.RS 4
Selects the cryptographic algorithm\&. The value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. These values are case insensitive\&.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&.
.sp
If no algorithm is specified, then RSASHA1 will be used by default, unless the
\fB\-3\fR
\fB\-3\fR
is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
.sp
-Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended\&.
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
+\fB\-3\fR
+option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
.sp
-Note 2: DH automatically sets the \-k flag\&.
+As of BIND 9\&.12\&.0, this option is mandatory except when using the
+\fB\-S\fR
+option (which copies the algorithm from the predecessory key)\&. Previously, the default for newly generated keys was RSASHA1\&.
.RE
.PP
\-3
.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&.
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-E \fIengine\fR
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
- These values are case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
- algorithm, and DSA is recommended.
+ These values are case insensitive. In some cases, abbreviations
+ are supported, such as ECDSA256 for ECDSAP256SHA256 and
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ along with the <code class="option">-3</code> option, then NSEC3RSASHA1
+ or NSEC3DSA will be used instead.
</p>
<p>
- Note 2: DH automatically sets the -k flag.
+ As of BIND 9.12.0, this option is mandatory except when using
+ the <code class="option">-S</code> option (which copies the algorithm from
+ the predecessory key). Previously, the default for newly
+ generated keys was RSASHA1.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
- If this option is used and no algorithm is explicitly
- set on the command line, NSEC3RSASHA1 will be used by
- default.
+ If this option is used with an algorithm that has both
+ NSEC and NSEC3 versions, then the NSEC3 version will be
+ used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+ specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
- <p>
- Sets the prepublication interval for a key. If set, then
- the publication and activation dates must be separated by at least
- this much time. If the activation date is specified but the
- publication date isn't, then the publication date will default
- to this much time before the activation date; conversely, if
- the publication date is specified but activation date isn't,
- then activation will be set to this much time after publication.
- </p>
- <p>
- If the key is being created as an explicit successor to another
- key, then the default prepublication interval is 30 days;
- otherwise it is zero.
- </p>
- <p>
- As with date offsets, if the argument is followed by one of
- the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
- interval is measured in years, months, weeks, days, hours,
- or minutes, respectively. Without a suffix, the interval is
- measured in seconds.
- </p>
- </dd>
+ <p>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </p>
+ <p>
+ If the key is being created as an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </p>
+ <p>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </p>
+ </dd>
</dl></div>
</div>
The
\fBname\fR
of the key is specified on the command line\&. For DNSSEC keys, this must match the name of the zone for which the key is being generated\&.
+.PP
+The
+\fBdnssec\-keymgr\fR
+command acts as a wrapper around
+\fBdnssec\-keygen\fR, generating and updating keys as needed to enforce defined security policies such as key rollover scheduling\&. Using
+\fBdnssec\-keymgr\fR
+may be preferable to direct use of
+\fBdnssec\-keygen\fR\&.
.SH "OPTIONS"
.PP
\-a \fIalgorithm\fR
.RS 4
Selects the cryptographic algorithm\&. For DNSSEC keys, the value of
\fBalgorithm\fR
-must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY, the value must be DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512\&. These values are case insensitive\&.
+must be one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448\&. For TSIG/TKEY keys, the value must be one of DH (Diffie Hellman), HMAC\-MD5, HMAC\-SHA1, HMAC\-SHA224, HMAC\-SHA256, HMAC\-SHA384, or HMAC\-SHA512; specifying any of these algorithms will automatically set the
+\fB\-T KEY\fR
+option as well\&. (Note:
+\fBtsig\-keygen\fR
+produces TSIG keys in a more useful format than
+\fBdnssec\-keygen\fR\&.)
.sp
-If no algorithm is specified, then RSASHA1 will be used by default, unless the
+These values are case insensitive\&. In some cases, abbreviations are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for ECDSAP384SHA384\&. If RSASHA1 or DSA is specified along with the
\fB\-3\fR
-option is specified, in which case NSEC3RSASHA1 will be used instead\&. (If
-\fB\-3\fR
-is used and an algorithm is specified, that algorithm will be checked for compatibility with NSEC3\&.)
