key should have
205 the specified class. If not specified, class IN is used.
206 </para>
207 </listitem>
208 </varlistentry>
209
8b78c993 210 <varlistentry>
211 <term>-E <replaceable class="parameter">engine</replaceable></term>
212 <listitem>
213 <para>
214 Specifies the cryptographic hardware to use, when applicable.
215 </para>
216 <para>
217 When BIND is built with OpenSSL PKCS#11 support, this defaults
218 to the string "pkcs11", which identifies an OpenSSL engine
 219 that can drive a cryptographic accelerator or hardware security
220 module. When BIND is built with native PKCS#11 cryptography
221 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
222 provider library specified via "--with-pkcs11".
223 </para>
224 </listitem>
225 </varlistentry>
226
b0c15bd9 227 <varlistentry>
228 <term>-f <replaceable class="parameter">flag</replaceable></term>
229 <listitem>
230 <para>
231 Set the specified flag in the flag field of the KEY/DNSKEY record.
232 The only recognized flags are KSK (Key Signing Key) and REVOKE.
233 </para>
234 </listitem>
235 </varlistentry>
236
b843f577 237 <varlistentry>
238 <term>-G</term>
239 <listitem>
240 <para>
241 Generate a key, but do not publish it or sign with it. This
242 option is incompatible with -P and -A.
243 </para>
244 </listitem>
245 </varlistentry>
246
0b062f49 247 <varlistentry>
248 <term>-g <replaceable class="parameter">generator</replaceable></term>
249 <listitem>
250 <para>
251 If generating a Diffie Hellman key, use this generator.
252 Allowed values are 2 and 5. If no generator
253 is specified, a known prime from RFC 2539 will be used
254 if possible; otherwise the default is 2.
255 </para>
256 </listitem>
257 </varlistentry>
258
259 <varlistentry>
260 <term>-h</term>
261 <listitem>
262 <para>
263 Prints a short summary of the options and arguments to
264 <command>dnssec-keygen</command>.
265 </para>
266 </listitem>
267 </varlistentry>
268
553ead32 269 <varlistentry>
270 <term>-K <replaceable class="parameter">directory</replaceable></term>
271 <listitem>
272 <para>
273 Sets the directory in which the key files are to be written.
274 </para>
275 </listitem>
276 </varlistentry>
277
61bcc232 278 <varlistentry>
279 <term>-L <replaceable class="parameter">ttl</replaceable></term>
280 <listitem>
281 <para>
282 Sets the default TTL to use for this key when it is converted
283 into a DNSKEY RR. If the key is imported into a zone,
284 this is the TTL that will be used for it, unless there was
285 already a DNSKEY RRset in place, in which case the existing TTL
286 would take precedence. If this value is not set and there
287 is no existing DNSKEY RRset, the TTL will default to the
288 SOA TTL. Setting the default TTL to <literal>0</literal>
289 or <literal>none</literal> is the same as leaving it unset.
290 </para>
291 </listitem>
292 </varlistentry>
293
294 <varlistentry>
295 <term>-n <replaceable class="parameter">nametype</replaceable></term>
296 <listitem>
297 <para>
 298 Specifies the owner type of the key. The value of
 299 <option>nametype</option> must be one of ZONE (for a DNSSEC
 300 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
 301 with a host (KEY)), USER (for a key associated with a
 302 user (KEY)), or OTHER (DNSKEY). These values are case
 303 insensitive. The default is ZONE for DNSKEY generation.
304 </para>
305 </listitem>
306 </varlistentry>
307
0b062f49 308 <varlistentry>
309 <term>-p <replaceable class="parameter">protocol</replaceable></term>
310 <listitem>
311 <para>
312 Sets the protocol value for the generated key, for use
313 with <option>-T KEY</option>. The protocol is a number between 0
314 and 255. The default is 3 (DNSSEC). Other possible values for
315 this argument are listed in RFC 2535 and its successors.
316 </para>
317 </listitem>
318 </varlistentry>
319
c6d2578f 320 <varlistentry>
321 <term>-q</term>
322 <listitem>
323 <para>
324 Quiet mode: Suppresses unnecessary output, including
325 progress indication. Without this option, when
326 <command>dnssec-keygen</command> is run interactively
327 to generate an RSA or DSA key pair, it will print a string
328 of symbols to <filename>stderr</filename> indicating the
329 progress of the key generation. A '.' indicates that a
330 random number has been found which passed an initial
331 sieve test; '+' means a number has passed a single
332 round of the Miller-Rabin primality test; a space
333 means that the number has passed all the tests and is
334 a satisfactory key.
