
Annotation of src/external/mpl/bind/dist/doc/arm/man.dnssec-keygen.html, Revision 1.1.1.2

1.1       christos    1: <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
                      2: <!--
                      3:  - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
                      4:  -
                      5:  - This Source Code Form is subject to the terms of the Mozilla Public
                      6:  - License, v. 2.0. If a copy of the MPL was not distributed with this
                      7:  - file, You can obtain one at http://mozilla.org/MPL/2.0/.
                      8: -->
                      9: <html lang="en">
                     10: <head>
                     11: <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
                     12: <title>dnssec-keygen</title>
                     13: <meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
                     14: <link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
                     15: <link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
                     16: <link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
                     17: <link rel="next" href="man.dnssec-keymgr.html" title="dnssec-keymgr">
                     18: </head>
                     19: <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
                     20: <div class="navheader">
                     21: <table width="100%" summary="Navigation header">
                     22: <tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
                     23: <tr>
                     24: <td width="20%" align="left">
                     25: <a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
                     26: <th width="60%" align="center">Manual pages</th>
                     27: <td width="20%" align="right"> <a accesskey="n" href="man.dnssec-keymgr.html">Next</a>
                     28: </td>
                     29: </tr>
                     30: </table>
                     31: <hr>
                     32: </div>
                     33: <div class="refentry">
                     34: <a name="man.dnssec-keygen"></a><div class="titlepage"></div>
                     35:
                     36:
                     37:
                     38:
                     39:
                     40:   <div class="refnamediv">
                     41: <h2>Name</h2>
                     42: <p>
                     43:     <span class="application">dnssec-keygen</span>
                     44:      &#8212; DNSSEC key generation tool
                     45:   </p>
                     46: </div>
                     47:
                     48:
                     49:
                     50:   <div class="refsynopsisdiv">
                     51: <h2>Synopsis</h2>
                     52:     <div class="cmdsynopsis"><p>
                     53:       <code class="command">dnssec-keygen</code>
                     54:        [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
                     55:        [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>]
                     56:        [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
                     57:        [<code class="option">-3</code>]
                     58:        [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
                     59:        [<code class="option">-C</code>]
                     60:        [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
                     61:        [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
                     62:        [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
                     63:        [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
                     64:        [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
                     65:        [<code class="option">-G</code>]
                     66:        [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>]
                     67:        [<code class="option">-h</code>]
                     68:        [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
                     69:        [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
                     70:        [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
                     71:        [<code class="option">-k</code>]
                     72:        [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
                     73:        [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
                     74:        [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
                     75:        [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
                     76:        [<code class="option">-q</code>]
                     77:        [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
                     78:        [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
                     79:        [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>]
                      80:        [<code class="option">-T <em class="replaceable"><code>rrtype</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
                     81:        [<code class="option">-V</code>]
                     82:        [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
                     83:        [<code class="option">-z</code>]
                     84:        {name}
                     85:     </p></div>
                     86:   </div>
                     87:
                     88:   <div class="refsection">
                     89: <a name="id-1.13.12.7"></a><h2>DESCRIPTION</h2>
                     90:
                     91:     <p><span class="command"><strong>dnssec-keygen</strong></span>
                     92:       generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
                     93:       and RFC 4034.  It can also generate keys for use with
                     94:       TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
                     95:       (Transaction Key) as defined in RFC 2930.
                     96:     </p>
                     97:     <p>
                     98:       The <code class="option">name</code> of the key is specified on the command
                     99:       line.  For DNSSEC keys, this must match the name of the zone for
                    100:       which the key is being generated.
                    101:     </p>
                    102:     <p>
                    103:       The <span class="command"><strong>dnssec-keymgr</strong></span> command acts as a wrapper
                    104:       around <span class="command"><strong>dnssec-keygen</strong></span>, generating and updating keys
                    105:       as needed to enforce defined security policies such as key rollover
                    106:       scheduling. Using <span class="command"><strong>dnssec-keymgr</strong></span> may be preferable
                    107:       to direct use of <span class="command"><strong>dnssec-keygen</strong></span>.