-.sp
-Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement algorithm, and DSA is recommended\&. For TSIG, HMAC\-MD5 is mandatory\&.
+option, then NSEC3RSASHA1 or NSEC3DSA will be used instead\&.
.sp
-Note 2: DH, HMAC\-MD5, and HMAC\-SHA1 through HMAC\-SHA512 automatically set the \-T KEY option\&.
+As of BIND 9\&.12\&.0, this option is mandatory except when using the
+\fB\-S\fR
+option (which copies the algorithm from the predecessor key)\&. Previously, the default for newly generated keys was RSASHA1\&.
.RE
.PP
\-b \fIkeysize\fR
.RS 4
Specifies the number of bits in the key\&. The choice of key size depends on the algorithm used\&. RSA keys must be between 1024 and 2048 bits\&. Diffie Hellman keys must be between 128 and 4096 bits\&. DSA keys must be between 512 and 1024 bits and an exact multiple of 64\&. HMAC keys must be between 1 and 512 bits\&. Elliptic curve algorithms don\*(Aqt need this parameter\&.
.sp
-The key size does not need to be specified if using a default algorithm\&. The default key size is 1024 bits for zone signing keys (ZSKs) and 2048 bits for key signing keys (KSKs, generated with
-\fB\-f KSK\fR)\&. However, if an algorithm is explicitly specified with the
-\fB\-a\fR, then there is no default key size, and the
-\fB\-b\fR
-must be used\&.
+If the key size is not specified, some algorithms have pre\-defined defaults\&. For example, RSA keys for use as DNSSEC zone signing keys have a default size of 1024 bits; RSA keys for use as key signing keys (KSKs, generated with
+\fB\-f KSK\fR) default to 2048 bits\&.
.RE
.PP
\-n \fInametype\fR
.PP
\-3
.RS 4
-Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used and no algorithm is explicitly set on the command line, NSEC3RSASHA1 will be used by default\&. Note that RSASHA256, RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448 algorithms are NSEC3\-capable\&.
+Use an NSEC3\-capable algorithm to generate a DNSSEC key\&. If this option is used with an algorithm that has both NSEC and NSEC3 versions, then the NSEC3 version will be used; for example,
+\fBdnssec\-keygen \-3a RSASHA1\fR
+specifies the NSEC3RSASHA1 algorithm\&.
.RE
.PP
\-C
Specifies the resource record type to use for the key\&.
\fBrrtype\fR
must be either DNSKEY or KEY\&. The default is DNSKEY when using a DNSSEC algorithm, but it can be overridden to KEY for use with SIG(0)\&.
-Using any TSIG algorithm (HMAC\-* or DH) forces this option to KEY\&.
+Specifying any TSIG algorithm (HMAC\-* or DH) with
+\fB\-a\fR
+forces this option to KEY\&.
.RE
.PP
\-t \fItype\fR
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</p>
+ <p>
+ The <span class="command"><strong>dnssec-keymgr</strong></span> command acts as a wrapper
+ around <span class="command"><strong>dnssec-keygen</strong></span>, generating and updating keys
+ as needed to enforce defined security policies such as key rollover
+ scheduling. Using <span class="command"><strong>dnssec-keymgr</strong></span> may be preferable
+ to direct use of <span class="command"><strong>dnssec-keygen</strong></span>.
+ </p>
</div>
<div class="refsection">
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
- For TSIG/TKEY, the value must
- be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
- HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
- case insensitive.
- </p>
- <p>
- If no algorithm is specified, then RSASHA1 will be used by
- default, unless the <code class="option">-3</code> option is specified,
- in which case NSEC3RSASHA1 will be used instead. (If
- <code class="option">-3</code> is used and an algorithm is specified,
- that algorithm will be checked for compatibility with NSEC3.)
+ ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
+ TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
+ HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
+ or HMAC-SHA512; specifying any of these algorithms will
+ automatically set the <code class="option">-T KEY</code> option as well.
+ (Note: <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys in a
+ more useful format than <span class="command"><strong>dnssec-keygen</strong></span>.)
</p>
<p>
- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
- algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
- mandatory.
+ These values are case insensitive. In some cases, abbreviations
+ are supported, such as ECDSA256 for ECDSAP256SHA256 and
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ along with the <code class="option">-3</code> option, then NSEC3RSASHA1
+ or NSEC3DSA will be used instead.
</p>
<p>
- Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
- automatically set the -T KEY option.
+ As of BIND 9.12.0, this option is mandatory except when using
+ the <code class="option">-S</code> option (which copies the algorithm from
+ the predecessor key). Previously, the default for newly
+ generated keys was RSASHA1.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
this parameter.
</p>
<p>
- The key size does not need to be specified if using a default
- algorithm. The default key size is 1024 bits for zone signing
- keys (ZSKs) and 2048 bits for key signing keys (KSKs,
- generated with <code class="option">-f KSK</code>). However, if an
- algorithm is explicitly specified with the <code class="option">-a</code>,
- then there is no default key size, and the <code class="option">-b</code>
- must be used.
+ If the key size is not specified, some algorithms have
+ pre-defined defaults. For example, RSA keys for use as
+ DNSSEC zone signing keys have a default size of 1024 bits;
+ RSA keys for use as key signing keys (KSKs, generated with
+ <code class="option">-f KSK</code>) default to 2048 bits.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
- a host (KEY)),
- USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are case insensitive. Defaults to ZONE for DNSKEY
- generation.
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+ with a host (KEY)), USER (for a key associated with a
+ user(KEY)) or OTHER (DNSKEY). These values are case
+ insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
- If this option is used and no algorithm is explicitly
- set on the command line, NSEC3RSASHA1 will be used by
- default. Note that RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
- algorithms are NSEC3-capable.
+ If this option is used with an algorithm that has both
+ NSEC and NSEC3 versions, then the NSEC3 version will be
+ used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+ specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<p>
</p>
<p>
- Using any TSIG algorithm (HMAC-* or DH) forces this option
- to KEY.
+ Specifying any TSIG algorithm (HMAC-* or DH) with
+ <code class="option">-a</code> forces this option to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
- <p>
- Sets the prepublication interval for a key. If set, then
- the publication and activation dates must be separated by at least
- this much time. If the activation date is specified but the
- publication date isn't, then the publication date will default
- to this much time before the activation date; conversely, if
- the publication date is specified but activation date isn't,
- then activation will be set to this much time after publication.
- </p>
- <p>
- If the key is being created as an explicit successor to another
- key, then the default prepublication interval is 30 days;
- otherwise it is zero.
- </p>
- <p>
- As with date offsets, if the argument is followed by one of
- the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
- interval is measured in years, months, weeks, days, hours,
- or minutes, respectively. Without a suffix, the interval is
- measured in seconds.
- </p>
- </dd>
+ <p>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </p>
+ <p>
+ If the key is being created as an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </p>
+ <p>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </p>
+ </dd>
</dl></div>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dnssec-keygen</strong></span> no longer has default
+ algorithm settings. It is necessary to explicitly specify the
+ algorithm on the command line with the <code class="option">-a</code> option
+ when generating keys. This may cause errors with existing signing
+ scripts if they rely on current defaults. The intent is to
+ reduce the long-term cost of transitioning to newer algorithms in
+ the event of RSASHA1 being deprecated. [RT #44755]
+ </p>
+ </li>
<li class="listitem">
<p>
Threads in <span class="command"><strong>named</strong></span> are now set to human-readable
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
- These values are case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
- algorithm, and DSA is recommended.