335 </para>
336 </listitem>
337 </varlistentry>
338
c6f4972c 339 <varlistentry>
340 <term>-S <replaceable class="parameter">key</replaceable></term>
341 <listitem>
342 <para>
343 Create a new key which is an explicit successor to an
344 existing key. The name, algorithm, size, and type of the
345 key will be set to match the existing key. The activation
346 date of the new key will be set to the inactivation date of
347 the existing one. The publication date will be set to the
348 activation date minus the prepublication interval, which
349 defaults to 30 days.
350 </para>
351 </listitem>
352 </varlistentry>
353
0b062f49 354 <varlistentry>
355 <term>-s <replaceable class="parameter">strength</replaceable></term>
356 <listitem>
357 <para>
358 Specifies the strength value of the key. The strength is
359 a number between 0 and 15, and currently has no defined
360 purpose in DNSSEC.
361 </para>
362 </listitem>
363 </varlistentry>
364
553ead32 365 <varlistentry>
366 <term>-T <replaceable class="parameter">rrtype</replaceable></term>
367 <listitem>
368 <para>
369 Specifies the resource record type to use for the key.
370 <option>rrtype</option> must be either DNSKEY or KEY. The
371 default is DNSKEY when using a DNSSEC algorithm, but it can be
372 overridden to KEY for use with SIG(0).
373 </para>
374 </listitem>
375 </varlistentry>
376
0b062f49 377 <varlistentry>
378 <term>-t <replaceable class="parameter">type</replaceable></term>
379 <listitem>
380 <para>
381 Indicates the use of the key, for use with <option>-T
382 KEY</option>. <option>type</option> must be one of AUTHCONF,
383 NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
384 refers to the ability to authenticate data, and CONF the ability
385 to encrypt data.
386 </para>
387 </listitem>
388 </varlistentry>
389
390 <varlistentry>
1954f8d2 391 <term>-V</term>
392 <listitem>
393 <para>
1954f8d2 394 Prints version information.
395 </para>
396 </listitem>
397 </varlistentry>
398
42782931 399 <varlistentry>
1954f8d2 400 <term>-v <replaceable class="parameter">level</replaceable></term>
e939674d 401 <listitem>
42782931 402 <para>
1954f8d2 403 Sets the debugging level.
42782931 404 </para>
e939674d 405 </listitem>
406 </varlistentry>
407
0b062f49 408 </variablelist>
14a656f9 409 </refsection>
0b062f49 410
14a656f9 411 <refsection><info><title>TIMING OPTIONS</title></info>
30eec077 412
413
414 <para>
415 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
416 If the argument begins with a '+' or '-', it is interpreted as
417 an offset from the present time. For convenience, if such an offset
418 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
419 then the offset is computed in years (defined as 365 24-hour days,
420 ignoring leap years), months (defined as 30 24-hour days), weeks,
421 days, hours, or minutes, respectively. Without a suffix, the offset
422 is computed in seconds. To explicitly prevent a date from being
423 set, use 'none' or 'never'.
424 </para>
425
426 <variablelist>
427 <varlistentry>
428 <term>-P <replaceable class="parameter">date/offset</replaceable></term>
429 <listitem>
430 <para>
431 Sets the date on which a key is to be published to the zone.
432 After that date, the key will be included in the zone but will
433 not be used to sign it. If not set, and if the -G option has
434 not been used, the default is "now".
435 </para>
436 </listitem>
437 </varlistentry>
438
439 <varlistentry>
440 <term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
441 <listitem>
442 <para>
443 Sets the date on which CDS and CDNSKEY records that match this
444 key are to be published to the zone.
445 </para>
446 </listitem>
447 </varlistentry>
448
449 <varlistentry>
450 <term>-A <replaceable class="parameter">date/offset</replaceable></term>
451 <listitem>
452 <para>
453 Sets the date on which the key is to be activated. After that
454 date, the key will be included in the zone and used to sign
455 it. If not set, and if the -G option has not been used, the
 456 default is "now". If set, and if -P is not set, then
457 the publication date will be set to the activation date
458 minus the prepublication interval.
459 </para>
460 </listitem>
461 </varlistentry>
462
463 <varlistentry>
464 <term>-R <replaceable class="parameter">date/offset</replaceable></term>
465 <listitem>
466 <para>
467 Sets the date on which the key is to be revoked. After that
468 date, the key will be flagged as revoked. It will be included
469 in the zone and will be used to sign it.
470 </para>
471 </listitem>
472 </varlistentry>
473
474 <varlistentry>
475 <term>-I <replaceable class="parameter">date/offset</replaceable></term>
476 <listitem>
477 <para>
478 Sets the date on which the key is to be retired. After that
479 date, the key will still be included in the zone, but it
480 will not be used to sign it.