                    108:     </p>
                    109:   </div>
                    110:
                    111:   <div class="refsection">
                    112: <a name="id-1.13.12.8"></a><h2>OPTIONS</h2>
                    113:
                    114:
                    115:     <div class="variablelist"><dl class="variablelist">
                    116: <dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
                    117: <dd>
                    118:          <p>
                    119:            Selects the cryptographic algorithm.  For DNSSEC keys, the value
                    120:            of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
1.1.1.2 ! christos  121:            NSEC3RSASHA1, RSASHA256, RSASHA512,
1.1       christos  122:            ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.  For
                     123:            TKEY, the value must be DH (Diffie Hellman); specifying
                     124:            this value will automatically set the <code class="option">-T KEY</code>
                     125:            option as well.  Note that RSAMD5 has been deprecated for DNSSEC use (RFC 6725) and is listed only for compatibility with existing keys; for new keys prefer RSASHA256, RSASHA512 or one of the elliptic-curve algorithms.
                    126:          </p>
                    127:          <p>
                    128:            These values are case insensitive. In some cases, abbreviations
                    129:            are supported, such as ECDSA256 for ECDSAP256SHA256 and
1.1.1.2 ! christos  130:            ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
1.1       christos  131:            along with the <code class="option">-3</code> option, then NSEC3RSASHA1
1.1.1.2 ! christos  132:            will be used instead.
        !           133:          </p>
        !           134:          <p>
        !           135:            This parameter <span class="emphasis"><em>must</em></span> be specified except
        !           136:            when using the <code class="option">-S</code> option, which copies the
        !           137:            algorithm from the predecessor key.
1.1       christos  138:          </p>
                    139:          <p>
1.1.1.2 ! christos  140:            In prior releases, HMAC algorithms could be generated for
        !           141:            use as TSIG keys, but that feature has been removed as of
        !           142:            BIND 9.13.0. Use <span class="command"><strong>tsig-keygen</strong></span> to generate
        !           143:            TSIG keys.
1.1       christos  144:          </p>
                    145:        </dd>
                    146: <dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
                    147: <dd>
                    148:          <p>
                    149:            Specifies the number of bits in the key.  The choice of key
                    150:            size depends on the algorithm used.  RSA keys must be
                    151:            between 1024 and 2048 bits.  Diffie Hellman keys must be between
                    152:            128 and 4096 bits.  DSA keys must be between 512 and 1024
                     153:            bits and an exact multiple of 64.  HMAC keys must be
                     154:            between 1 and 512 bits (note that HMAC key generation has been removed from this tool; see <code class="option">-a</code>).  Elliptic curve algorithms have a fixed key size and do not need
                     155:            this parameter.
                    156:          </p>
                    157:          <p>
                     158:            If the key size is not specified, some algorithms have
                     159:            pre-defined defaults.  For example, RSA keys for use as
                     160:            DNSSEC zone signing keys have a default size of 1024 bits;
                     161:            RSA keys for use as key signing keys (KSKs, generated with
                     162:            <code class="option">-f KSK</code>) default to 2048 bits.  Because 1024 bits is the smallest RSA size this tool accepts, consider passing <code class="option">-b</code> explicitly (for example <code class="option">-b 2048</code>) for zone signing keys rather than relying on this default.
                    163:          </p>
                    164:        </dd>
                    165: <dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
                    166: <dd>
                    167:          <p>
                    168:            Specifies the owner type of the key.  The value of
                    169:            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
                    170:            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
                     171:            with a host (KEY)), USER (for a key associated with a
                     172:            user (KEY)) or OTHER (DNSKEY).  These values are case
                    173:            insensitive.  Defaults to ZONE for DNSKEY generation.
                    174:          </p>
                    175:        </dd>
                    176: <dt><span class="term">-3</span></dt>
                    177: <dd>
                    178:          <p>
                    179:            Use an NSEC3-capable algorithm to generate a DNSSEC key.
