Open System Services Shell and Utilities Reference Manual (G06.27+, H06.04+)

Administrator Commands and Files dnssec-keygen(8)
NAME
dnssec-keygen - Runs the BIND 9 secure domain name server DNSSEC key generation tool
SYNOPSIS
/etc/dns_secure/dnssec-keygen
-a algorithm
-b keysize
-n nametype
[ -c class ]
[ -e ]
[ -f flag ]
[ -g generator ]
[ -h ]
[ -k ]
[ -p protocol ]
[ -r randomdev ]
[ -s strength ]
[ -t type ]
[ -v level ]
name
FLAGS
-a algorithm ... Selects the cryptographic algorithm to be used. The value of algorithm must be
one or more of:
    RSAMD5 Specifies RSA. This value is an alternative to RSASHA1.
    RSASHA1 Specifies RSA. This value is required to implement a secure
    DNSSEC name server algorithm.
    DSA Specifies DSA. This value is recommended to implement a
    secure DNSSEC name server algorithm.
    DH Specifies Diffie-Hellman. Using this value automatically sets
    the -k flag.
    HMAC-MD5 Specifies HMAC-MD5. This value is required for transaction
    signatures (TSIG). Using this value automatically sets the -k
    flag.
These values are case-insensitive.
-b keysize Specifies the number of bits in the key. The choice of key size depends on the
algorithm used:
    RSAMD5/RSASHA1 keys must be between 512 and 2048 bits.
    Diffie-Hellman keys must be between 128 and 4096 bits.
    DSA keys must be between 512 and 1024 bits and an exact multiple of 64.
    HMAC-MD5 keys must be between 1 and 512 bits.
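
The -a and -b limits above, written as a pre-flight check that a key-generation script can run before calling dnssec-keygen. This is an added example, not part of this manual or of BIND; the function name keygen_precheck and the KEYGEN_MIN_BITS site-policy variable are assumptions.

```shell
#!/bin/sh
# Added example: validate -a/-b values against the limits listed under FLAGS.
# keygen_precheck and KEYGEN_MIN_BITS are hypothetical names, not tool features.
# Returns 0 and prints the validated flags, 1 for an out-of-range size,
# 2 for a malformed size or unknown algorithm.

keygen_precheck() {
    alg=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')   # values are case-insensitive
    bits=$2
    implied=""

    # Accept only a plain decimal of at most 4 digits with no leading zero,
    # so the integer comparisons below cannot overflow or be read as octal.
    case $bits in
        ''|*[!0-9]*|0*|?????*)
            echo "keysize '$bits' is not a valid size" >&2; return 2 ;;
    esac

    case $alg in
        RSAMD5|RSASHA1) min=512; max=2048 ;;
        DH)             min=128; max=4096; implied="-k" ;;
        DSA)            min=512; max=1024 ;;
        HMAC-MD5)       min=1;   max=512;  implied="-k" ;;
        *) echo "unknown algorithm '$1'" >&2; return 2 ;;
    esac

    if [ "$bits" -lt "$min" ] || [ "$bits" -gt "$max" ]; then
        echo "$alg keys must be between $min and $max bits" >&2; return 1
    fi
    if [ "$alg" = DSA ] && [ $((bits % 64)) -ne 0 ]; then
        echo "DSA key size must be an exact multiple of 64" >&2; return 1
    fi
    # Optional site floor (assumption): reject sizes the tool would accept
    # but local policy does not. Unset means documented limits only.
    if [ "$bits" -lt "${KEYGEN_MIN_BITS:-0}" ]; then
        echo "$bits bits is below the site minimum $KEYGEN_MIN_BITS" >&2; return 1
    fi
    if [ -n "$implied" ]; then
        echo "note: $alg automatically sets the $implied flag" >&2
    fi
    echo "-a $alg -b $bits"
}
```

The function prints the validated flags on standard output so a caller can capture them and append -n nametype and name.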
527188-004 Hewlett-Packard Company 1213