dnskeygen - generate and display public and private RSA keys for
dnskeygen [-g[size] [-f]] [-z | -e | -u] [-i] [-m] [-p#] [-s#] [-x] name
Dnskeygen (DNS Key Generator) is a tool to generate and maintain RSA keys
for DNS (Domain Name System).
- -g[size]
- Dnskeygen will generate a new key when the ``-g'' flag is
specified. If the ``-g'' flag is not specified, then it will
attempt to display an existing key that is stored in the current
directory. If no size is specified after the ``-g''
flag, a key of 512 bits will be generated; otherwise, size is
the size of the modulus in the newly-generated key.
- -f
- This flag can only be specified together with the ``-g'' flag; it
changes the public exponent of the generated key. If ``-f'' is
specified, the exponent is 65537, which is suitable for encryption
keys. If ``-f'' is not specified, the exponent is 3, which is suitable
for signatures and verification of public data such as DNS
records. Signing and verifying with an exponent of 65537 takes
significantly more CPU time than with an exponent of 3.
- -z -e -u
- These flags define the type of key being generated: Zone (DNS
validation) key, End Entity (host or service) key or User
(e.g. email) key, respectively. Each key is only allowed to
be one of these. When keys are displayed, the type of key
can be changed.
- -i
- Indicates that the key can be used for IPSEC (Internet Protocol
Security services).
- -m
- Indicates that the key can be used for secure email.
- -p#
- Indicates that the key can be used for protocol number #. A
value of 0 denies the use of the key for any protocol (other
than those specified by other option flags like -m). A value
of 255 allows it to be used with all protocols. These protocol
numbers will be assigned in the latest Assigned Numbers
RFC from the Internet Assigned Numbers Authority (IANA).
- -s#
- Strength value; this value is only used when the key is used for
signing. The interpretation of this field is to be specified later.
The default value is 7.
- -x
- Experimental key. This indicates that software should not
assume that it should use secure protocols when talking to
this zone, host, or user. Instead, the key is being published
experimentally, to debug the software to be used to
run the secure protocols, for example. Data signed by Experimental
keys will not be treated as trusted by DNS servers.
- name
- The DNS name the key is for. This can be any valid DNS name.
Dnskeygen uses two files for each key: <name>.priv and <name>.public.
The file <name>.public contains the public key in the pubkey format:
<flags> <algorithm> <protocol> <exponent|modulus>
Running dnskeygen name (without ``-g'') displays the public key in both
DNS RR format and pubkey format. Dnskeygen can display the key with
different flags on subsequent runs; the contents of the public key file
are not changed.
<name>.priv stores the private key, either in a password-protected file
or in an open (unencrypted) file. The advantage of a password-protected
file is that it is harder to use the key if the file is stolen. The
disadvantage is that the password has to be supplied each time the key
is read. If the key is to be stored in a safe off-line place and only
used for signing zones, then local policy may allow storing the key in
an unencrypted format.
No environment variables are used.
RSAREF documentation, RFC 2065 on secure DNS.
Olafur Gudmundsson (ogud@tis.com).
The underlying cryptographic math is done by the RSAREF or BSAFE libraries.
Dnskeygen renames old keys in such a way that only one ``previous'' key
for a given name is kept; older keys are overwritten. (For example, the
third time a key is generated for a given name, the second key is kept as
the ``previous'' key, while the first key is lost. If a key is generated
again for this name--i.e., if the fourth key is generated--then the third
key will become the ``previous'' key and the second key will be lost.)
Dnskeygen will not overwrite existing keys. Only one key for each name
can be stored in the current directory. If you want to keep your old
keys, rename the files before running dnskeygen. Otherwise you must
delete them before running dnskeygen.
Portability of the private key file between different implementations of
RSA needs more testing.