System Administration Commands                                 dnskeygen(1M)

NAME
dnskeygen - generate public, private, and shared secret keys for DNS
SYNOPSIS
dnskeygen [[-DHR] size] [-F] [-zhu] [-a] [-c] [-p num] [-s num] -n name

DESCRIPTION
The dnskeygen utility generates and maintains keys for DNS security in the Domain Name System (DNS). Use dnskeygen to generate public and private keys to authenticate zone data, or shared secret keys for request and transaction signatures.
dnskeygen stores each key in two files:

K<name>+<algorithm>+<footprint>.private

and

K<name>+<algorithm>+<footprint>.key

The private key is stored in a portable format within K<name>+<alg>+<footprint>.private. The public key is stored in K<name>+<alg>+<footprint>.key in the DNS zone file format:

<name> IN KEY <flags> <algorithm> <protocol> <exponent|modulus>

The underlying cryptographic math is done by the DNSSAFE and Foundation Toolkit libraries.

OPTIONS
The dnskeygen utility supports the following options:
- -D
  Generate a DSA/DSS key. The value of size must be one of the following: 512, 576, 640, 704, 768, 832, 896, 960 or 1024.
- -F
  Use a large exponent for key generation. Use for RSA only.
- -H
  Generate an HMAC-MD5 key. The value of size must be between 128 and 504.
- -R
  Generate an RSA key. The value of size must be between 512 and 4096.
- -a
  The key cannot be used for authentication.
- -c
  The key cannot be used for encryption.
- -h
  Generate a host or service key.
- -n name
  Set the key's name to name.
- -p num
  Set the key's protocol field to num. The values for num are as follows:
  - 3: the default value if -z or -h is specified (DNSSEC).
  - 2: unless specified, the default value for all other options.
  - 1: use this value for TLS.
  - 4: use this value for IPSEC.
  - 255: use this value for ANY.
- -s num
  Set the key's strength field to num. The default value of num is 0.
- -u
  Generate a user key, for example, for email.
- -z
  Generate a zone key for DNS validation.
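The two artifacts described above, the K<name>+<algorithm>+<footprint> file name and the KEY record inside the .key file, carry overlapping information (name, algorithm number, footprint, protocol), and a key that has been renamed or edited by hand will quietly disagree with itself. The following added example, which is not part of this man page or of the BIND sources, parses both and reports inconsistencies. It assumes the field order flags, protocol, algorithm, public key from RFC 2065 section 3.1 (cited below; the synopsis line above lists algorithm before protocol), computes the footprint with the checksum defined in RFC 2535 Appendix C (the same arithmetic as RFC 4034 Appendix B) for every algorithm except RSA/MD5, whose footprint is taken from the modulus and is skipped here, and uses the IANA algorithm numbers 1 (RSA/MD5), 3 (DSA) and 157 (HMAC-MD5), none of which the page itself lists. The sample file name and record are constructed, not real key material.

```python
"""Cross-check a dnskeygen key file name against the KEY RR it contains.

Added example; not from the dnskeygen man page or the BIND sources.
"""
import base64
import re
from typing import List, NamedTuple

# Protocol field values exactly as listed under the -p option above.
PROTOCOLS = {1: "TLS", 2: "default (non-DNSSEC)", 3: "DNSSEC", 4: "IPSEC", 255: "ANY"}

# Assumed IANA algorithm numbers for the three key types dnskeygen generates;
# the man page itself does not list them.
ALGORITHMS = {1: "RSA/MD5", 3: "DSA", 157: "HMAC-MD5"}

# K<name>+<algorithm>+<footprint>.key / .private, as described above.
FILENAME_RE = re.compile(
    r"^K(?P<name>[^+]+)\+(?P<alg>\d+)\+(?P<tag>\d+)\.(?P<ext>key|private)$")


class KeyFile(NamedTuple):
    name: str
    algorithm: int
    footprint: int
    ext: str


class KeyRR(NamedTuple):
    owner: str
    flags: int
    protocol: int
    algorithm: int
    pubkey: bytes


def parse_filename(fname: str) -> KeyFile:
    """Split a dnskeygen file name into its name, algorithm and footprint."""
    m = FILENAME_RE.match(fname)
    if not m:
        raise ValueError("not a dnskeygen key file name: %r" % fname)
    return KeyFile(m["name"], int(m["alg"]), int(m["tag"]), m["ext"])


def parse_key_rr(line: str) -> KeyRR:
    """Parse '<name> [TTL] [IN] KEY <flags> <protocol> <algorithm> <base64...>'.

    Field order (flags, protocol, algorithm) is assumed from RFC 2065
    section 3.1; TTL and the IN class are optional, and the base64 public
    key may be split across several whitespace-separated tokens.
    """
    tokens = line.split()
    if "KEY" not in tokens:
        raise ValueError("no KEY RR on line: %r" % line)
    i = tokens.index("KEY")
    flags, protocol, algorithm = (int(t) for t in tokens[i + 1:i + 4])
    pubkey = base64.b64decode("".join(tokens[i + 4:]))
    return KeyRR(tokens[0], flags, protocol, algorithm, pubkey)


def key_tag(rr: KeyRR) -> int:
    """Footprint per RFC 2535 Appendix C: a 16-bit checksum over the RDATA
    (flags, protocol, algorithm, public key).  RSA/MD5 (algorithm 1) derives
    its footprint from the modulus instead and is not handled here."""
    if rr.algorithm == 1:
        raise NotImplementedError("RSA/MD5 footprint is taken from the modulus")
    rdata = rr.flags.to_bytes(2, "big") + bytes([rr.protocol, rr.algorithm]) + rr.pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8   # even offsets are the high octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def check(fname: str, line: str) -> List[str]:
    """Return a list of inconsistencies; an empty list means the pair agrees."""
    kf = parse_filename(fname)
    rr = parse_key_rr(line)
    problems = []
    if kf.name != rr.owner:
        problems.append("owner %s does not match file name %s" % (rr.owner, kf.name))
    if kf.algorithm != rr.algorithm:
        problems.append("algorithm %d in RR, %d in file name" % (rr.algorithm, kf.algorithm))
    if rr.algorithm not in ALGORITHMS:
        problems.append("algorithm %d is not one dnskeygen generates" % rr.algorithm)
    if rr.protocol not in PROTOCOLS:
        problems.append("protocol %d is not a value listed for -p" % rr.protocol)
    if rr.algorithm != 1 and key_tag(rr) != kf.footprint:
        problems.append("footprint %05d in file name, computed %05d"
                        % (kf.footprint, key_tag(rr)))
    return problems


# Constructed sample (not real key material): a DSA key with protocol 3 (DNSSEC).
SAMPLE_FILE = "Kexample.com.+003+03337.key"
SAMPLE_RR = "example.com. IN KEY 256 3 3 AQIDBAU="

if __name__ == "__main__":
    for p in check(SAMPLE_FILE, SAMPLE_RR) or ["ok: file name and KEY RR agree"]:
        print(p)
```

Run it against a real pair by passing the .key file's name and its single record line to check(); a non-empty list is the reason to regenerate the key rather than trust the file.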

ATTRIBUTES
See attributes(5) for descriptions of the following attributes:

| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|---|---|
| Availability | SUNWcsu |
| Interface Stability | Standard Bind 8.2.4 |

SEE ALSO
attributes(5)
Eastlake III, D. and Kaufman, C. RFC 2065, Domain Name System Security Extensions. Network Working Group. January 1997.
Vixie, P., Gudmundsson, O., Eastlake III, D., and Wellington, B. RFC 2845, Secret Key Transaction Authentication for DNS (TSIG). Network Working Group. May 2000.