dnssec-keygen man page on HP-UX

dnssec-keygen(1)					      dnssec-keygen(1)

       dnssec-keygen - key generation tool for DNSSEC

       algorithm]  keysize]  class] flag] generator] nametype] protocol-value]
	      randomdev] strength-value] type] level] name

       dnssec-keygen generates keys for Secure DNS (DNSSEC) as defined in
       RFC 2535.  It also generates keys for use in Transaction Signatures
       (TSIG), which are defined in RFC 2845.

       dnssec-keygen recognizes the following options:

       Specify the encryption algorithm.
		 The algorithm can be (RSA), or algorithm is case-insensitive.

		 DNSSEC specifies as a mandatory algorithm and as a
		 recommended one.  Implementations of TSIG must support

       Determine the number of bits in the key.
		 The choice of key size depends on the algorithm that is used.

		 For  the  or  algorithm, keysize must be between 512 and 2048

		 For the (Diffie-Hellman) algorithm, keysize must  be  between
		 128 and 4096 bits.

		 For  the  (Digital  Signature)	 algorithm,  keysize  must  be
		 between 512 and 1024 bits and a multiple of 64.

		 For the algorithm, keysize must be between 1 and 512 bits.

       Set the class for the DNS record containing the key.
		 The default class is (Internet).  Other values for class  are
		 (Chaosnet) and (Hesiod).

       Generate	 and keys with a large exponent value.

       Set the specified
		 flag in the flag field of the KEY or DNSKEY record.  The only
		 recognized flag is (Key Signing Key) for DNSKEY.

       Select the generator to be used when creating Diffie-Hellman keys.
		 The only supported values for generator are and If no
		 Diffie-Hellman generator is supplied, a known prime from
		 RFC 2539 is used, if possible; otherwise, is used as the
		 generator.

       Print a summary of the
		 options and operands.

       Generate KEY records rather than DNSKEY records.

       Specify how the generated key will be used.

		 nametype can be either or to indicate that the	 key  will  be
		 used for signing a zone, host, entity, or user, respectively.
		 In this context, and are equivalent.  nametype is case-insen‐

       Set the protocol value for the generated key to
		 protocol-value.   The	default	 is  (DNSSEC).	Other possible
		 values for this argument are listed in RFC 2535 and its  suc‐

       Override the behavior of dnssec-keygen
		 to  use random numbers to seed the process of generating keys
		 when the system does not have a  device  to  generate	random
		 numbers.  The program prompts for keyboard input and uses the
		 time intervals	 between  keystrokes  to  provide  randomness.
		 With  this  option,  it  uses randomdev as a source of random

       Set the key's strength value.
		 The generated key will	 sign  DNS  resource  records  with  a
		 strength  value  of strength-value.  It should be a number in
		 the range The default strength is The key strength field
		 currently has no defined purpose in DNSSEC.

       Indicate if the key is used for authentication or confidentiality.
		 type can be one of

		 The key can be used for authentication and confidentiality.

		 The key cannot be used for authentication or confidentiality.

		 The key can be used for confidentiality but not for authenti‐

		 The key cannot be used for confidentiality, although  it  can
		 be used for authentication.

		 The default is

       Set the verbosity level.
		 As the debugging/tracing level increases, dnssec-keygen
		 generates increasingly detailed reports about what it is
		 doing.  The default level is 0.

	      name	The domain name for which the key is to be generated.

   Generated Keys
       When dnssec-keygen completes, it prints an identification string on
       standard output for the key it has generated, in the form

       The fields are:

	      nnnn	The dot-terminated domain name given by name.

	      aaa	The DNSSEC algorithm identifier.

	      iiiii	A five-digit number identifying the key.

       dnssec-keygen creates two files.  The file names are adapted from the
       key identification string above, in the form:

       These contain the public and private parts of the key respectively.
       The files generated by dnssec-keygen follow this naming convention to
       make it easy for the signing tool to identify which files have to be
       read to find the necessary keys for generating or validating
       signatures.

       The file contains a resource record that can be inserted into a zone
       file with a statement.  The private part of the key is in the file.  It
       contains details of the encryption algorithm that was used and any
       relevant parameters.  For obvious security reasons, the file does not
       have general read permission.  Both and key files are generated by a
       symmetric encryption algorithm, such as even though the public and
       private key are equivalent.
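
       The naming convention and the permission rule described above can be
       checked on a key directory with a short script.  This is an added
       example, not part of the HP-UX manual page or of BIND; it assumes the
       usual BIND file names Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private,
       with aaa written as three digits.

```shell
#!/bin/sh
# Added example (not from the manual page): audit dnssec-keygen output files.
# Assumption: files are named Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private.

# audit_keydir DIR
# Prints one line per finding; returns 0 if the directory is clean, 1 otherwise.
audit_keydir() {
    dir=$1
    findings=0
    for priv in "$dir"/K*.private; do
        [ -e "$priv" ] || continue             # glob matched nothing
        stem=$(basename "$priv" .private)
        id=${stem##*+}                         # iiiii: five-digit key identifier
        rest=${stem%+*}
        alg=${rest##*+}                        # aaa: DNSSEC algorithm identifier
        name=${rest%+*}
        name=${name#K}                         # nnnn: dot-terminated domain name
        case "$alg+$id" in
            [0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9]) ;;
            *)  echo "MALFORMED $priv"
                findings=$((findings + 1))
                continue ;;
        esac
        # Characters 5-10 of the ls mode string are the group and other bits;
        # a private key file must grant none of them.
        perms=$(ls -ld "$priv" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "LOOSE-PERMS $priv ($perms) name=$name alg=$alg id=$id"
            findings=$((findings + 1))
        fi
        # The public half should sit beside the private half.
        if [ ! -f "$dir/$stem.key" ]; then
            echo "NO-PUBLIC-HALF $priv"
            findings=$((findings + 1))
        fi
    done
    [ "$findings" -eq 0 ]
}
```

       Call audit_keydir with the directory that holds the generated key
       files; a non-zero return means at least one finding was printed.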

       To generate a 768-bit DSA key for the domain issue the command:

       dnssec-keygen prints the key identification string

       indicating a DSA key with identifier 26160.  It creates the files

       which contain the public and private keys, respectively, for the
       generated DSA key.

       dnssec-keygen was developed by the Internet Systems Consortium (ISC).


       Requests for Comments (RFC): 2535, 2539, and 2845, available online at

       available online at

       available from the Internet Systems Consortium at

				   BIND 9.3		      dnssec-keygen(1)
