Open System Services Shell and Utilities Reference Manual (G06.27+, H06.04+)
Administrator Commands and Files dnssec-keygen(8)
NOCONF Do not use for data encryption.
-v level Sets the debugging level.
Operands
name Specifies the domain name for which the security information should be generated.
DESCRIPTION
dnssec-keygen generates keys for secure DNS, as defined in RFC 2535. It can also generate
keys for use with TSIG (transaction signatures), as defined in RFC 2845.
Generated Keys
When dnssec-keygen completes successfully, it prints a string of the form Knnnn.+aaa+iiiii to
the standard output, where:
nnnn is the key name.
aaa is the numeric representation of the algorithm.
iiiii is the key identifier (or footprint).
This is an identification string for the key it has generated.
dnssec-keygen creates two files, with names based on the printed string. Knnnn.+aaa+iiiii.key
contains the public key, and Knnnn.+aaa+iiiii.private contains the private key.
The Knnnn.+aaa+iiiii.key file contains a DNS KEY record that can be inserted into a zone file
(directly or with a $INCLUDE statement).
The Knnnn.+aaa+iiiii.private file contains algorithm-specific fields. For security reasons, this
file does not have general read permission.
Both files are generated for symmetric encryption algorithms such as HMAC-MD5, even though
the public and private keys are equivalent.
EXAMPLE
To generate a 768-bit DSA key for the domain example.com, issue the following command:
dnssec-keygen -a DSA -b 768 -n ZONE example.com
This command prints a string of the form:
Kexample.com.+003+26160
In this example, dnssec-keygen creates the files Kexample.com.+003+26160.key and
Kexample.com.+003+26160.private.
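The following is an added example, not part of this manual or of BIND itself: it parses the Knnnn.+aaa+iiiii string printed above into its three fields, derives the two file names, and audits the .private file for the "no general read permission" property the DESCRIPTION requires. The algorithm table uses the RFC 2535 numbers plus BIND's private-use number 157 for HMAC-MD5; the file contents written by demo() are constructed placeholders, not key material.

```python
import os
import re
import stat
import tempfile
from typing import NamedTuple

# Matches the identification string dnssec-keygen prints: Knnnn.+aaa+iiiii
KEY_ID_RE = re.compile(r"^K(?P<name>[^+]+)\.\+(?P<alg>\d{3})\+(?P<keyid>\d{5})$")

# Algorithm numbers: 1-3 from RFC 2535, 157 is BIND's number for HMAC-MD5 (TSIG).
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 157: "HMAC-MD5"}


class KeyId(NamedTuple):
    name: str       # nnnn: the key (domain) name, trailing dot removed
    algorithm: int  # aaa: numeric algorithm
    keyid: int      # iiiii: key identifier (footprint)


def parse_key_id(ident):
    """Split e.g. 'Kexample.com.+003+26160' into (name, algorithm, keyid)."""
    m = KEY_ID_RE.match(ident.strip())
    if not m:
        raise ValueError("not a dnssec-keygen key identifier: %r" % ident)
    return KeyId(m["name"], int(m["alg"]), int(m["keyid"]))


def key_file_names(ident):
    """Return the (public, private) file names dnssec-keygen derives from ident."""
    parse_key_id(ident)  # reject malformed strings before building names
    return ident + ".key", ident + ".private"


def private_key_is_protected(path):
    """True if the .private file grants no group or other permission bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    """Constructed walk-through of the manual's EXAMPLE in a temporary directory."""
    ident = "Kexample.com.+003+26160"
    pub, priv = key_file_names(ident)
    with tempfile.TemporaryDirectory() as d:
        pub_path, priv_path = os.path.join(d, pub), os.path.join(d, priv)
        with open(pub_path, "w") as f:   # placeholder KEY record, not a real key
            f.write("example.com. IN KEY 256 3 3 PLACEHOLDER-PUBLIC-KEY\n")
        with open(priv_path, "w") as f:  # placeholder, not real private fields
            f.write("Algorithm: 3 (DSA)\nPLACEHOLDER-PRIVATE-FIELDS\n")
        os.chmod(priv_path, 0o644)       # deliberately too open: audit must flag it
        too_open = private_key_is_protected(priv_path)
        os.chmod(priv_path, 0o600)       # owner-only, as the manual requires
        fixed = private_key_is_protected(priv_path)
    return parse_key_id(ident), too_open, fixed
```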
RELATED INFORMATION
Commands: dnssec-signzone(8).
Documents: BIND 9 Administrator Reference Manual, RFC 2535, RFC 2845, RFC 2539.
527188-004 Hewlett-Packard Company 12−15