dnssec-keygen(1)

Specifies the domain name for which the key is to be generated.

This option is used to specify the encryption algorithm. The algorithm can be RSAMD5, DH, DSA or HMAC-MD5. RSA can also be used, which is equivalent to RSAMD5.

The algorithm argument identifying the encryption algorithm is case-insensitive. DNSSEC specifies DSA as a mandatory algorithm and RSA as a recommended one. Implementations of TSIG must support HMAC-MD5.

This option is used to determine the number of bits in the key. The choice of key size depends on the algorithm that is used.

If RSA algorithm is used, keysize must be between 512 and 2048 bits.

If the DH (Diffie-Hellman) algorithm is used, keysize must be between 128 and 4096 bits.

If the DSA (Digital Signature Algorithm) is used, keysize must be between 512 and 1024 bits and a multiple of 64.

If the HMAC-MD5 algorithm is used, keysize should be between 1 and 512 bits.

This option is used for generating RSA keys with a large exponent value.

This option is used when creating Diffie-Hellman keys. The -g option selects the Diffie-Hellman generator that is to be used. The only supported values for generator are 2 and 5. If no Diffie-Hellman generator is supplied, a known prime from RFC2539 will be used if possible; otherwise, 2 will be used as the generator.

A summary of the options and arguments to dnssec-keygen is printed by this option.

This option specifies how the generated key will be used.

nametype can be either ZONE, HOST, ENTITY, or USER to indicate that the key will be used for signing a zone, host, entity or user; respectively. In this context HOST and ENTITY are identical. nametype is case-insensitive.

This option sets the protocol value for the generated key to protocol-value. The default is 2 (email) for keys of the type USER and 3 (DNSSEC) for all other key types. Other possible values for this argument are listed in RFC2535 and its successors.

This option overrides the behaviour of dnssec-keygen to use random numbers to seed the process of generating keys when the system does not have a /dev/random device to generate random numbers. The dnssec-keygen program will prompt for keyboard input and use the time intervals between keystrokes to provide randomness. With this option it will use randomdev as a source of random data.

This option is used to set the key's strength value. The generated key will sign DNS resource records with a strength value of strength-value. It should be a number in the range 0-15. The default strength is zero. The key strength field currently has no defined purpose in DNSSEC.

This option indicates if the key is used for authentication or confidentiality. type can be either AUTHCONF, NOAUTHCONF, NOAUTH or NOCONF. The default is AUTHCONF. If type is AUTHCONF, the key can be used for authentication and confidentiality. Setting type to NOAUTHCONF indicates that the key cannot be used for authentication or confidentiality. A value of NOAUTH means the key can be used for confidentiality but not for authentication. Similarly, NOCONF defines that the key cannot be used for confidentiality though it can be used for authentication.

This option can be used to make dnssec-keygen more verbose. As the debugging/tracing level increases, dnssec-keygen generates increasingly detailed reports about what it is doing. The default level is zero.