Generate DNS Key (GENDNSKEY)
Where allowed to run: All environments (*ALL). Threadsafe: No
The Generate DNS Key (GENDNSKEY) command generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.
By default, the generated key files are stored in the directory /QIBM/UserData/OS400/DNS/_DYN.
Restrictions:
- You must have *SECADM special authority to use this command.
- You must have execute (*X) authority to the directories in the path of the entropy source file.
- You must have read (*R) authority to the entropy source file.
- You must have execute (*X) authority to the directories in the path of the keyset directory.
- You must have read (*R) authority to the keyset directory files.
- You must have execute (*X) authority to the directories in the path of the output file.
- You must have write (*W) authority to the output file if it already exists.
- You must have read, write and execute (*RWX) authority to the output file's parent directory if the output file does not already exist.
Parameters
Keyword | Description | Choices | Notes |
---|---|---|---|
KEYNAME | Key name | Character value | Required, Positional 1 |
ALGORITHM | Cryptographic algorithm | *RSASHA1, *NSEC3RSASHA1, *NSEC3DSA, *RSAMD5, *RSASHA256, *RSASHA512, *DSA, *DH, *MD5, *SHA1, *SHA224, *SHA256, *SHA384, *SHA512 | Optional, Positional 2 |
KEYSIZE | Key size | Unsigned integer, 1024 | Optional, Positional 3 |
KEYOWNTYPE | Key owner type | *ZONE, *HOST, *ENTITY, *USER, *OTHER | Optional, Positional 4 |
COMPMODE | Compatibility mode | *NO, *YES | Optional |
CLASS | Class | *IN, *CH, *HS | Optional |
KEYFLAG | Key flag | *NONE, *KSK, *REVOKE | Optional |
DHGEN | Generator for DH key | *PRIME, 2, 5 | Optional |
QUIETMODE | Quiet mode | *NO, *YES | Optional |
STRENGTH | Key strength | 0-15, *NONE | Optional |
RRTYPE | Resource record type | *DNSKEY, *KEY | Optional |
USETYPE | Key use type | *AUTHCONF, *NOAUTHCONF, *NOAUTH, *NOCONF | Optional |
PUBDATE | Published date | Character value, *NOW | Optional |
ACTDATE | Activated date | Character value, *NOW | Optional |
RVKDATE | Revoked date | Character value, *NONE | Optional |
RTEDATE | Retired date | Character value, *NONE | Optional |
DLTDATE | Deleted date | Character value, *NONE | Optional |
LRGEXP | Use large exponent | *NO, *YES | Optional |
KEYPCLNBR | Key protocol number | 0-255, 3 | Optional |
ENTROPYSRC | Entropy source | Path name, *DFT | Optional |
DBGLVL | Debug level | 0-10, 0 | Optional |
TOSTMF | Output file | Path name, *STDOUT | Optional |
Key name (KEYNAME)
Specifies the key name to use. For DNSSEC keys, this must match the name of the zone for which the key is being generated.
This is a required parameter.
- character-value
- Specify the name of the key to be generated.
Cryptographic algorithm (ALGORITHM)
Specifies the cryptographic algorithm to use. For DNSSEC keys, the algorithm must be one of *RSAMD5, *RSASHA1, *DSA, *NSEC3RSASHA1, *NSEC3DSA, *RSASHA256 or *RSASHA512. For TSIG/TKEY, the value must be *DH (Diffie-Hellman), *MD5, *SHA1, *SHA224, *SHA256, *SHA384, or *SHA512.
Note: For DNSSEC, *RSASHA1 and *DSA are the recommended algorithms. For TSIG, *MD5 is recommended.
Note: *DH, *MD5, and *SHA1 through *SHA512 automatically imply RRTYPE(*KEY).
- *RSASHA1
- RSA is an algorithm for public key encryption. Secure Hash Algorithm 1 (SHA1) is a one-way hash algorithm.
- *NSEC3RSASHA1
- NSEC3-capable RSASHA1 algorithm.
- *NSEC3DSA
- NSEC3-capable DSA algorithm.
- *RSAMD5
- RSA is an algorithm for public key encryption. Message-Digest 5 (MD5) is a one-way hash algorithm.
- *RSASHA256
- RSA is an algorithm for public key encryption. Secure Hash Algorithm 256 (SHA256) is a one-way hash algorithm.
- *RSASHA512
- RSA is an algorithm for public key encryption. Secure Hash Algorithm 512 (SHA512) is a one-way hash algorithm.
- *DSA
- Digital Signature Algorithm.
- *DH
- Diffie-Hellman key exchange.
- *MD5
- Keyed-hash message authentication code (HMAC) using Message-Digest 5 (MD5) hash algorithm.
- *SHA1
- Keyed-hash message authentication code (HMAC) using Secure Hash Algorithm (SHA-1) hash algorithm.
- *SHA224
- Keyed-hash message authentication code (HMAC) using Secure Hash Algorithm (SHA-224) hash algorithm.
- *SHA256
- Keyed-hash message authentication code (HMAC) using Secure Hash Algorithm (SHA-256) hash algorithm.
- *SHA384
- Keyed-hash message authentication code (HMAC) using Secure Hash Algorithm (SHA-384) hash algorithm.
- *SHA512
- Keyed-hash message authentication code (HMAC) using Secure Hash Algorithm (SHA-512) hash algorithm.
Key size (KEYSIZE)
Specifies the number of bits in the key. The valid range depends on the algorithm used. RSA (*RSASHA1, *NSEC3RSASHA1, *RSAMD5, *RSASHA256) keys must be between 512 and 4096 bits. RSA (*RSASHA512) keys must be between 1024 and 4096 bits. Diffie-Hellman (*DH) keys must be between 128 and 4096 bits. DSA (*DSA, *NSEC3DSA) keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC (*MD5, *SHA512) keys must be between 1 and 512 bits. HMAC (*SHA1) keys must be between 1 and 160 bits. HMAC (*SHA224) keys must be between 1 and 224 bits. HMAC (*SHA256) keys must be between 1 and 256 bits. HMAC (*SHA384) keys must be between 1 and 384 bits.
If using the default algorithm (*RSASHA1), the recommended key size is 1024 bits for zone signing keys (ZSK) and 2048 bits for key signing keys (KSK, generated with KEYFLAG(*KSK)).
- 1024
- The number of bits will be 1024.
- 1-4096
- Specify the number of bits for the key.
Key owner type (KEYOWNTYPE)
Specifies the owner type of the key.
- *ZONE
- For DNSSEC zone keys (KEY/DNSKEY).
- *HOST
- For a key associated with a host (KEY).
- *ENTITY
- For a key associated with an entity (KEY).
- *USER
- A key associated with a user (KEY).
- *OTHER
- DNSKEY.
Compatibility mode (COMPMODE)
Specifies whether or not to generate an old-style key, without any metadata. By default, this CL command will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND.
- *NO
- Do not generate an old-style key.
- *YES
- Generate an old-style key.
Class (CLASS)
Specifies the protocol group of the information.
- *IN
- The Internet class.
- *CH
- The CHAOS class.
- *HS
- The Hesiod class.
Key flag (KEYFLAG)
Specifies the flag to set in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.
- *NONE
- Do not set any flags.
- *KSK
- Set the KSK flag.
- *REVOKE
- Set the REVOKE flag.
Generator for DH key (DHGEN)
Specifies, if generating a Diffie-Hellman key, the generator value to use.
- *PRIME
- A prime value will be selected based on RFC 2539, if possible. Otherwise, a value of 2 is used.
- 2
- A value of 2 will be used.
- 5
- A value of 5 will be used.
Quiet mode (QUIETMODE)
Specifies whether or not to suppress unnecessary output, including progress indication.
Without this option, when this CL command is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to stderr indicating the progress of the key generation.
- *NO
- Do not suppress unnecessary output.
- *YES
- Suppress unnecessary output.
Key strength (STRENGTH)
Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.
- *NONE
- Do not specify a strength value.
- 0-15
- Specify a valid strength value.
Resource record type (RRTYPE)
Specifies if KEY resource records (RRs) rather than DNSKEY RRs should be generated.
- *DNSKEY
- DNSKEY resource records will be created.
- *KEY
- KEY resource records will be created.
Key use type (USETYPE)
Specifies how the key will be used. AUTH refers to the ability to authenticate data and CONF refers to the ability to encrypt data.
- *AUTHCONF
- Authentication and data encryption.
- *NOAUTHCONF
- Neither authentication nor data encryption.
- *NOAUTH
- Data encryption only.
- *NOCONF
- Authentication only.
Published date (PUBDATE)
Specifies the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.
- *NOW
- The default published date is the current date.
- YYYYMMDDHHMMSS
- Specifies the date (in UTC) on which a key is to be published to the zone.
Activated date (ACTDATE)
Specifies the date on which a key is to be activated. After that date, the key will be included in the zone and used to sign it.
- *NOW
- The default activated date is the current date.
- YYYYMMDDHHMMSS
- Specifies the date (in UTC) on which a key is to be activated.
Revoked date (RVKDATE)
Specifies the date on which a key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.
- *NONE
- Do not specify the revoked date.
- YYYYMMDDHHMMSS
- Specifies the date (in UTC) on which a key is to be revoked.
Retired date (RTEDATE)
Specifies the date on which a key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.
- *NONE
- Do not specify the retired date.
- YYYYMMDDHHMMSS
- Specifies the date (in UTC) on which a key is to be retired.
Deleted date (DLTDATE)
Specifies the date on which a key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)
- *NONE
- Do not specify the deleted date.
- YYYYMMDDHHMMSS
- Specifies the date (in UTC) on which a key is to be deleted.
Use large exponent (LRGEXP)
Specifies, if generating an RSA (RSAMD5/RSASHA1/RSASHA256/NSEC3RSASHA1/RSASHA512) key, whether or not to use a large exponent.
- *NO
- Do not use a large exponent.
- *YES
- Use a large exponent.
Key protocol number (KEYPCLNBR)
Specifies the protocol value for the generated key. The protocol is a number between 0 and 255. The shipped default value is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.
- 3
- The protocol value will be 3.
- 0-255
- Specify a valid key protocol value.
Entropy source (ENTROPYSRC)
Specifies a source of random data used to generate the key. If for some reason the default entropy file is not large enough, this parameter allows you to change the entropy source to one that is larger.
- *DFT
- The default entropy source, /dev/urandom, will be used.
- path-name
- Specify the path for a stream file to serve as an entropy source.
Debug level (DBGLVL)
Specifies the debugging level to indicate how much diagnostic (debug) information this command will generate.
- 0
- Debugging is off.
- 1-10
- Specify a number within the range of 1-10. The amount of debug information increases as the DBGLVL value increases. 1 equals minimum debug information. 10 equals maximum debug information.
Output file (TOSTMF)
Specifies the name of a stream file where all command output is written.
- *STDOUT
- All command output goes to the standard output device (normally the display).
- path-name
- Specify the path name for a stream file where output should be written.
Examples
GENDNSKEY KEYNAME('my-tsig-key') ALGORITHM(*MD5) KEYSIZE(128) KEYOWNTYPE(*HOST) RRTYPE(*KEY)
This command generates a key named 'my-tsig-key' and places the key files in the directory '/QIBM/UserData/OS400/DNS/_DYN'. The names of the key files are displayed as output, for example:
/QIBM/UserData/OS400/DNS/_DYN/my-tsig-key._KEY (symlink)
/QIBM/UserData/OS400/DNS/_DYN/Kmy-tsig-key.+157+12836.key
/QIBM/UserData/OS400/DNS/_DYN/Kmy-tsig-key.+157+12836.private
The contents of key file '/QIBM/UserData/OS400/DNS/_DYN/my-tsig-key._KEY' might look like this:
my-tsig-key. IN KEY 512 3 157 emjb8j5JDB7JFBqXCj5kkQ==
GENDNSKEY KEYNAME('example.com.') ALGORITHM(*RSASHA1) KEYSIZE(1024) KEYOWNTYPE(*ZONE)
This command generates a key named 'example.com.' and places the key files in the directory '/QIBM/UserData/OS400/DNS/_DYN'. The names of the key files are displayed as output, for example:
/QIBM/UserData/OS400/DNS/_DYN/example.com.._KEY (symlink)
/QIBM/UserData/OS400/DNS/_DYN/Kexample.com.+005+48876.key
/QIBM/UserData/OS400/DNS/_DYN/Kexample.com.+005+48876.private
The contents of key file '/QIBM/UserData/OS400/DNS/_DYN/Kexample.com.+005+48876.key' might look like this:
example.com. IN DNSKEY 256 3 5 AwEAAaIANTvuE4hJyyJ+y+1wyH72dI8U7kvPxclzeDoApZDJkxixAoE/ KLvK8jxD FdVzj6dP0UvC6RTVHOa05MYA7evs6UkRfbFHNobV+MvCVWN0w/1UoywYhi8MnvBK akfv2x3SDiseSJs01Kl6jqg/UtSH41roJlzjuAiE /L3qHTCp
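As an added example (not part of the IBM documentation), a Python parser for the KEY/DNSKEY record written to the .key file: it maps the flags, protocol and algorithm fields back to the GENDNSKEY parameter values (KEYOWNTYPE, USETYPE, KEYFLAG, ALGORITHM), recovers the KEYSIZE in bits, and computes the RFC 4034 key tag that forms the +NNNNN part of the file names. It assumes BIND's private-use algorithm numbers for the HMAC variants; the sample records above are illustrative ("might look like this"), so the tags computed from them are not expected to equal the ones in the example file names.

```python
import base64
import re

# Algorithm numbers behind GENDNSKEY's ALGORITHM values: 1-10 are the IANA DNSSEC numbers,
# 157-165 are BIND's private-use numbers for the TSIG HMACs (157 and 5 appear in the samples).
ALGORITHMS = {1: "*RSAMD5", 3: "*DSA", 5: "*RSASHA1", 6: "*NSEC3DSA", 7: "*NSEC3RSASHA1",
              8: "*RSASHA256", 10: "*RSASHA512", 157: "*MD5", 161: "*SHA1", 162: "*SHA224",
              163: "*SHA256", 164: "*SHA384", 165: "*SHA512"}
# KEY RR flags (RFC 2535): bits 6-7 = owner type (KEYOWNTYPE), bits 0-1 = use type (USETYPE).
# A DNSKEY RR (RFC 4034/5011) defines only ZONE 0x0100, SEP/KSK 0x0001 and REVOKE 0x0080.
OWNER_TYPES = {0x0000: "*USER", 0x0100: "*ZONE", 0x0200: "*HOST/*ENTITY"}
USE_TYPES = {0x0000: "*AUTHCONF", 0x4000: "*NOCONF", 0x8000: "*NOAUTH", 0xC000: "*NOAUTHCONF"}
# Constructed test input: the two sample records shown above, the DNSKEY one joined into one line.
TSIG_RECORD = "my-tsig-key. IN KEY 512 3 157 emjb8j5JDB7JFBqXCj5kkQ=="
ZONE_RECORD = ("example.com. IN DNSKEY 256 3 5 AwEAAaIANTvuE4hJyyJ+y+1wyH72dI8U7kvPxclzeDoApZDJkxixAoE/"
               "KLvK8jxDFdVzj6dP0UvC6RTVHOa05MYA7evs6UkRfbFHNobV+MvCVWN0w/1UoywYhi8MnvBK"
               "akfv2x3SDiseSJs01Kl6jqg/UtSH41roJlzjuAiE/L3qHTCp")

def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag, the +NNNNN in K<name>.+<alg>+<tag>.key. Algorithm 1
    (RSAMD5) uses the modulus low bits instead; that case is not implemented here."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    ac = sum(int.from_bytes(rdata[i:i + 2].ljust(2, b"\0"), "big") for i in range(0, len(rdata), 2))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_bits(algorithm, key):
    """KEYSIZE as GENDNSKEY means it: the RSA modulus length for RSA algorithms (RFC 3110
    encoding: 1- or 3-byte exponent length, exponent, modulus), else the raw key length."""
    if algorithm in (1, 5, 7, 8, 10):
        hdr, exp_len = (1, key[0]) if key[0] else (3, int.from_bytes(key[1:3], "big"))
        return int.from_bytes(key[hdr + exp_len:], "big").bit_length()
    return len(key) * 8

def parse_key_record(line):
    """Parse one KEY/DNSKEY record line as written to the .key file (an optional TTL is allowed)."""
    m = re.match(r"(\S+)\s+(?:\d+\s+)?(IN|CH|HS)\s+(KEY|DNSKEY)\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$",
                 line.strip())
    if not m:
        raise ValueError("not a KEY/DNSKEY record: " + line)
    name, cls, rrtype, flags, proto, alg, b64 = m.groups()
    flags, proto, alg = int(flags), int(proto), int(alg)
    key = base64.b64decode("".join(b64.split()))  # the file may wrap the base64 across lines
    return {"name": name, "class": cls, "rrtype": rrtype,
            "owner_type": OWNER_TYPES.get(flags & 0x0300, "reserved"),
            "use_type": USE_TYPES[flags & 0xC000],
            "ksk": bool(flags & 0x0001), "revoked": bool(flags & 0x0080),
            "protocol": proto, "algorithm": ALGORITHMS.get(alg, str(alg)),
            "bits": key_bits(alg, key), "key_tag": key_tag(flags, proto, alg, key)}
```

Running parse_key_record over the two sample records recovers KEYOWNTYPE(*HOST) with a 128-bit *MD5 key for the first and KEYOWNTYPE(*ZONE) with a 1024-bit *RSASHA1 zone signing key (KSK flag clear) for the second.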
Error messages
*ESCAPE Messages
- DNS0013
- Error processing command parameters.
- DNS0065
- Option 33 of i5/OS is required, but is not installed.
- TCP7124
- Program &1 in library &2 type *PGM ended abnormally.