                    180:            If this option is used with an algorithm that has both
                    181:            NSEC and NSEC3 versions, then the NSEC3 version will be
                    182:            used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
                    183:            specifies the NSEC3RSASHA1 algorithm.
                    184:          </p>
                    185:        </dd>
                    186: <dt><span class="term">-C</span></dt>
                    187: <dd>
                    188:          <p>
                    189:            Compatibility mode:  generates an old-style key, without
                    190:            any metadata.  By default, <span class="command"><strong>dnssec-keygen</strong></span>
                    191:            will include the key's creation date in the metadata stored
                    192:            with the private key, and other dates may be set there as well
                    193:            (publication date, activation date, etc).  Keys that include
                    194:            this data may be incompatible with older versions of BIND; the
                    195:            <code class="option">-C</code> option suppresses them.
                    196:          </p>
                    197:        </dd>
                    198: <dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
                    199: <dd>
                    200:          <p>
                    201:            Indicates that the DNS record containing the key should have
                    202:            the specified class.  If not specified, class IN is used.
                    203:          </p>
                    204:        </dd>
                    205: <dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
                    206: <dd>
                    207:          <p>
                    208:            Specifies the cryptographic hardware to use, when applicable.
                    209:          </p>
                    210:          <p>
                    211:            When BIND is built with OpenSSL PKCS#11 support, this defaults
                    212:            to the string "pkcs11", which identifies an OpenSSL engine
                     213:            that can drive a cryptographic accelerator or hardware security
                     214:            module (HSM).  When BIND is built with native PKCS#11 cryptography
                    215:            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
                    216:            provider library specified via "--with-pkcs11".
                    217:          </p>
                    218:        </dd>
                    219: <dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
                    220: <dd>
                    221:          <p>
                    222:            Set the specified flag in the flag field of the KEY/DNSKEY record.
                    223:            The only recognized flags are KSK (Key Signing Key) and REVOKE.
                    224:          </p>
                    225:        </dd>
                    226: <dt><span class="term">-G</span></dt>
                    227: <dd>
                    228:          <p>
                    229:            Generate a key, but do not publish it or sign with it.  This
                    230:            option is incompatible with -P and -A.
                    231:          </p>
                    232:        </dd>
                    233: <dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
                    234: <dd>
                    235:          <p>
                    236:            If generating a Diffie Hellman key, use this generator.
                    237:            Allowed values are 2 and 5.  If no generator
                    238:            is specified, a known prime from RFC 2539 will be used
                    239:            if possible; otherwise the default is 2.
                    240:          </p>
                    241:        </dd>
                    242: <dt><span class="term">-h</span></dt>
                    243: <dd>
                    244:          <p>
                    245:            Prints a short summary of the options and arguments to
                    246:            <span class="command"><strong>dnssec-keygen</strong></span>.
                    247:          </p>
                    248:        </dd>
                    249: <dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
                    250: <dd>
                    251:          <p>
                    252:            Sets the directory in which the key files are to be written.
                    253:          </p>
                    254:        </dd>
                    255: <dt><span class="term">-k</span></dt>
                    256: <dd>
                    257:          <p>
                    258:            Deprecated in favor of -T KEY.
                    259:          </p>
                    260:        </dd>
                    261: <dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
                    262: <dd>
                    263:          <p>
                    264:            Sets the default TTL to use for this key when it is converted
                    265:            into a DNSKEY RR.  If the key is imported into a zone,
                    266:            this is the TTL that will be used for it, unless there was
                    267:            already a DNSKEY RRset in place, in which case the existing TTL
                    268:            would take precedence.  If this value is not set and there
                    269:            is no existing DNSKEY RRset, the TTL will default to the
                    270:            SOA TTL. Setting the default TTL to <code class="literal">0</code>
                    271:            or <code class="literal">none</code> is the same as leaving it unset.
