From BarkerJr, 10 Months ago, written in Plain Text.
[root@alpha dns]# dnssec-keygen
Usage:
    dnssec-keygen [options] name

Version: 9.9.4-RedHat-9.9.4-72.el7
    name: owner of the key
Options:
    -K <directory>: write keys into directory
    -a <algorithm>:
        RSA | RSAMD5 | DSA | RSASHA1 | NSEC3RSASHA1 | NSEC3DSA |
        RSASHA256 | RSASHA512 | ECCGOST |
        ECDSAP256SHA256 | ECDSAP384SHA384 |
        DH | HMAC-MD5 | HMAC-SHA1 | HMAC-SHA224 | HMAC-SHA256 |
        HMAC-SHA384 | HMAC-SHA512
       (default: RSASHA1, or NSEC3RSASHA1 if using -3)
    -3: use NSEC3-capable algorithm
    -b <key size in bits>:
        RSAMD5: [512..4096]
        RSASHA1:        [512..4096]
        NSEC3RSASHA1:   [512..4096]
        RSASHA256:      [512..4096]
        RSASHA512:      [1024..4096]
        DH:             [128..4096]
        DSA:            [512..1024] and divisible by 64
        NSEC3DSA:       [512..1024] and divisible by 64
        ECCGOST:        ignored
        ECDSAP256SHA256:        ignored
        ECDSAP384SHA384:        ignored
        HMAC-MD5:       [1..512]
        HMAC-SHA1:      [1..160]
        HMAC-SHA224:    [1..224]
        HMAC-SHA256:    [1..256]
        HMAC-SHA384:    [1..384]
        HMAC-SHA512:    [1..512]
        (if using the default algorithm, key size
        defaults to 2048 for KSK, or 1024 for all others)
    -n <nametype>: ZONE | HOST | ENTITY | USER | OTHER
        (DNSKEY generation defaults to ZONE)
    -c <class>: (default: IN)
    -d <digest bits> (0 => max, default)
    -E <engine>:
        name of an OpenSSL engine to use
    -f <keyflag>: KSK | REVOKE
    -g <generator>: use specified generator (DH only)
    -L <ttl>: default key TTL
    -p <protocol>: (default: 3 [dnssec])
    -r <randomdev>: a file containing random data
    -s <strength>: strength value this key signs DNS records with (default: 0)
    -T <rrtype>: DNSKEY | KEY (default: DNSKEY; use KEY for SIG(0))
    -t <type>: AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF (default: AUTHCONF)
    -h: print usage and exit
    -m <memory debugging mode>:
       usage | trace | record | size | mctx
    -v <level>: set verbosity level (0 - 10)
Timing options:
    -P date/[+-]offset/none: set key publication date (default: now)
    -A date/[+-]offset/none: set key activation date (default: now)
    -R date/[+-]offset/none: set key revocation date
    -I date/[+-]offset/none: set key inactivation date
    -D date/[+-]offset/none: set key deletion date
    -G: generate key only; do not set -P or -A
    -C: generate a backward-compatible key, omitting all dates
    -S <key>: generate a successor to an existing key
    -i <interval>: prepublication interval for successor key (default: 30 days)
Output:
     K<name>+<alg>+<id>.key, K<name>+<alg>+<id>.private