481 </para>
482 </listitem>
483 </varlistentry>
484
485 <varlistentry>
486 <term>-D <replaceable class="parameter">date/offset</replaceable></term>
487 <listitem>
488 <para>
489 Sets the date on which the key is to be deleted. After that
490 date, the key will no longer be included in the zone. (It
491 may remain in the key repository, however.)
492 </para>
493 </listitem>
494 </varlistentry>
495
496 <varlistentry>
497 <term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
498 <listitem>
499 <para>
500 Sets the date on which the CDS and CDNSKEY records that match this
501 key are to be deleted.
502 </para>
503 </listitem>
553ead32 504 </varlistentry>
505
506 <varlistentry>
507 <term>-i <replaceable class="parameter">interval</replaceable></term>
508 <listitem>
509 <para>
510 Sets the prepublication interval for a key. If set, then
511 the publication and activation dates must be separated by at least
512 this much time. If the activation date is specified but the
513 publication date isn't, then the publication date will default
514 to this much time before the activation date; conversely, if
515 the publication date is specified but activation date isn't,
516 then activation will be set to this much time after publication.
517 </para>
518 <para>
519 If the key is being created as an explicit successor to another
520 key, then the default prepublication interval is 30 days;
521 otherwise it is zero.
522 </para>
523 <para>
524 As with date offsets, if the argument is followed by one of
525 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
526 interval is measured in years, months, weeks, days, hours,
527 or minutes, respectively. Without a suffix, the interval is
528 measured in seconds.
529 </para>
530 </listitem>
531 </varlistentry>
532
553ead32 533 </variablelist>
14a656f9 534 </refsection>
535
536
14a656f9 537 <refsection><info><title>GENERATED KEYS</title></info>
30eec077 538
0b062f49 539 <para>
540 When <command>dnssec-keygen</command> completes
541 successfully,
542 it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
543 to the standard output. This is an identification string for
79399226 544 the key it has generated.
0b062f49 545 </para>
546 <itemizedlist>
547 <listitem>
548 <para><filename>nnnn</filename> is the key name.
549 </para>
550 </listitem>
551 <listitem>
552 <para><filename>aaa</filename> is the numeric representation
553 of the
554 algorithm.
555 </para>
556 </listitem>
557 <listitem>
558 <para><filename>iiiii</filename> is the key identifier (or
559 footprint).
560 </para>
561 </listitem>
562 </itemizedlist>
30eec077 563 <para><command>dnssec-keygen</command>
561a29af 564 creates two files, with names based
565 on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
566 contains the public key, and
567 <filename>Knnnn.+aaa+iiiii.private</filename> contains the
568 private
569 key.
570 </para>
571 <para>
572 The <filename>.key</filename> file contains a DNSKEY or KEY record.
573 When a zone is being signed by <command>named</command>
574 or <command>dnssec-signzone</command> <option>-S</option>, DNSKEY
575 records are included automatically. In other cases,
576 the <filename>.key</filename> file can be inserted into a zone file
577 manually or with a <userinput>$INCLUDE</userinput> statement.
578 </para>
579 <para>
580 The <filename>.private</filename> file contains
581 algorithm-specific
 582 fields. Because it contains the private key, this file does not
 583 have general read permission.
0b062f49 584 </para>
14a656f9 585 </refsection>
0b062f49 586
14a656f9 587 <refsection><info><title>EXAMPLE</title></info>
30eec077 588
0b062f49 589 <para>
590 To generate an ECDSAP256SHA256 zone-signing key for the zone
591 <userinput>example.com</userinput>, issue the command:
0b062f49 592 </para>
593 <para>
594 <userinput>dnssec-keygen -a ECDSAP256SHA256 example.com</userinput>
595 </para>
596 <para>
268a4475 597 The command would print a string of the form:
0b062f49 598 </para>
07370798 599 <para><userinput>Kexample.com.+013+26160</userinput>
600 </para>
601 <para>
268a4475 602 In this example, <command>dnssec-keygen</command> creates
07370798 603 the files <filename>Kexample.com.+013+26160.key</filename>
268a4475 604 and
07370798 605 <filename>Kexample.com.+013+26160.private</filename>.
0b062f49 606 </para>
607 <para>
608 To generate a matching key-signing key, issue the command:
609 </para>
610 <para>
611 <userinput>dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com</userinput>
612 </para>
14a656f9 613 </refsection>
0b062f49 614
14a656f9 615 <refsection><info><title>SEE ALSO</title></info>
30eec077 616
268a4475 617 <para><citerefentry>
e939674d 618 <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
619 </citerefentry>,
620 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
733531b6 621 <citetitle>RFC 2539</citetitle>,
0b062f49 622 <citetitle>RFC 2845</citetitle>,
cc6cddfd 623 <citetitle>RFC 4034</citetitle>.
0b062f49 624 </para>
14a656f9 625 </refsection>
0b062f49 626
14a656f9 627</refentry>