Open System Services Shell and Utilities Reference Manual (G06.29+, H06.08+, J06.03+)

dnssec-keygen(8) OSS Shell and Utilities Reference Manual
NAME
dnssec-keygen - Runs the BIND 9 secure domain name server DNSSEC key generation tool
SYNOPSIS
/etc/dns_secure/dnssec-keygen
        -a algorithm
        -b keysize
        -n nametype
        [ -c class ]
        [ -e ]
        [ -f flag ]
        [ -g generator ]
        [ -h ]
        [ -k ]
        [ -p protocol ]
        [ -r randomdev ]
        [ -s strength ]
        [ -t type ]
        [ -v level ]
        name
FLAGS
-a algorithm
        Selects the cryptographic algorithm to be used. The value of algorithm
        must be one or more of:

        RSAMD5      Specifies RSA. This value is an alternative to RSASHA1.

        RSASHA1     Specifies RSA. This value is required to implement a
                    secure DNSSEC name server algorithm.

        DSA         Specifies DSA. This value is recommended to implement a
                    secure DNSSEC name server algorithm.

        DH          Specifies Diffie Hellman. Using this value automatically
                    sets the -k flag.

        HMAC-MD5    Specifies HMAC-MD5. This value is required for
                    transaction signatures (TSIG). Using this value
                    automatically sets the -k flag.

        These values are case-insensitive.

-b keysize
        Specifies the number of bits in the key. The choice of key size
        depends on the algorithm used:

        RSAMD5/RSASHA1 keys must be between 512 and 2048 bits.

        Diffie Hellman keys must be between 128 and 4096 bits.

        DSA keys must be between 512 and 1024 bits and an exact multiple
        of 64.

        HMAC-MD5 keys must be between 1 and 512 bits.
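
The -a and -b rules above can be checked before dnssec-keygen is called. The script below is an added example, not part of this manual or of BIND; the function name check_keygen_args and its return codes are hypothetical, and the limits are the ones listed on this page.

```shell
#!/bin/sh
# Added example: validate -a/-b values against the limits on this page
# before calling dnssec-keygen. check_keygen_args is a hypothetical name.
# Prints "ALGORITHM KEYSIZE [-k]" on success ("-k" = flag set implicitly).
# Returns 1 unknown algorithm, 2 malformed keysize, 3 out of range,
# 4 not a multiple of the required step.
check_keygen_args() {
    # Algorithm names are case-insensitive; compare in upper case.
    alg=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]')
    bits=$2
    # Accept 1-4 decimal digits with no leading zero (avoids octal
    # parsing and overflow in the arithmetic below; the maximum is 4096).
    case "$bits" in
        ''|0*|*[!0-9]*|?????*)
            echo "keysize '$bits' is not a valid bit count" >&2
            return 2 ;;
    esac
    step=1
    implied=
    case "$alg" in
        RSAMD5|RSASHA1) min=512 max=2048 ;;
        DH)             min=128 max=4096 implied=-k ;;
        DSA)            min=512 max=1024 step=64 ;;
        HMAC-MD5)       min=1   max=512  implied=-k ;;
        *)
            echo "unknown algorithm '$1'" >&2
            return 1 ;;
    esac
    if [ "$bits" -lt "$min" ] || [ "$bits" -gt "$max" ]; then
        echo "$alg keys must be between $min and $max bits" >&2
        return 3
    fi
    if [ $((bits % step)) -ne 0 ]; then
        echo "$alg keys must be an exact multiple of $step bits" >&2
        return 4
    fi
    echo "$alg $bits${implied:+ $implied}"
}

# Constructed sample inputs (not from the manual).
for pair in "rsasha1 1024" "DSA 1000" "hmac-md5 128" "RSAMD5 4096"; do
    set -- $pair
    check_keygen_args "$1" "$2" || echo "rejected: $pair"
done
```
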
1214 Hewlett-Packard Company 527188-021