Man page - dnst-keygen(1)
| DNST-KEYGEN(1) | dnst | DNST-KEYGEN(1) |
NAME
dnst-keygen - Generate a new key pair for a domain name
SYNOPSIS
dnst keygen [OPTIONS] -a <ALGORITHM> <DOMAIN NAME>
DESCRIPTION
dnst keygen generates a new key pair for a given domain name.
The following files will be created:
- K<name>+<alg>+<tag>.key: The public key file containing a DNSKEY RR in zone file format.
- K<name>+<alg>+<tag>.private: The private key file containing the private key data fields in BIND's Private-key-format.
- K<name>+<alg>+<tag>.ds: The public key digest file containing the DS RR in zone file format. It is only created for key signing keys.
<name> is the fully-qualified owner name for the key (with a trailing dot). <alg> is the algorithm number of the key, zero-padded to 3 digits. <tag> is the 16-bit tag of the key, zero-padded to 5 digits.
Upon completion, K<name>+<alg>+<tag> will be printed.
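The naming scheme above can be checked against the contents of a `.key` file. The following is an added example, not part of dnst. It assumes the tag is the RFC 4034 Appendix B key tag, that the DNSKEY RR sits on a single line, and that the SEP flag bit marks a KSK; all function names and the sample key are constructed for illustration.

```python
import base64
import struct

def key_tag(flags, protocol, algorithm, public_key):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + public_key
    acc = 0
    for i, byte in enumerate(rdata):
        # Even offsets are the high byte of a 16-bit word, odd offsets the low byte.
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def key_base_name(owner, algorithm, tag):
    """Build K<name>+<alg>+<tag>: trailing dot, 3-digit alg, 5-digit tag."""
    if not owner.endswith("."):
        owner += "."
    return f"K{owner}+{algorithm:03d}+{tag:05d}"

def parse_dnskey(line):
    """Parse a single-line DNSKEY RR into (owner, flags, protocol, alg, key)."""
    fields = line.split(";", 1)[0].split()  # drop a trailing zone-file comment
    i = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return fields[0], flags, protocol, algorithm, key

def check_key_file(base_name, dnskey_line):
    """Return (name_matches, expected_name, is_ksk) for a .key file."""
    owner, flags, protocol, algorithm, key = parse_dnskey(dnskey_line)
    tag = key_tag(flags, protocol, algorithm, key)
    expected = key_base_name(owner, algorithm, tag)
    return base_name == expected, expected, bool(flags & 0x0001)

# Constructed sample: a placeholder 32-byte value stands in for an Ed25519 key.
SAMPLE_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_KSK = f"example.com. IN DNSKEY 257 3 15 {SAMPLE_KEY} ; constructed sample"

if __name__ == "__main__":
    for name in ("Kexample.com.+015+62736", "Kexample.com.+015+00001"):
        ok, expected, is_ksk = check_key_file(name, SAMPLE_KSK)
        status = "ok" if ok else f"MISMATCH, expected {expected}"
        kind = "KSK, .ds file expected" if is_ksk else "ZSK, no .ds file"
        print(f"{name}: {status} ({kind})")
```

A mismatch between the file name and the recomputed name indicates a renamed or altered key file and is worth investigating before the key is used for signing.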
ARGUMENTS
- <DOMAIN NAME>
- The owner name of the apex of the zone which the generated key is intended to sign.
OPTIONS
- -a <NUMBER OR MNEMONIC>
- Use the given signing algorithm. Mandatory.
Possible values are:
| Mnemonic | Number | Description |
| list | | List available algorithms |
| RSASHA256 | 8 | RSA with SHA-256 |
| ECDSAP256SHA256 | 13 | ECDSA P-256 with SHA-256 |
| ECDSAP384SHA384 | 14 | ECDSA P-384 with SHA-384 |
| ED25519 | 15 | ED25519 |
| ED448 | 16 | ED448 |
- -k
- Generate a key signing key (KSK) instead of a zone signing key (ZSK).
- -b <BITS>
- The length of the key (for RSA keys only). Defaults to 2048.
- -r <DEVICE>
- The randomness source to use for generation. Defaults to /dev/urandom.
- -s
- Create symlinks .key and .private to the generated keys.
- -f
- Overwrite existing symlinks (for use with -s).
- -h, --help
- Print the help text (short summary with -h, long help with --help).
AUTHOR
NLnet Labs
COPYRIGHT
2024–2026, NLnet Labs
| March 5, 2026 | 0.2.0-alpha1 |