                    272:          </p>
                    273:        </dd>
                    274: <dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
                    275: <dd>
                    276:          <p>
                    277:            Sets the protocol value for the generated key.  The protocol
                    278:            is a number between 0 and 255.  The default is 3 (DNSSEC).
                    279:            Other possible values for this argument are listed in
                    280:            RFC 2535 and its successors.
                    281:          </p>
                    282:        </dd>
                    283: <dt><span class="term">-q</span></dt>
                    284: <dd>
                    285:          <p>
                    286:            Quiet mode: Suppresses unnecessary output, including
                    287:            progress indication.  Without this option, when
                    288:            <span class="command"><strong>dnssec-keygen</strong></span> is run interactively
                    289:            to generate an RSA or DSA key pair, it will print a string
                    290:            of symbols to <code class="filename">stderr</code> indicating the
                    291:            progress of the key generation.  A '.' indicates that a
                    292:            random number has been found which passed an initial
                    293:            sieve test; '+' means a number has passed a single
                    294:            round of the Miller-Rabin primality test; a space
                    295:            means that the number has passed all the tests and is
                    296:            a satisfactory key.
                    297:          </p>
                    298:        </dd>
                    299: <dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
                    300: <dd>
                    301:          <p>
                    302:            Create a new key which is an explicit successor to an
                    303:            existing key.  The name, algorithm, size, and type of the
                    304:            key will be set to match the existing key.  The activation
                    305:            date of the new key will be set to the inactivation date of
                    306:            the existing one.  The publication date will be set to the
                    307:            activation date minus the prepublication interval, which
                    308:            defaults to 30 days.
                    309:          </p>
                    310:        </dd>
                    311: <dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
                    312: <dd>
                    313:          <p>
                    314:            Specifies the strength value of the key.  The strength is
                    315:            a number between 0 and 15, and currently has no defined
                    316:            purpose in DNSSEC.
                    317:          </p>
                    318:        </dd>
                    319: <dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
                    320: <dd>
                    321:          <p>
                    322:            Specifies the resource record type to use for the key.
                    323:            <code class="option">rrtype</code> must be either DNSKEY or KEY.  The
                    324:            default is DNSKEY when using a DNSSEC algorithm, but it can be
                    325:            overridden to KEY for use with SIG(0).
                    326:          </p>
                     327: <p>
                     328:            Specifying DH (the TKEY algorithm) with
                     329:            <code class="option">-a</code> forces this option to KEY.  HMAC-* (TSIG)
                     330:            algorithms are no longer accepted by this tool; generate TSIG keys with
                     331:            <span class="command"><strong>tsig-keygen</strong></span> instead.
                     332:          </p>
                    333:        </dd>
                    334: <dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
                    335: <dd>
                    336:          <p>
                    337:            Indicates the use of the key.  <code class="option">type</code> must be
                    338:            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
                    339:            is AUTHCONF.  AUTH refers to the ability to authenticate
                    340:            data, and CONF the ability to encrypt data.
                    341:          </p>
                    342:        </dd>
                    343: <dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
                    344: <dd>
                    345:          <p>
                    346:            Sets the debugging level.
                    347:          </p>
                    348:        </dd>
                    349: <dt><span class="term">-V</span></dt>
                    350: <dd>
                    351:          <p>
                    352:            Prints version information.
                    353:          </p>
                    354:        </dd>
                    355: </dl></div>
                    356:   </div>
                    357:
                    358:   <div class="refsection">
                    359: <a name="id-1.13.12.9"></a><h2>TIMING OPTIONS</h2>
                    360:
                    361:
                    362:     <p>
                    363:       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
                    364:       If the argument begins with a '+' or '-', it is interpreted as
                    365:       an offset from the present time.  For convenience, if such an offset
                    366:       is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
                    367:       then the offset is computed in years (defined as 365 24-hour days,
                    368:       ignoring leap years), months (defined as 30 24-hour days), weeks,
                    369:       days, hours, or minutes, respectively.  Without a suffix, the offset
                    370:       is computed in seconds.  To explicitly prevent a date from being
                    371:       set, use 'none' or 'never'.
