path: root/contrib/bind/doc/man/dnskeygen.1
Diffstat (limited to 'contrib/bind/doc/man/dnskeygen.1')
-rw-r--r--  contrib/bind/doc/man/dnskeygen.1  231
1 files changed, 94 insertions, 137 deletions
diff --git a/contrib/bind/doc/man/dnskeygen.1 b/contrib/bind/doc/man/dnskeygen.1
index bdc2df9..4b3c406 100644
--- a/contrib/bind/doc/man/dnskeygen.1
+++ b/contrib/bind/doc/man/dnskeygen.1
@@ -1,4 +1,4 @@
-.\" Copyright (c) 1996 by Internet Software Consortium
+.\" Copyright (c) 1996,1999 by Internet Software Consortium
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
@@ -13,163 +13,120 @@
.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
.\" SOFTWARE.
.\"
-.\" $Id: dnskeygen.1,v 8.2 1997/03/14 02:29:41 vixie Exp $
+.\" $Id: dnskeygen.1,v 8.5 1999/02/23 05:20:18 vixie Exp $
.\"
-.Dd October 25, 1996
+.Dd December 2, 1998
.Dt DNSKEYGEN @CMD_EXT_U@
.Os BSD 4
.Sh NAME
.Nm dnskeygen
-.Nd generate and display public and private RSA keys for DNS
+.Nd generate public, private, and shared secret keys for DNS Security
.Sh SYNOPSIS
.Nm dnskeygen
-.Bo Fl g Ns Op Ar size
-.Op Fl f
-.Bc
-.Bo Fl z
-|
-.Fl e
-|
-.Fl u
-.Bc
-.Op Fl i
-.Op Fl m
-.Op Fl p Ns Ar #
-.Op Fl s Ns Ar #
-.Op Fl x
-.Ar name
+.Oo Fl
+.Op Cm DHR
+.Ar size
+.Oc
+.Op Fl F
+.Fl Op Cm zhu
+.Op Cm Fl a
+.Op Cm Fl c
+.Op Cm Fl p Ar num
+.Op Cm Fl s Ar num
+.Fl n Ar name
.Sh DESCRIPTION
.Ic Dnskeygen
-(DNS Key Generator) is a tool to generate and maintain RSA keys
-for DNS (Domain Name System).
+(DNS Key Generator) is a tool to generate and maintain keys for DNS Security
+within the DNS (Domain Name System).
+.Nm Dnskeygen
+can generate public and private keys to authenticate zone data, and shared
+secret keys to be used for Request/Transaction signatures.
.Bl -tag -width Fl
-.It Fl g Ns Op Ar size
-.Ic Dnskeygen
-will generate a new key when
-the
-.Dq Fl g
-flag is specified. If the
-.Dq Fl g
-flag is not specified, then it
-will attempt to display an existing key that is stored in the current
-directory. If no
-.Ar size
-is specified after the
-.Dq Fl g
-flag, a key of 512 bits
-will be generated; otherwise,
-.Ar size
-is the size of the modulus in the newly-generated key.
-.It Fl f
-flag can only be specified with the
-.Dq Fl g
-flag; this changes the
-exponent used on the key. If
-.Dq Fl f
-is specified, the exponent is 65537,
-which is suitable for encryption keys. If
-.Dq Fl f
-is not specified,
-the exponent is 3, which is suitable for signatures and
-verification of public data such as DNS records. Signing and
-verifying with exponent of 65537 takes significantly more CPU time than
-with exponent of 3.
-.It Fl z Fl e Fl u
-These flags define the type of key being generated: Zone (DNS
-validation) key, End Entity (host or service) key or User (e.g. email) key,
-respectively.
-Each key is only allowed to be one of these. When
-keys are displayed, the type of key can be changed.
-.It Fl i
-Indicates that the key can be used for IPSEC (Internet Protocol Security
-services).
-.It Fl m
-Indicates that the key can be used for secure email.
-.It Fl p Ns Ar #
-Indicates that the key can be used for protocol number
-.Ar # .
-A value of
-.Ar 0
-denies the use of the key for
-.Em any
-protocol (other than those specified by other option flags like
-.Fl m ) .
-A value of
-.Ar 255
-allows it to be used with
-.Em all
-protocols.
-These protocol numbers will be assigned in the latest Assigned Numbers
-RFC from the Internet Assigned Numbers Authority (IANA).
-.It Fl s Ns Ar #
-Strength value; this value is only used when key is signing.
-Interpretation of this field is to be specified later. Default value is 7.
-.It Fl x
-Experimental key. This indicates that software should not assume
-that it should use secure protocols when talking to this zone, host, or user.
-Instead, the key is being published experimentally, to debug the software
-to be used to run the secure protocols, for example.
-Data signed by Experimental keys will not be treated as trusted by DNS servers.
-.It Ar name
-The DNS name the key is for. This can be any valid DNS name.
+.It Fl D
+Dnskeygen will generate a
+.Ic DSA/DSS
+key.
+.Dq size
+must be one of [512, 576, 640, 704, 768, 832, 896, 960, 1024].
+.It Fl H
+Dnskeygen will generate an
+.Ic HMAC-MD5
+key.
+.Dq size
+must be between 128 and 504.
+.It Fl R
+Dnskeygen will generate an
+.Ic RSA
+key.
+.Dq size
+must be between 512 and 4096.
+.It Fl F
+.Ic (RSA only)
+Use a large exponent for key generation.
+.It Fl z Fl h Fl u
+These flags define the type of key being generated: Zone (DNS validation) key,
+Host (host or service) key or User (e.g. email) key, respectively.
+Each key is only allowed to be one of these.
+.It Fl a
+Indicates that the key
+.Ic CANNOT
+be used for authentication.
+.It Fl c
+Indicates that the key
+.Ic CANNOT
+be used for encryption.
+.It Fl p Ar num
+Sets the key's protocol field to
+.Ar num
+; the default is
+.Ic 3
+(DNSSEC) if
+.Dq Fl z
+or
+.Dq Fl h
+is specified and
+.Ic 2
+(EMAIL) otherwise. Other accepted values are
+.Ic 1
+(TLS),
+.Ic 4
+(IPSEC), and
+.Ic 255
+(ANY).
+.It Fl s Ar num
+Sets the key's strength field to
+.Ar num;
+the default is
+.Sy 0.
+.It Fl n Ar name
+Sets the key's name to
+.Ar name.
.El
.Ss DETAILS
.Ic Dnskeygen
-uses two files for each key:
-.Pa <name>.priv
+stores each key in two files:
+.Pa K<name>+<alg>+<footprint>.private
and
-.Pa <name>.public .
-File
-.Pa <name>.public
-contains the public key in the pubkey format:
+.Pa K<name>+<alg>+<footprint>.key
+The file
+.Pa K<name>+<alg>+<footprint>.private
+contains the private key in a portable format. The file
+.Pa K<name>+<alg>+<footprint>.key
+contains the public key in the DNS zone file format:
.Pp
-.D1 Ar <flags> <algorithm> <protocol> <exponent|modulus>
+.D1 Ar <name> IN KEY <flags> <algorithm> <protocol> <exponent|modulus>
.Pp
-.Ic Dnskeygen
-.Ar name
-displays the public key in both DNS RR format and pubkey format.
-.Ic Dnskeygen
-can display the key with different flags on subsequent runs.
-The contents of the public key file will not be changed.
-.Pa <name>.priv
-stores the private key, in either a password-protected
-format file or in a open file. The advantage of
-a password-protected file is that it is harder to use the key if the file is
-stolen. The disadvantage is that the password has to be given each time
-the key is read. If the key is to be stored in a safe off-line place,
-and only used for signing zones, then local policy may allow storing the
-key in an unencrypted format.
.Sh ENVIRONMENT
No environmental variables are used.
.Sh SEE ALSO
-RSAREF documentation,
.Em RFC 2065
-on secure DNS.
+on secure DNS and the
+.Em TSIG
+Internet Draft.
.Sh AUTHOR
Olafur Gudmundsson (ogud@tis.com).
.Sh ACKNOWLEDGMENTS
-The underlying cryptographic math is done by the RSAREF or BSAFE libraries.
+The underlying cryptographic math is done by the DNSSAFE and/or Foundation
+Toolkit libraries.
.Sh BUGS
-.Ic Dnskeygen
-renames old keys in such a way that only one
-.Dq previous
-key for a given name is kept; older keys are overwritten. (For example,
-the third time a key is generated for a given name, the second key is kept
-as the
-.Dq previous
-key, while the first key is lost. If a key is generated
-.Em again
-for this name--i.e., if the fourth key is generated--then the third key
-will become the
-.Dq previous
-key and the second key will be lost.)
-.Ic Dnskeygen
-will not overwrite existing keys.
-Only one key for each name can be stored in the current directory. If you
-want to keep your old keys, rename the files before running
-.Ic dnskeygen .
-Otherwise you must delete them before running
-.Ic dnskeygen .
-.Pp
-Portability of Private key file must be better tested between
-different implementations of RSA.
+None are known at this time
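Review bot: the KEY record layout on the `.D1 Ar <name> IN KEY <flags> <algorithm> <protocol> <exponent|modulus>` line has the protocol and algorithm fields swapped; RFC 2065 (cited under SEE ALSO) and its successor RFC 2535 define the KEY RDATA as flags, protocol, algorithm, public key, and the `<exponent|modulus>` tail describes only the RSA case now that `-D` and `-H` exist, so change the line to `<flags> <protocol> <algorithm> <public key>` and say that an HMAC-MD5 key is a shared secret for request/transaction signatures, not something to publish in a zone. Smaller points in the same hunk: the new `-F` text ("Use a large exponent for key generation") drops the exponent values and the signing-cost trade-off that the removed text gave (65537 versus 3), so at least name the exponent that `-F` selects; the DETAILS section removes the paragraph on password-protected private key files without saying whether the `.private` file (which for `-H` holds the shared secret) is encrypted or what permissions it is created with; the removed BUGS text was the only place that said what happens when a key file for the same name already exists, so state the current behaviour for an existing `K<name>+<alg>+<footprint>.private`; and mdoc nits: `.Pa K<name>+<alg>+<footprint>.key` needs a trailing ` .` before "The file", the `;` that opens the text line "; the default is" belongs on the macro line as `.Ar num ;`, `.Ar num;`, `.Ar name.` and `.Sy 0.` should carry the punctuation as a separate argument, and "None are known at this time" lacks a period.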