+ These values are case insensitive. In some cases, abbreviations
+ are supported, such as ECDSA256 for ECDSAP256SHA256 and
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ along with the <code class="option">-3</code> option, then NSEC3RSASHA1
+ or NSEC3DSA will be used instead.
</p>
<p>
- Note 2: DH automatically sets the -k flag.
+ As of BIND 9.12.0, this option is mandatory except when using
+ the <code class="option">-S</code> option (which copies the algorithm from
+ the predecessory key). Previously, the default for newly
+ generated keys was RSASHA1.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
- If this option is used and no algorithm is explicitly
- set on the command line, NSEC3RSASHA1 will be used by
- default.
+ If this option is used with an algorithm that has both
+ NSEC and NSEC3 versions, then the NSEC3 version will be
+ used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+ specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
- <p>
- Sets the prepublication interval for a key. If set, then
- the publication and activation dates must be separated by at least
- this much time. If the activation date is specified but the
- publication date isn't, then the publication date will default
- to this much time before the activation date; conversely, if
- the publication date is specified but activation date isn't,
- then activation will be set to this much time after publication.
- </p>
- <p>
- If the key is being created as an explicit successor to another
- key, then the default prepublication interval is 30 days;
- otherwise it is zero.
- </p>
- <p>
- As with date offsets, if the argument is followed by one of
- the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
- interval is measured in years, months, weeks, days, hours,
- or minutes, respectively. Without a suffix, the interval is
- measured in seconds.
- </p>
- </dd>
+ <p>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </p>
+ <p>
+ If the key is being created as an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </p>
+ <p>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </p>
+ </dd>
</dl></div>
</div>
line. For DNSSEC keys, this must match the name of the zone for
which the key is being generated.
</p>
+ <p>
+ The <span class="command"><strong>dnssec-keymgr</strong></span> command acts as a wrapper
+ around <span class="command"><strong>dnssec-keygen</strong></span>, generating and updating keys
+ as needed to enforce defined security policies such as key rollover
+ scheduling. Using <span class="command"><strong>dnssec-keymgr</strong></span> may be preferable
+ to direct use of <span class="command"><strong>dnssec-keygen</strong></span>.
+ </p>
</div>
<div class="refsection">
Selects the cryptographic algorithm. For DNSSEC keys, the value
of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
- For TSIG/TKEY, the value must
- be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
- HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
- case insensitive.
- </p>
- <p>
- If no algorithm is specified, then RSASHA1 will be used by
- default, unless the <code class="option">-3</code> option is specified,
- in which case NSEC3RSASHA1 will be used instead. (If
- <code class="option">-3</code> is used and an algorithm is specified,
- that algorithm will be checked for compatibility with NSEC3.)
+ ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448. For
+ TSIG/TKEY keys, the value must be one of DH (Diffie Hellman),
+ HMAC-MD5, HMAC-SHA1, HMAC-SHA224, HMAC-SHA256, HMAC-SHA384,
+ or HMAC-SHA512; specifying any of these algorithms will
+ automatically set the <code class="option">-T KEY</code> option as well.
+ (Note: <span class="command"><strong>tsig-keygen</strong></span> produces TSIG keys in a
+ more useful format than <span class="command"><strong>dnssec-keygen</strong></span>.)
</p>
<p>
- Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
- algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
- mandatory.
+ These values are case insensitive. In some cases, abbreviations
+ are supported, such as ECDSA256 for ECDSAP256SHA256 and
+ ECDSA384 for ECDSAP384SHA384. If RSASHA1 or DSA is specified
+ along with the <code class="option">-3</code> option, then NSEC3RSASHA1
+ or NSEC3DSA will be used instead.
</p>
<p>
- Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
- automatically set the -T KEY option.
+ As of BIND 9.12.0, this option is mandatory except when using
+ the <code class="option">-S</code> option (which copies the algorithm from
+ the predecessor key). Previously, the default for newly
+ generated keys was RSASHA1.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
this parameter.
