Usage:
    dnssec-keygen -a alg -b bits -n type [options] name

Required options:
    -a algorithm: RSA | RSAMD5 | DH | DSA | RSASHA1 | HMAC-MD5
    -b key size, in bits:
        RSAMD5:   [512..4096]
        RSASHA1:  [512..4096]
        DH:       [128..4096]
        DSA:      [512..1024] and divisible by 64
        HMAC-MD5: [1..512]
    -n nametype: ZONE | HOST | ENTITY | USER
    name: owner of the key

Other options:
    -c <class> (default: IN)
    -e use large exponent (RSAMD5/RSASHA1 only)
    -g <generator> use specified generator (DH only)
    -t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
    -p <protocol>: default: 3 [dnssec]
    -s <strength> strength value this key signs DNS records with (default: 0)
    -r <randomdev>: a file containing random data
    -v <verbose level>

Output:
    K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private

DSA and RSA should have the same signing speed, but DSA is slower for verification. (In practice there is a difference in signing speed as well; it depends on the implementation.)

DSA may leak key material when the random number generator used at signing time is not truly random (RFC 2536, section 5).
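As an added example (not part of the original page, and not BIND's code), a toy DSA in Python shows what "leak key material" means in practice: if the signing RNG repeats a nonce, two signatures give away the private key. The group parameters, the private key and the placeholder hash are constructed for illustration; real DNSSEC keys use 512..1024-bit p.

```python
import secrets

# Constructed toy DSA group: q = 101 and p = 6*q + 1 = 607 are both prime,
# so g = 2^((p-1)/q) mod p generates the order-q subgroup.
P, Q = 607, 101
G = pow(2, (P - 1) // Q, P)

def toy_hash(msg):
    """Placeholder for SHA-1: maps the message into Z_q (constructed, not a real hash)."""
    return int.from_bytes(msg, "big") % Q

def sign(x, msg, k):
    """Plain DSA signing; k is the per-signature secret nonce in [1, q-1]."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (toy_hash(msg) + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick a new k")
    return r, s

def verify(y, msg, sig):
    """Standard DSA verification against the public key y = g^x mod p."""
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = toy_hash(msg) * w % Q, r * w % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

def recover_private_key(m1, sig1, m2, sig2):
    """Why RFC 2536 sect 5 warns about the RNG: two signatures made with the
    same nonce k (visible as the same r) let anyone solve for k, then for x."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        raise ValueError("nonces differ (or hashes collide); nothing leaks")
    k = (toy_hash(m1) - toy_hash(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - toy_hash(m1)) * pow(r1, -1, Q) % Q

def fresh_nonce():
    """What a sound signer does: an unpredictable k from a CSPRNG for every
    signature (deterministic derivation per RFC 6979 is the other accepted fix)."""
    return secrets.randbelow(Q - 1) + 1

if __name__ == "__main__":
    x = 42                      # constructed private key
    y = pow(G, x, P)
    stuck_k = 7                 # a broken "random" generator that always returns 7
    s1 = sign(x, b"a", stuck_k)
    s2 = sign(x, b"b", stuck_k)
    assert verify(y, b"a", s1) and verify(y, b"b", s2)
    print("recovered x =", recover_private_key(b"a", s1, b"b", s2))   # 42
```

With `fresh_nonce()` in place of `stuck_k` the two signatures carry different r values and `recover_private_key` refuses, which is the behaviour a correctly seeded `-r <randomdev>` is meant to guarantee.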
It is best to use RSA/SHA-1 (RFC 3110) as soon as it is implemented.

(For the DSA/RSA controversy also see Schneier's Applied Cryptography, 2nd ed., pp. 484-486.)