dnssec-keygen(1)

NAME
dnssec-keygen - key generation tool for DNSSEC

SYNOPSIS
dnssec-keygen [-a algorithm] [-b keysize] [-c class] [-e] [-f flag]
[-g generator] [-h] [-k] [-n nametype] [-p protocol-value]
[-r randomdev] [-s strength-value] [-t type] [-v level] name

DESCRIPTION
dnssec-keygen generates keys for Secure DNS (DNSSEC) as defined in RFC
2535. It also generates keys for use in Transaction Signatures (TSIG),
which are defined in RFC 2845.

OPTIONS
dnssec-keygen recognizes the following options:
-a algorithm
Specify the encryption algorithm. The algorithm can be RSAMD5 (RSA),
RSASHA1, DH (Diffie-Hellman), DSA, or HMAC-MD5. algorithm is
case-insensitive. DNSSEC specifies RSASHA1 as a mandatory algorithm
and DSA as a recommended one. Implementations of TSIG must support
HMAC-MD5. Note that RSAMD5 and DSA have since been deprecated for
DNSSEC (RFC 8624 lists both as MUST NOT implement); of the
algorithms this release offers, RSASHA1 is the one to use for zone
keys.
-b keysize
Determine the number of bits in the key. The choice of key size
depends on the algorithm that is used:
For the RSAMD5 or RSASHA1 algorithm, keysize must be between 512
and 2048 bits.
For the DH (Diffie-Hellman) algorithm, keysize must be between
128 and 4096 bits.
For the DSA (Digital Signature) algorithm, keysize must be
between 512 and 1024 bits and a multiple of 64.
For the HMAC-MD5 algorithm, keysize must be between 1 and 512 bits.
The lower bounds are what the tool accepts, not what is safe: a
512-bit RSA modulus has been publicly factored, so use the upper end
of each range for keys that protect a zone.
-c class
Set the class for the DNS record containing the key. The default
class is IN (Internet). Other values for class are CH (Chaosnet)
and HS (Hesiod).
-e Generate RSAMD5 and RSASHA1 keys with a large public exponent
(65537 instead of the default 3). Prefer this option; a public
exponent of 3 is valid but has a history of enabling signature
forgery against verifiers that check PKCS#1 padding carelessly.
-f flag
Set the specified flag in the flag field of the KEY or DNSKEY
record. The only recognized flag is KSK (Key Signing Key) for
DNSKEY; it sets the Secure Entry Point bit (RFC 3757), so the
resulting DNSKEY has flags 257 rather than 256.
-g generator
Select the generator to be used when creating Diffie-Hellman keys.
The only supported values for generator are 2 and 5. If no Diffie-
Hellman generator is supplied, a known prime from RFC 2539 is used,
if possible; otherwise, 2 is used as the generator.
-h Print a summary of the dnssec-keygen options and operands.
-k Generate KEY records rather than DNSKEY records.
-n nametype
Specify how the generated key will be used. nametype can be ZONE,
HOST, ENTITY, or USER, to indicate that the key will be used for
signing a zone, host, entity, or user, respectively. In this
context, HOST and ENTITY are equivalent. nametype is
case-insensitive.
-p protocol-value
Set the protocol value for the generated key to protocol-value.
The default is 3 (DNSSEC). Other possible values for this argument
are listed in RFC 2535 and its successors.
-r randomdev
Override the source of randomness used to generate keys. When the
system has no device that generates random numbers, dnssec-keygen
prompts for keyboard input and uses the time intervals between
keystrokes to provide randomness. With this option, it reads
random data from randomdev instead. The secrecy of the generated
key depends entirely on this input, so never point randomdev at a
predictable file.
-s strength-value
Set the key's strength value. The generated key will sign DNS
resource records with a strength value of strength-value. It
should be a number in the range 0 through 15. The default strength
is 0. The key strength field currently has no defined purpose in
DNSSEC.
-t type
Indicate if the key is used for authentication or confidentiality.
type can be one of:
AUTHCONF    The key can be used for authentication and
            confidentiality.
NOAUTHCONF  The key cannot be used for authentication or
            confidentiality.
NOAUTH      The key can be used for confidentiality but not for
            authentication.
NOCONF      The key cannot be used for confidentiality, although
            it can be used for authentication.
The default is AUTHCONF.
-v level
Set the verbosity level. As the debugging/tracing level increases,
dnssec-keygen generates increasingly detailed reports about what it
is doing. The default level is 0.

name The domain name for which the key is to be generated.
GENERATED KEYS
When dnssec-keygen completes, it prints an identification string on
standard output for the key it has generated, in the form

    Knnnn.+aaa+iiiii

The fields are:
nnnn   The dot-terminated domain name given by name.
aaa    The DNSSEC algorithm number, zero-padded to three digits
       (for example, 003 for DSA).
iiiii  A five-digit number identifying the key.

dnssec-keygen creates two files. The file names are adapted from the
key identification string above, in the form:

    Knnnn.+aaa+iiiii.key
    Knnnn.+aaa+iiiii.private

These contain the public and private parts of the key respectively.
The files generated by dnssec-keygen follow this naming convention to
make it easy for the signing tool to identify which files have to be
read to find the necessary keys for generating or validating
signatures.

The .key file contains a resource record that can be inserted into a
zone file with a $INCLUDE statement. The private part of the key is in
the .private file. It contains details of the encryption algorithm
that was used and any relevant parameters. For obvious security
reasons, the .private file does not have general read permission.
Both a .key and a .private file are generated for a symmetric
algorithm such as HMAC-MD5, even though the public and private keys
are then equivalent; for such keys the .key file is as sensitive as
the .private file and must not be published in a zone.
EXAMPLE
To generate a 768-bit DSA key for the domain example.com, issue the
command:

    dnssec-keygen -a DSA -b 768 -n ZONE example.com

dnssec-keygen prints the key identification string

    Kexample.com.+003+26160

indicating a DSA key with identifier 26160. It creates the files

    Kexample.com.+003+26160.key
    Kexample.com.+003+26160.private

which contain the public and private keys, respectively, for the
generated DSA key.
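The identification string, the two derived file names and the
requirement that the .private file have no general read permission,
exercised end to end. This is an added shell example written for this
page, not code from BIND or from the original man page. The zone name
example.com, the key tags and the placeholder files it writes under a
temporary directory are constructed for the demonstration, so it runs
without dnssec-keygen installed; the algorithm-number table maps the
numbers BIND writes into the file name (157 is BIND's private-use
number for HMAC-MD5 TSIG keys).

```shell
#!/bin/sh
# Editor's added example: consume the Knnnn.+aaa+iiiii string printed by
# dnssec-keygen, derive the .key/.private names, and refuse to emit a
# $INCLUDE line unless the private half is unreadable by group/other.
# All file names and contents below are constructed for the demo.

# parse_keyid KEYID -> prints "name alg id"; fails on a malformed string.
parse_keyid() {
    case $1 in
        K*.+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "parse_keyid: malformed key identifier: $1" >&2; return 1 ;;
    esac
    rest=${1#K}
    name=${rest%%+*}                 # nnnn: dot-terminated owner name
    alg=${rest#*+}; alg=${alg%%+*}   # aaa: three-digit algorithm number
    id=${rest##*+}                   # iiiii: five-digit key identifier
    printf '%s %s %s\n' "$name" "$alg" "$id"
}

# alg_name AAA -> mnemonic for the algorithm numbers dnssec-keygen emits.
alg_name() {
    case $1 in
        001) echo RSAMD5 ;;
        002) echo DH ;;
        003) echo DSA ;;
        005) echo RSASHA1 ;;
        157) echo HMAC-MD5 ;;        # BIND private-use number for TSIG keys
        *)   echo "UNKNOWN-$1" ;;
    esac
}

# private_file_is_secret FILE -> succeeds only if FILE exists and has no
# group/other permission bits, the mode dnssec-keygen gives .private files.
private_file_is_secret() {
    [ -f "$1" ] || { echo "$1: missing" >&2; return 1; }
    go=$(ls -ld "$1" | cut -c5-10)   # columns 5-10 of ls -l are group/other
    [ "$go" = "------" ] || { echo "$1: readable by group/other ($go)" >&2; return 1; }
}

# audit_key DIR KEYID -> prints a comment and the $INCLUDE line for the
# zone file after checking both files exist and the private half is safe.
audit_key() {
    dir=$1; keyid=$2
    fields=$(parse_keyid "$keyid") || return 1
    set -- $fields
    name=$1; alg=$2; id=$3
    [ -f "$dir/$keyid.key" ] || { echo "$dir/$keyid.key: missing" >&2; return 1; }
    private_file_is_secret "$dir/$keyid.private" || return 1
    echo "; $name key id $id, algorithm $alg ($(alg_name "$alg"))"
    echo "\$INCLUDE $keyid.key"
}

# Stand-alone demo on constructed files: a correctly protected key passes,
# the same key with a world-readable .private file is rejected.
demo() {
    tmp=$(mktemp -d) || return 1
    keyid=Kexample.com.+003+26160            # constructed, matches the example
    echo "; constructed placeholder for the DNSKEY record" > "$tmp/$keyid.key"
    : > "$tmp/$keyid.private"
    chmod 600 "$tmp/$keyid.private"
    audit_key "$tmp" "$keyid"; rc=$?
    chmod 644 "$tmp/$keyid.private"          # simulate a leaked private key
    audit_key "$tmp" "$keyid" && rc=1        # must now fail
    rm -rf "$tmp"
    return $rc
}
demo
```

Run it in the directory that holds the K* files and pass `audit_key . "$(dnssec-keygen ...)"` the string the tool prints; the permission check is the part worth keeping in a zone-signing script, since a .private file that has been copied with default umask silently loses the protection described above.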
AUTHOR
dnssec-keygen was developed by the Internet Systems Consortium (ISC).

SEE ALSO
Requests for Comments (RFC): 2535, 2539, and 2845, available online
from the IETF.
The BIND 9 documentation, available from the Internet Systems
Consortium.
BIND 9.3 dnssec-keygen(1)