
dnssec-keygen command in Linux with Examples

Last Updated : 01 Sep, 2020

dnssec-keygen, shipped with BIND, generates the keys used by DNSSEC (DNS Security Extensions). DNSSEC extends regular DNS with origin authentication and integrity protection for DNS data: the zone's records are signed with a private key, and validating resolvers check those signatures against the public key that the zone publishes in a DNSKEY record. dnssec-keygen produces that public/private key pair. It writes the public half as a ready-to-include DNSKEY record to a file named K<name>+<algorithm>+<keytag>.key and the private half to a matching .private file. The .private file is the signing secret: keep it with restrictive permissions and only on the host that signs the zone.

Syntax:

dnssec-keygen [options] name

Example:

dnssec-keygen gfg.org

In the above example, keys are generated for gfg.org. With no options, older BIND releases fall back to the default algorithm (RSASHA1) and the default key size (1024 bits for a zone-signing key). Do not rely on those defaults: RSASHA1 is deprecated for signing new zones (RFC 8624), 1024-bit RSA is too small for new deployments, and current BIND releases no longer supply a default algorithm at all and require an explicit -a. Always state the algorithm and, for RSA, the size, for example dnssec-keygen -a RSASHA256 -b 2048 gfg.org.

Working with dnssec-keygen command

1. -b (Key Size) option:

This option specifies the number of bits in the key. The permitted range depends on the algorithm:

  • RSA algorithms: 512-4096 bits (current BIND releases reject RSA keys shorter than 1024 bits; use 2048 or more for a new zone)
  • DH algorithm: 128-4096 bits
  • DSA algorithm: 512-1024 bits, an exact multiple of 64
  • HMAC algorithms: 1-512 bits

Elliptic-curve algorithms (ECDSAP256SHA256, ECDSAP384SHA384, ED25519, ED448) have a fixed key size, so -b is not needed for them. If -b is omitted for an RSA key, BIND uses 1024 bits for a zone-signing key and 2048 bits for a key-signing key (-f KSK); 1024-bit RSA should not be used for new zones, so give -b explicitly.

Example:

dnssec-keygen -b 1024 gfg.org


2. -a (Algorithm) option:

This option selects the cryptographic algorithm for the key. When you specify an algorithm with a variable key size (RSA, DH, DSA, HMAC), also give -b so the size is set explicitly rather than left to a version-dependent default. The algorithms covered here are:

  • RSAMD5 (broken; must not be used)
  • RSASHA1 (legacy default in older BIND; deprecated for signing)
  • RSASHA256 (recommended RSA choice)
  • RSASHA512
  • DH (only used for TKEY, not for signing zones)
  • DSA (deprecated)
  • HMAC-MD5
  • HMAC-SHA1
  • HMAC-SHA224
  • HMAC-SHA256
  • HMAC-SHA384
  • HMAC-SHA512

Newer BIND releases also support ECDSAP256SHA256, ECDSAP384SHA384, ED25519 and ED448, which give much smaller keys and signatures than RSA. The HMAC-* entries are symmetric keys for TSIG transaction signatures, not DNSSEC signing keys; recent BIND releases generate them with tsig-keygen instead of dnssec-keygen. For a new zone prefer RSASHA256 with 2048 bits or more, or ECDSAP256SHA256.

Example:

dnssec-keygen -a RSASHA256 -b 2048 gfg.org


3. -n (Name Type) option:

This option specifies the owner type of the key, which decides what kind of record the public half becomes. The accepted values are:

  • ZONE – a DNSSEC zone key, written as a DNSKEY record (the default)
  • HOST/ENTITY – a host key, written as a KEY record
  • USER – a user key, written as a KEY record

Only ZONE keys are used to sign zones; the other types produce KEY records for uses such as SIG(0) transaction signatures, not DNSSEC.

Example:

dnssec-keygen -n ZONE gfg.org


4. -3 option:

This option requires the key to be created with an NSEC3-capable algorithm, for zones that use NSEC3 rather than NSEC for authenticated denial of existence. If no algorithm is given (or RSASHA1 is given), NSEC3RSASHA1 is used. RSASHA256, RSASHA512 and the elliptic-curve algorithms are NSEC3-capable already, so with them -3 changes nothing about the key and only acts as a check that you did not pick an NSEC-only algorithm.

Example:

dnssec-keygen -a RSASHA256 -b 1024 -3 gfg.org


5. -f (Key Flag) option:

This option sets a flag bit in the generated DNSKEY record. The recognised flags are:

  • KSK (Key Signing Key) – sets the Secure Entry Point bit, so the flags field becomes 257 instead of 256. The KSK signs only the DNSKEY RRset and is the key the parent zone's DS record points to; keys generated without -f KSK are zone-signing keys (ZSKs) that sign the rest of the zone.
  • REVOKE – sets the revoke bit (flags 384 for a ZSK, 385 for a KSK), used in RFC 5011 automated trust-anchor rollover to tell resolvers that the key must no longer be trusted.

Example :

dnssec-keygen -a RSASHA256 -b 1024 -f KSK gfg.org
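After running dnssec-keygen with -a, -b and -f, the thing worth checking is the DNSKEY record it wrote to the K<name>+<alg>+<tag>.key file: the flags field (256 for a ZSK, 257 for a KSK, revoke bit 128), the algorithm number, the real modulus size behind -b, and the key tag that appears in the file name. The following inspector is an added example, not part of this article or of BIND. It decodes the base64 public key, reads the RSA modulus size from the RFC 3110 encoding, enforces the fixed lengths of the elliptic-curve algorithms (where -b does not apply), and computes the RFC 4034 key tag. The sample .key file text is constructed inline with repeated-byte moduli so the tags can be verified by hand; those are not usable keys.

```python
"""Inspect the DNSKEY records dnssec-keygen writes (K<name>+<alg>+<tag>.key) and
verify that -a, -b and -f produced what was asked for.  Added example, not BIND code."""
import base64
import struct

# DNSSEC algorithm numbers (IANA registry). RFC 8624 marks 1, 3, 5, 6, 7 as
# MUST NOT / NOT RECOMMENDED for signing new zones.
ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "NSEC3DSA", 7: "NSEC3RSASHA1",
    8: "RSASHA256", 10: "RSASHA512", 13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
RSA_ALGORITHMS = {1, 5, 7, 8, 10}
LEGACY_ALGORITHMS = {1, 3, 5, 6, 7}
# Fixed-size public keys: (expected wire length in bytes, nominal key size in bits).
FIXED_SIZE = {13: (64, 256), 14: (96, 384), 15: (32, 256), 16: (57, 456)}

FLAG_ZONE_KEY = 0x0100   # bit 7: key belongs to a zone (set for -n ZONE)
FLAG_REVOKE = 0x0080     # bit 8: set by -f REVOKE (RFC 5011)
FLAG_SEP = 0x0001        # bit 15: Secure Entry Point, set by -f KSK


def key_tag(rdata: bytes) -> int:
    """Key tag over the DNSKEY RDATA, per RFC 4034 Appendix B (the number in the file name)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 encoded RSA public key (what -b actually produced)."""
    exp_len, offset = pubkey[0], 1
    if exp_len == 0:                      # long form: 2-byte exponent length follows
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    modulus = pubkey[offset + exp_len:]
    return int.from_bytes(modulus, "big").bit_length()


def parse_dnskey(line: str) -> dict:
    """Parse one '<owner> [ttl] IN DNSKEY <flags> <proto> <alg> <base64>' record."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    if proto != 3:
        raise ValueError(f"DNSKEY protocol must be 3, got {proto}")
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    info = {
        "owner": fields[0],
        "flags": flags,
        "algorithm": ALGORITHMS.get(alg, f"unknown({alg})"),
        "role": "KSK" if flags & FLAG_SEP else "ZSK",
        "zone_key": bool(flags & FLAG_ZONE_KEY),
        "revoked": bool(flags & FLAG_REVOKE),
        "legacy_algorithm": alg in LEGACY_ALGORITHMS,
        "key_tag": key_tag(rdata),
    }
    if alg in RSA_ALGORITHMS:
        info["key_bits"] = rsa_modulus_bits(pubkey)
    elif alg in FIXED_SIZE:                # -b does not apply; length is fixed by the curve
        want_len, bits = FIXED_SIZE[alg]
        if len(pubkey) != want_len:
            raise ValueError(f"{info['algorithm']} key must be {want_len} bytes, got {len(pubkey)}")
        info["key_bits"] = bits
    else:
        info["key_bits"] = len(pubkey) * 8
    return info


def inspect_keys(key_file_text: str) -> list:
    """Parse every DNSKEY record in a .key file, skipping the ';' comment header dnssec-keygen writes."""
    return [parse_dnskey(ln) for ln in key_file_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith(";")]


def rsa_pubkey(exponent: bytes, modulus: bytes) -> bytes:
    """Encode an RSA public key in RFC 3110 wire form (short-form exponent length)."""
    return bytes([len(exponent)]) + exponent + modulus


# Constructed sample standing in for Kgfg.org.+008+<tag>.key files. Repeated-byte
# moduli make the key tags hand-checkable; these are NOT usable keys.
SAMPLE_KEY_FILE = "\n".join([
    "; Constructed sample, not written by dnssec-keygen",
    "gfg.org. IN DNSKEY 257 3 8 " + base64.b64encode(rsa_pubkey(b"\x01\x00\x01", b"\xab" * 256)).decode(),
    "gfg.org. IN DNSKEY 256 3 8 " + base64.b64encode(rsa_pubkey(b"\x01\x00\x01", b"\xcd" * 128)).decode(),
    "gfg.org. 3600 IN DNSKEY 256 3 15 " + base64.b64encode(b"\x55" * 32).decode(),
])

if __name__ == "__main__":
    for k in inspect_keys(SAMPLE_KEY_FILE):
        warn = " (legacy algorithm, do not use for new zones)" if k["legacy_algorithm"] else ""
        print(f"{k['owner']} {k['role']} tag={k['key_tag']} {k['algorithm']} "
              f"{k['key_bits']}-bit flags={k['flags']}{warn}")
```

To check real output, read the .key file instead of SAMPLE_KEY_FILE and compare: the role must match whether -f KSK was given, key_bits must equal the -b value for RSA, and key_tag must equal the number embedded in the file name.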


6. -c (Class) option:

DNS data is partitioned into classes. This option sets the class of the generated DNSKEY record; IN is used when the option is omitted. The recognised classes are:

  • IN (Internet) – default class
  • CH (CHAOS)
  • HS (Hesiod)

In practice DNSSEC is only deployed in the IN class, so this option is almost never needed.

Example:

dnssec-keygen -c CH gfg.org


7. -t (Type) option:

This option indicates the permitted use of the key. AUTH refers to the ability to authenticate data and CONF to the ability to encrypt (keep confidential) data, so the possible types are:

  • AUTHCONF – may be used for both authentication and confidentiality (default)
  • NOAUTHCONF – may be used for neither
  • NOAUTH – confidentiality only
  • NOCONF – authentication only

These bits exist only in the older KEY record type (HOST/USER keys); a DNSKEY zone key has no such bits, so -t does not affect keys generated for zone signing.

Example:

dnssec-keygen -a RSASHA256 -b 1024 -t NOAUTH gfg.org