</p>
<p>
- The key size does not need to be specified if using a default
- algorithm. The default key size is 1024 bits for zone signing
- keys (ZSKs) and 2048 bits for key signing keys (KSKs,
- generated with <code class="option">-f KSK</code>). However, if an
- algorithm is explicitly specified with the <code class="option">-a</code>,
- then there is no default key size, and the <code class="option">-b</code>
- must be used.
+ If the key size is not specified, some algorithms have
+ pre-defined defaults. For example, RSA keys for use as
+ DNSSEC zone signing keys have a default size of 1024 bits;
+ RSA keys for use as key signing keys (KSKs, generated with
+ <code class="option">-f KSK</code>) default to 2048 bits.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
- a host (KEY)),
- USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
- These values are case insensitive. Defaults to ZONE for DNSKEY
- generation.
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+ with a host (KEY)), USER (for a key associated with a
+ user(KEY)) or OTHER (DNSKEY). These values are case
+ insensitive. Defaults to ZONE for DNSKEY generation.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd>
<p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
- If this option is used and no algorithm is explicitly
- set on the command line, NSEC3RSASHA1 will be used by
- default. Note that RSASHA256, RSASHA512, ECCGOST,
- ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448
- algorithms are NSEC3-capable.
+ If this option is used with an algorithm that has both
+ NSEC and NSEC3 versions, then the NSEC3 version will be
+ used; for example, <span class="command"><strong>dnssec-keygen -3a RSASHA1</strong></span>
+ specifies the NSEC3RSASHA1 algorithm.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<p>
</p>
<p>
- Using any TSIG algorithm (HMAC-* or DH) forces this option
- to KEY.
+ Specifying any TSIG algorithm (HMAC-* or DH) with
+ <code class="option">-a</code> forces this option to KEY.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
- <p>
- Sets the prepublication interval for a key. If set, then
- the publication and activation dates must be separated by at least
- this much time. If the activation date is specified but the
- publication date isn't, then the publication date will default
- to this much time before the activation date; conversely, if
- the publication date is specified but activation date isn't,
- then activation will be set to this much time after publication.
- </p>
- <p>
- If the key is being created as an explicit successor to another
- key, then the default prepublication interval is 30 days;
- otherwise it is zero.
- </p>
- <p>
- As with date offsets, if the argument is followed by one of
- the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
- interval is measured in years, months, weeks, days, hours,
- or minutes, respectively. Without a suffix, the interval is
- measured in seconds.
- </p>
- </dd>
+ <p>
+ Sets the prepublication interval for a key. If set, then
+ the publication and activation dates must be separated by at least
+ this much time. If the activation date is specified but the
+ publication date isn't, then the publication date will default
+ to this much time before the activation date; conversely, if
+ the publication date is specified but activation date isn't,
+ then activation will be set to this much time after publication.
+ </p>
+ <p>
+ If the key is being created as an explicit successor to another
+ key, then the default prepublication interval is 30 days;
+ otherwise it is zero.
+ </p>
+ <p>
+ As with date offsets, if the argument is followed by one of
+ the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
+ interval is measured in years, months, weeks, days, hours,
+ or minutes, respectively. Without a suffix, the interval is
+ measured in seconds.
+ </p>
+ </dd>
</dl></div>
</div>
<div class="titlepage"><div><div><h3 class="title">
<a name="relnotes_changes"></a>Feature Changes</h3></div></div></div>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
+<li class="listitem">
+ <p>
+ <span class="command"><strong>dnssec-keygen</strong></span> no longer has default
+ algorithm settings. It is necessary to explicitly specify the
+ algorithm on the command line with the <code class="option">-a</code> option
+ when generating keys. This may cause errors with existing signing
+ scripts if they rely on current defaults. The intent is to
+ reduce the long-term cost of transitioning to newer algorithms in
+ the event of RSASHA1 being deprecated. [RT #44755]
+ </p>
+ </li>
<li class="listitem">
<p>
Threads in <span class="command"><strong>named</strong></span> are now set to human-readable