                    372:     </p>
                    373:
                    374:     <div class="variablelist"><dl class="variablelist">
                    375: <dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
                    376: <dd>
                    377:          <p>
                    378:            Sets the date on which a key is to be published to the zone.
                    379:            After that date, the key will be included in the zone but will
                    380:            not be used to sign it.  If not set, and if the -G option has
                    381:            not been used, the default is "now".
                    382:          </p>
                    383:        </dd>
                    384: <dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
                    385: <dd>
                    386:          <p>
                    387:            Sets the date on which CDS and CDNSKEY records that match this
                    388:            key are to be published to the zone.
                    389:          </p>
                    390:        </dd>
                    391: <dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
                    392: <dd>
                    393:          <p>
                    394:            Sets the date on which the key is to be activated.  After that
                    395:            date, the key will be included in the zone and used to sign
                    396:            it.  If not set, and if the -G option has not been used, the
                     397:            default is "now".  If set, and if -P is not set, then
                    398:            the publication date will be set to the activation date
                    399:            minus the prepublication interval.
                    400:          </p>
                    401:        </dd>
                    402: <dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
                    403: <dd>
                    404:          <p>
                    405:            Sets the date on which the key is to be revoked.  After that
                    406:            date, the key will be flagged as revoked.  It will be included
                    407:            in the zone and will be used to sign it.
                    408:          </p>
                    409:        </dd>
                    410: <dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
                    411: <dd>
                    412:          <p>
                    413:            Sets the date on which the key is to be retired.  After that
                    414:            date, the key will still be included in the zone, but it
                    415:            will not be used to sign it.
                    416:          </p>
                    417:        </dd>
                    418: <dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
                    419: <dd>
                    420:          <p>
                    421:            Sets the date on which the key is to be deleted.  After that
                    422:            date, the key will no longer be included in the zone.  (It
                    423:            may remain in the key repository, however.)
                    424:          </p>
                    425:        </dd>
                    426: <dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
                    427: <dd>
                    428:          <p>
                    429:            Sets the date on which the CDS and CDNSKEY records that match this
                    430:            key are to be deleted.
                    431:          </p>
                    432:        </dd>
                    433: <dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
                    434: <dd>
                    435:          <p>
                    436:            Sets the prepublication interval for a key.  If set, then
                    437:            the publication and activation dates must be separated by at least
                    438:            this much time.  If the activation date is specified but the
                    439:            publication date isn't, then the publication date will default
                    440:            to this much time before the activation date; conversely, if
                    441:            the publication date is specified but activation date isn't,
                    442:            then activation will be set to this much time after publication.
                    443:          </p>
                    444:          <p>
                    445:            If the key is being created as an explicit successor to another
                    446:            key, then the default prepublication interval is 30 days;
                    447:            otherwise it is zero.
                    448:          </p>
                    449:          <p>
                    450:            As with date offsets, if the argument is followed by one of
                    451:            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
                    452:            interval is measured in years, months, weeks, days, hours,
                    453:            or minutes, respectively.  Without a suffix, the interval is
                    454:            measured in seconds.
                    455:          </p>
                    456:        </dd>
                    457: </dl></div>
                    458:   </div>
                    459:
                    460:
                    461:   <div class="refsection">
                    462: <a name="id-1.13.12.10"></a><h2>GENERATED KEYS</h2>
                    463:
                    464:     <p>
                    465:       When <span class="command"><strong>dnssec-keygen</strong></span> completes
                    466:       successfully,
                    467:       it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
                    468:       to the standard output.  This is an identification string for
                    469:       the key it has generated.
                    470:     </p>
                    471:     <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
                    472: <li class="listitem">
                    473:        <p><code class="filename">nnnn</code> is the key name.
                    474:        </p>
                    475:       </li>
                    476: <li class="listitem">
                    477:        <p><code class="filename">aaa</code> is the numeric representation
                    478:          of the
                    479:          algorithm.
