Generate DNS Key (GENDNSKEY)

The Generate DNS Key (GENDNSKEY) command generates keys for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. It can also generate keys for use with TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY (Transaction Key) as defined in RFC 2930.

By default, the generated key files are stored in the directory /QIBM/UserData/OS400/DNS/_DYN.

Restrictions:

Parameters

Keyword Description Choices Notes
KEYNAME Key name Character value Required, Positional 1
ALGORITHM Cryptographic algorithm *RSASHA1, *NSEC3RSASHA1, *NSEC3DSA, *RSAMD5, *RSASHA256, *RSASHA512, *DSA, *DH, *MD5, *SHA1, *SHA224, *SHA256, *SHA384, *SHA512 Optional, Positional 2
KEYSIZE Key size Unsigned integer, 1024 Optional, Positional 3
KEYOWNTYPE Key owner type *ZONE, *HOST, *ENTITY, *USER, *OTHER Optional, Positional 4
COMPMODE Compatibility mode *NO, *YES Optional
CLASS Class *IN, *CH, *HS Optional
KEYFLAG Key flag *NONE, *KSK, *REVOKE Optional
DHGEN Generator for DH key *PRIME, 2, 5 Optional
QUIETMODE Quiet mode *NO, *YES Optional
STRENGTH Key strength 0-15, *NONE Optional
RRTYPE Resource record type *DNSKEY, *KEY Optional
USETYPE Key use type *AUTHCONF, *NOAUTHCONF, *NOAUTH, *NOCONF Optional
PUBDATE Published date Character value, *NOW Optional
ACTDATE Activated date Character value, *NOW Optional
RVKDATE Revoked date Character value, *NONE Optional
RTEDATE Retired date Character value, *NONE Optional
DLTDATE Deleted date Character value, *NONE Optional
LRGEXP Use large exponent *NO, *YES Optional
KEYPCLNBR Key protocol number 0-255, 3 Optional
ENTROPYSRC Entropy source Path name, *DFT Optional
DBGLVL Debug level 0-10, 0 Optional
TOSTMF Output file Path name, *STDOUT Optional

Key name (KEYNAME)

Specifies the key name to use. For DNSSEC keys, this must match the name of the zone for which the key is being generated.

This is a required parameter.

character-value
Specify the name of the key to be generated.

Cryptographic algorithm (ALGORITHM)

Specifies the cryptographic algorithm to use. For DNSSEC keys, the value of ALGORITHM must be one of *RSAMD5, *RSASHA1, *DSA, *NSEC3RSASHA1, *NSEC3DSA, *RSASHA256 or *RSASHA512. For TSIG/TKEY, the value must be *DH (Diffie-Hellman), *MD5, *SHA1, *SHA224, *SHA256, *SHA384, or *SHA512.

Note: For DNSSEC, *RSASHA1 and *DSA are the recommended algorithms. For TSIG, *MD5 is recommended.

Note: *DH, *MD5, and *SHA1 through *SHA512 automatically imply RRTYPE(*KEY).

*RSASHA1
RSA is an algorithm for public key encryption. Secure Hash Algorithm 1 (SHA1) is a one-way hash algorithm.
*NSEC3RSASHA1
NSEC3-capable RSASHA1 algorithm.
*NSEC3DSA
NSEC3-capable DSA algorithm.
*RSAMD5
RSA is an algorithm for public key encryption. Message-Digest 5 (MD5) is a one-way hash algorithm.
*RSASHA256
RSA is an algorithm for public key encryption. Secure Hash Algorithm 256 (SHA256) is a one-way hash algorithm.
*RSASHA512
RSA is an algorithm for public key encryption. Secure Hash Algorithm 512 (SHA512) is a one-way hash algorithm.
*DSA
Digital Signature Algorithm.
*DH
Diffie-Hellman key exchange
*MD5
Keyed-hash message authentication code (HMAC) using Message-Digest 5 (MD5) hash algorithm.
*SHA1
Keyed-hash message authentication code (HMAC) using Secure Hash Algorithm (SHA-1) hash algorithm.
*SHA224
Keyed-hash message authentication code (HMAC) using Secure Hash Algorithm (SHA-224) hash algorithm.
*SHA256
Keyed-hash message authentication code (HMAC) using Secure Hash Algorithm (SHA-256) hash algorithm.
*SHA384
Keyed-hash message authentication code (HMAC) using Secure Hash Algorithm (SHA-384) hash algorithm.
*SHA512
Keyed-hash message authentication code (HMAC) using Secure Hash Algorithm (SHA-512) hash algorithm.

Key size (KEYSIZE)

Specifies the number of bits in the key. The valid range depends on the algorithm. RSA (*RSASHA1, *NSEC3RSASHA1, *RSAMD5, *RSASHA256) keys must be between 512 and 4096 bits. RSA (*RSASHA512) keys must be between 1024 and 4096 bits. Diffie-Hellman (*DH) keys must be between 128 and 4096 bits. DSA (*DSA, *NSEC3DSA) keys must be between 512 and 1024 bits and an exact multiple of 64. HMAC (*MD5, *SHA512) keys must be between 1 and 512 bits. HMAC (*SHA1) keys must be between 1 and 160 bits. HMAC (*SHA224) keys must be between 1 and 224 bits. HMAC (*SHA256) keys must be between 1 and 256 bits. HMAC (*SHA384) keys must be between 1 and 384 bits.

If using the default algorithm (*RSASHA1), the recommended key size is 1024 bits for zone signing keys (ZSK) and 2048 bits for key signing keys (KSK, generated with KEYFLAG(*KSK)).

1024
The number of bits will be 1024.
1-4096
Specify the number of bits for the key.

Key owner type (KEYOWNTYPE)

Specifies the owner type of the key.

*ZONE
For DNSSEC zone keys (KEY/DNSKEY).
*HOST
For a key associated with a host (KEY).
*ENTITY
For a key associated with an entity (KEY).
*USER
A key associated with a user (KEY).
*OTHER
For any other DNSKEY record.

Compatibility mode (COMPMODE)

Specifies whether or not to generate an old-style key, without any metadata. By default, this CL command will include the key's creation date in the metadata stored with the private key, and other dates may be set there as well (publication date, activation date, etc). Keys that include this data may be incompatible with older versions of BIND.

*NO
Do not generate an old-style key.
*YES
Generate an old-style key.

Class (CLASS)

Specifies the protocol group of the information.

*IN
The Internet class.
*CH
The CHAOS class.
*HS
The Hesiod class.

Key flag (KEYFLAG)

Specifies the flag to set in the flag field of the KEY/DNSKEY record. The only recognized flags are KSK (Key Signing Key) and REVOKE.

*NONE
Do not set any flags.
*KSK
Set the KSK flag.
*REVOKE
Set the REVOKE flag.

Generator for DH key (DHGEN)

Specifies, if generating a Diffie-Hellman key, the generator value to use.

*PRIME
A prime value will be selected based on RFC 2539, if possible. Otherwise, a value of 2 is used.
2
A value of 2 will be used.
5
A value of 5 will be used.

Quiet mode (QUIETMODE)

Specifies whether or not to suppress unnecessary output, including progress indication.

Without this option, when this CL command is run interactively to generate an RSA or DSA key pair, it will print a string of symbols to stderr indicating the progress of the key generation.

*NO
Do not suppress unnecessary output.
*YES
Suppress unnecessary output.

Key strength (STRENGTH)

Specifies the strength value of the key. The strength is a number between 0 and 15, and currently has no defined purpose in DNSSEC.

*NONE
Do not specify a strength value.
0-15
Specify a valid strength value.

Resource record type (RRTYPE)

Specifies whether KEY resource records (RRs) rather than DNSKEY RRs should be generated.

*DNSKEY
DNSKEY resource records will be created.
*KEY
KEY resource records will be created.

Key use type (USETYPE)

Specifies how the key will be used. AUTH refers to the ability to authenticate data and CONF refers to the ability to encrypt data.

*AUTHCONF
Authentication and data encryption.
*NOAUTHCONF
Neither authentication nor data encryption.
*NOAUTH
Data encryption only.
*NOCONF
Authentication only.

Published date (PUBDATE)

Specifies the date on which a key is to be published to the zone. After that date, the key will be included in the zone but will not be used to sign it.

*NOW
The default published date is the current date.
YYYYMMDDHHMMSS
Specifies the date (in UTC) on which a key is to be published to the zone.

Activated date (ACTDATE)

Specifies the date on which a key is to be activated. After that date, the key will be included in the zone and used to sign it.

*NOW
The default activated date is the current date.
YYYYMMDDHHMMSS
Specifies the date (in UTC) on which a key is to be activated.

Revoked date (RVKDATE)

Specifies the date on which a key is to be revoked. After that date, the key will be flagged as revoked. It will be included in the zone and will be used to sign it.

*NONE
Do not specify the revoked date.
YYYYMMDDHHMMSS
Specifies the date (in UTC) on which a key is to be revoked.

Retired date (RTEDATE)

Specifies the date on which a key is to be retired. After that date, the key will still be included in the zone, but it will not be used to sign it.

*NONE
Do not specify the retired date.
YYYYMMDDHHMMSS
Specifies the date (in UTC) on which a key is to be retired.

Deleted date (DLTDATE)

Specifies the date on which a key is to be deleted. After that date, the key will no longer be included in the zone. (It may remain in the key repository, however.)

*NONE
Do not specify the deleted date.
YYYYMMDDHHMMSS
Specifies the date (in UTC) on which a key is to be deleted.
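The five date parameters above together determine whether a key is present in the zone and whether it signs at a given moment. The following Python is an added illustration (not part of this command reference) that evaluates PUBDATE, ACTDATE, RVKDATE, RTEDATE and DLTDATE values in the command's YYYYMMDDHHMMSS/*NOW/*NONE syntax at a chosen time; the function and parameter names are assumptions, not part of the command.

```python
from datetime import datetime, timezone

def parse_ts(value, now):
    """GENDNSKEY date parameters take YYYYMMDDHHMMSS (UTC), *NOW or *NONE.
    *NOW resolves to the supplied evaluation time; *NONE means 'not set'."""
    if value == "*NONE":
        return None
    if value == "*NOW":
        return now
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def key_state(at, pubdate="*NOW", actdate="*NOW",
              rvkdate="*NONE", rtedate="*NONE", dltdate="*NONE"):
    """Evaluate the key timing metadata at time 'at' (YYYYMMDDHHMMSS, UTC).
    Returns (in_zone, signs, revoked) according to the parameter semantics:
      PUBDATE  reached -> key is included in the zone
      ACTDATE  reached -> key is also used to sign
      RVKDATE  reached -> key carries the REVOKE flag but still signs
      RTEDATE  reached -> key stays in the zone but no longer signs
      DLTDATE  reached -> key is removed from the zone"""
    now = parse_ts(at, None)
    pub, act, rvk, rte, dlt = (parse_ts(v, now)
                               for v in (pubdate, actdate, rvkdate, rtedate, dltdate))
    reached = lambda d: d is not None and now >= d
    in_zone = reached(pub) and not reached(dlt)
    signs = in_zone and reached(act) and not reached(rte)
    return in_zone, signs, reached(rvk)
```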

Use large exponent (LRGEXP)

Specifies, if generating an RSA (RSAMD5, RSASHA1, RSASHA256, NSEC3RSASHA1, RSASHA512) key, whether or not to use a large exponent.

*NO
Do not use a large exponent.
*YES
Use a large exponent.

Key protocol number (KEYPCLNBR)

Specifies the protocol value for the generated key. The protocol is a number between 0 and 255. The shipped default value is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors.

3
The protocol value will be 3.
0-255
Specify a valid key protocol value.

Entropy source (ENTROPYSRC)

Specifies a source of random data used to generate the key. If for some reason the default entropy file is not large enough, this parameter allows you to change the entropy source to one that is larger.

*DFT
The default entropy source of randomness /dev/urandom will be used.
path-name
Specify the path for a stream file to serve as an entropy source.

Debug level (DBGLVL)

Specifies the debugging level to indicate how much diagnostic (debug) information this command will generate.

0
Debugging is off.
1-10
Specify a number within the range of 1-10. The amount of debug information increases as the DBGLVL value increases. 1 equals minimum debug information. 10 equals maximum debug information.

Output file (TOSTMF)

Specifies the name of a stream file where all command output is written.

*STDOUT
All command output goes to the standard output device (normally the display).
path-name
Specify the path name for a stream file where output should be written.

Examples

GENDNSKEY KEYNAME('my-tsig-key')
            ALGORITHM(*MD5)
            KEYSIZE(128)
            KEYOWNTYPE(*HOST)
            RRTYPE(*KEY)

This command generates a key named 'my-tsig-key' and places the key files in the directory '/QIBM/UserData/OS400/DNS/_DYN'. The names of the key files are displayed as output, for example:

/QIBM/UserData/OS400/DNS/_DYN/my-tsig-key._KEY (symlink)
/QIBM/UserData/OS400/DNS/_DYN/Kmy-tsig-key.+157+12836.key
/QIBM/UserData/OS400/DNS/_DYN/Kmy-tsig-key.+157+12836.private

The contents of key file '/QIBM/UserData/OS400/DNS/_DYN/my-tsig-key._KEY' might look like this:

my-tsig-key. IN KEY 512 3 157 emjb8j5JDB7JFBqXCj5kkQ==

GENDNSKEY KEYNAME('example.com.')
            ALGORITHM(*RSASHA1)
            KEYSIZE(1024)
            KEYOWNTYPE(*ZONE)

This command generates a key named 'example.com.' and places the key files in the directory '/QIBM/UserData/OS400/DNS/_DYN'. The names of the key files are displayed as output, for example:

/QIBM/UserData/OS400/DNS/_DYN/example.com.._KEY (symlink)
/QIBM/UserData/OS400/DNS/_DYN/Kexample.com.+005+48876.key
/QIBM/UserData/OS400/DNS/_DYN/Kexample.com.+005+48876.private

The contents of key file '/QIBM/UserData/OS400/DNS/_DYN/Kexample.com.+005+48876.key' might look like this:

example.com. IN DNSKEY 256 3 5
AwEAAaIANTvuE4hJyyJ+y+1wyH72dI8U7kvPxclzeDoApZDJkxixAoE/ KLvK8jxD
FdVzj6dP0UvC6RTVHOa05MYA7evs6UkRfbFHNobV+MvCVWN0w/1UoywYhi8MnvBK
akfv2x3SDiseSJs01Kl6jqg/UtSH41roJlzjuAiE /L3qHTCp
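The two sample records above differ in RR type, and the flags field means different things for a KEY record (RFC 2535: use type and owner type) than for a DNSKEY record (RFC 4034: zone key, revoke and KSK bits). The following Python is an added example, not code from this command reference, that parses a KEY/DNSKEY presentation line, decodes the flags according to the RR type, and computes the RFC 4034 Appendix B key tag, which is the numeric key id that BIND-style file names carry after the algorithm number. Function names and the short DNSKEY line used in testing are constructed for the example.

```python
import base64

# IANA DNSSEC algorithm numbers for the values the ALGORITHM parameter can select
ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "NSEC3DSA",
              7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512", 157: "HMAC-MD5"}

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over wire-format RDATA (flags, protocol,
    algorithm, public key). Algorithm 1 (RSAMD5) uses a different rule
    (low bits of the modulus) and is not handled here."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_key_rr(line: str) -> dict:
    """Parse a 'owner IN KEY|DNSKEY flags protocol algorithm base64' line.
    Base64 may be split across whitespace or lines, as in the sample output."""
    owner, _cls, rrtype, flags, proto, alg, *b64 = line.split()
    flags, proto, alg = int(flags), int(proto), int(alg)
    pubkey = base64.b64decode("".join(b64))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    info = {"owner": owner, "type": rrtype, "flags": flags, "protocol": proto,
            "algorithm": ALGORITHMS.get(alg, str(alg)), "tag": key_tag(rdata)}
    if rrtype == "DNSKEY":
        # RFC 4034: bit 7 (0x0100) zone key, bit 8 (0x0080) revoke, bit 15 (0x0001) SEP/KSK
        info["zone_key"] = bool(flags & 0x0100)
        info["revoked"] = bool(flags & 0x0080)
        info["role"] = "KSK" if flags & 0x0001 else "ZSK"
    else:
        # RFC 2535 KEY: bits 0-1 = use type (AUTH/CONF), bits 6-7 = owner (name) type
        info["use"] = ["AUTHCONF", "NOCONF", "NOAUTH", "NOAUTHCONF"][flags >> 14]
        info["owner_type"] = ["USER", "ZONE", "HOST", "RESERVED"][(flags >> 8) & 3]
    return info

if __name__ == "__main__":
    # The TSIG sample record from above: flags 512 decodes to HOST / AUTHCONF
    print(parse_key_rr("my-tsig-key. IN KEY 512 3 157 emjb8j5JDB7JFBqXCj5kkQ=="))
```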

Error messages

*ESCAPE Messages

DNS0013
Error processing command parameters.
DNS0065
Option 33 of i5/OS is required, but is not installed.
TCP7124
Program &1 in library &2 type *PGM ended abnormally.