Open System Services Shell and Utilities Reference Manual (G06.28+, H06.05+)
Administrator Commands and Files dnssec-keygen(8)
NAME
dnssec-keygen - Runs the BIND 9 secure domain name server DNSSEC key generation tool
SYNOPSIS
/etc/dns_secure/dnssec-keygen
-a algorithm
-b keysize
-n nametype
[ -c class ]
[ -e ]
[ -f flag ]
[ -g generator ]
[ -h ]
[ -k ]
[ -p protocol ]
[ -r randomdev ]
[ -s strength ]
[ -t type ]
[ -v level ]
name
FLAGS
-a algorithm   Selects the cryptographic algorithm to be used. The value of algorithm must be one or more of:
    RSAMD5     Specifies RSA. This value is an alternative to RSASHA1.
    RSASHA1    Specifies RSA. This value is required to implement a secure DNSSEC name server algorithm.
    DSA        Specifies DSA. This value is recommended to implement a secure DNSSEC name server algorithm.
    DH         Specifies Diffie Hellman. Using this value automatically sets the -k flag.
    HMAC-MD5   Specifies HMAC-MD5. This value is required for transaction signatures (TSIG). Using this value automatically sets the -k flag.
    These values are case-insensitive.
-b keysize     Specifies the number of bits in the key. The choice of key size depends on the algorithm used:
    • RSAMD5/RSASHA1 keys must be between 512 and 2048 bits.
    • Diffie Hellman keys must be between 128 and 4096 bits.
    • DSA keys must be between 512 and 1024 bits and an exact multiple of 64.
    • HMAC-MD5 keys must be between 1 and 512 bits.
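As an added example (not part of the original manual), the following POSIX shell functions check an -a/-b pair against the ranges listed above before dnssec-keygen is invoked. The function names normalize_alg, check_keysize and implies_k are hypothetical.

```shell
# Added example: pre-flight check of -a / -b values against the ranges
# listed in this manual page. All function names are hypothetical.

# Print the canonical upper-case algorithm name; fail if it is not listed.
normalize_alg() {
    alg=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    case "$alg" in
        RSAMD5|RSASHA1|DSA|DH|HMAC-MD5) printf '%s\n' "$alg" ;;
        *) return 1 ;;
    esac
}

# check_keysize ALGORITHM BITS
# Returns 0 when BITS is valid for ALGORITHM, 1 otherwise (reason on stderr).
check_keysize() {
    alg=$(normalize_alg "$1") || { echo "unknown algorithm: $1" >&2; return 1; }
    bits=$2
    # Reject empty, non-numeric, leading-zero and over-long (5+ digit) input.
    case "$bits" in
        ''|0*|*[!0-9]*|?????*) echo "invalid keysize: $bits" >&2; return 1 ;;
    esac
    case "$alg" in
        RSAMD5|RSASHA1) min=512 max=2048 step=1 ;;
        DH)             min=128 max=4096 step=1 ;;
        DSA)            min=512 max=1024 step=64 ;;
        HMAC-MD5)       min=1   max=512  step=1 ;;
    esac
    if [ "$bits" -lt "$min" ] || [ "$bits" -gt "$max" ]; then
        echo "$alg keys must be between $min and $max bits" >&2; return 1
    fi
    if [ $((bits % step)) -ne 0 ]; then
        echo "$alg keysize must be an exact multiple of $step" >&2; return 1
    fi
    return 0
}

# implies_k ALGORITHM: returns 0 when the algorithm sets -k automatically.
implies_k() {
    case "$(normalize_alg "$1")" in
        DH|HMAC-MD5) return 0 ;;
        *) return 1 ;;
    esac
}
```

In a provisioning script, call check_keysize with the intended -a and -b values and run /etc/dns_secure/dnssec-keygen only when it returns 0.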
527188-007 Hewlett-Packard Company 12−13