                    480:        </p>
                    481:       </li>
                    482: <li class="listitem">
                    483:        <p><code class="filename">iiiii</code> is the key identifier (or
                    484:          footprint).
                    485:        </p>
                    486:       </li>
                    487: </ul></div>
                    488:     <p><span class="command"><strong>dnssec-keygen</strong></span>
                    489:       creates two files, with names based
                    490:       on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
                    491:       contains the public key, and
                    492:       <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
                    493:       private
                    494:       key.
                    495:     </p>
                    496:     <p>
                    497:       The <code class="filename">.key</code> file contains a DNS KEY record
                    498:       that
                    499:       can be inserted into a zone file (directly or with a $INCLUDE
                    500:       statement).
                    501:     </p>
                    502:     <p>
                    503:       The <code class="filename">.private</code> file contains
                    504:       algorithm-specific
                     505:          fields.  Because it contains the private key, this file does not have
                     506:          general read permission.
                    507:     </p>
                    508:     <p>
                    509:       Both <code class="filename">.key</code> and <code class="filename">.private</code>
                     510:       files are generated even for symmetric cryptography algorithms such as
                     511:       HMAC-MD5, where the public and private keys are equivalent.
                    512:     </p>
                    513:   </div>
                    514:
                    515:   <div class="refsection">
                    516: <a name="id-1.13.12.11"></a><h2>EXAMPLE</h2>
                    517:
                    518:     <p>
1.1.1.2 ! christos  519:       To generate an ECDSAP256SHA256 key for the domain
1.1       christos  520:       <strong class="userinput"><code>example.com</code></strong>, the following command would be
                    521:       issued:
                    522:     </p>
1.1.1.2 ! christos  523:     <p><strong class="userinput"><code>dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com</code></strong>
1.1       christos  524:     </p>
                    525:     <p>
                    526:       The command would print a string of the form:
                    527:     </p>
1.1.1.2 ! christos  528:     <p><strong class="userinput"><code>Kexample.com.+013+26160</code></strong>
1.1       christos  529:     </p>
                    530:     <p>
                    531:       In this example, <span class="command"><strong>dnssec-keygen</strong></span> creates
1.1.1.2 ! christos  532:       the files <code class="filename">Kexample.com.+013+26160.key</code>
1.1       christos  533:       and
1.1.1.2 ! christos  534:       <code class="filename">Kexample.com.+013+26160.private</code>.
1.1       christos  535:     </p>
                    536:   </div>
                    537:
                    538:   <div class="refsection">
                    539: <a name="id-1.13.12.12"></a><h2>SEE ALSO</h2>
                    540:
                    541:     <p><span class="citerefentry">
                    542:        <span class="refentrytitle">dnssec-signzone</span>(8)
                    543:       </span>,
                    544:       <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
                    545:       <em class="citetitle">RFC 2539</em>,
                    546:       <em class="citetitle">RFC 2845</em>,
                    547:       <em class="citetitle">RFC 4034</em>.
                    548:     </p>
                    549:   </div>
                    550:
                    551: </div>
                    552: <div class="navfooter">
                    553: <hr>
                    554: <table width="100%" summary="Navigation footer">
                    555: <tr>
                    556: <td width="40%" align="left">
                    557: <a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a> </td>
                    558: <td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
                    559: <td width="40%" align="right"> <a accesskey="n" href="man.dnssec-keymgr.html">Next</a>
                    560: </td>
                    561: </tr>
                    562: <tr>
                    563: <td width="40%" align="left" valign="top">
                    564: <span class="application">dnssec-keyfromlabel</span> </td>
                    565: <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
                    566: <td width="40%" align="right" valign="top"> <span class="application">dnssec-keymgr</span>
                    567: </td>
                    568: </tr>
                    569: </table>
                    570: </div>
1.1.1.2 ! christos  571: <p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.13.5-W1 (Development Release)</p>
1.1       christos  572: </body>
                    573: </html>
