diff --git a/CHANGES b/CHANGES
index 6c87beb8e9..99cc52244f 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,5 @@
+5174. [doc] Tidy dnssec-keygen manual. [GL !1557]
+
5173. [bug] Fixed a race in socket code that could occur when
accept, send, or recv were called from an event
loop but the socket had been closed by another
diff --git a/bin/dnssec/dnssec-keygen.c b/bin/dnssec/dnssec-keygen.c
index c534f9b90f..a493f1bfee 100644
--- a/bin/dnssec/dnssec-keygen.c
+++ b/bin/dnssec/dnssec-keygen.c
@@ -241,7 +241,7 @@ main(int argc, char **argv) {
/*
* Process memory debugging argument first.
*/
-#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:kL:m:n:P:p:qR:r:S:s:T:t:" \
+#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:L:m:n:P:p:qR:r:S:s:T:t:" \
"v:V"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
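Review bot: Dropping `k` from CMDLINE_FLAGS removes the targeted migration message for `-k` as well as the option itself; a user or script that still passes `-k` now presumably lands in the parser's default/unknown-option branch (outside this hunk) and loses the hint to use `-f KSK` or `-T KEY`, which the removed `case 'k':` provided. If the intent is to stop recognising the option, the usage()/unknown-option text should carry that pointer instead, otherwise consider keeping the letter in the option string for one more release so the `fatal()` hint survives: `#define CMDLINE_FLAGS "3A:a:b:Cc:D:d:E:eFf:Gg:hI:i:K:kL:m:n:P:p:qR:r:S:s:T:t:" \`. The enclosing main() and the switch default that now handles `-k` both lie outside this hunk, so the actual error text cannot be confirmed from here.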
@@ -322,11 +322,6 @@ main(int argc, char **argv) {
fatal("cannot open directory %s: %s",
directory, isc_result_totext(ret));
break;
- case 'k':
- fatal("The -k option has been deprecated.\n"
- "To generate a key-signing key, use -f KSK.\n"
- "To generate a key with TYPE=KEY, use -T KEY.\n");
- break;
case 'L':
ttl = strtottl(isc_commandline_argument);
setttl = true;
diff --git a/bin/dnssec/dnssec-keygen.docbook b/bin/dnssec/dnssec-keygen.docbook
index 239bc26bf0..a56ded92b9 100644
--- a/bin/dnssec/dnssec-keygen.docbook
+++ b/bin/dnssec/dnssec-keygen.docbook
@@ -58,11 +58,10 @@
dnssec-keygen
-
-
-
+
+
@@ -77,6 +76,7 @@
+
@@ -87,7 +87,6 @@
- name
@@ -118,6 +117,20 @@
+
+
+ -3
+
+
+ Use an NSEC3-capable algorithm to generate a DNSSEC key.
+ If this option is used with an algorithm that has both
+ NSEC and NSEC3 versions, then the NSEC3 version will be
+ used; for example, dnssec-keygen -3a RSASHA1
+ specifies the NSEC3RSASHA1 algorithm.
+
+
+
+
-a algorithm
@@ -157,11 +170,9 @@
Specifies the number of bits in the key. The choice of key
size depends on the algorithm used. RSA keys must be
- between 1024 and 2048 bits. Diffie Hellman keys must be between
- 128 and 4096 bits. DSA keys must be between 512 and 1024
- bits and an exact multiple of 64. HMAC keys must be
- between 1 and 512 bits. Elliptic curve algorithms don't need
- this parameter.
+ between 1024 and 4096 bits. Diffie Hellman keys must be between
+ 128 and 4096 bits. Elliptic curve algorithms don't need this
+ parameter.
If the key size is not specified, some algorithms have
@@ -173,43 +184,16 @@
-
- -n nametype
-
-
- Specifies the owner type of the key. The value of
- must either be ZONE (for a DNSSEC
- zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
- with a host (KEY)), USER (for a key associated with a
- user(KEY)) or OTHER (DNSKEY). These values are case
- insensitive. Defaults to ZONE for DNSKEY generation.
-
-
-
-
-
- -3
-
-
- Use an NSEC3-capable algorithm to generate a DNSSEC key.
- If this option is used with an algorithm that has both
- NSEC and NSEC3 versions, then the NSEC3 version will be
- used; for example, dnssec-keygen -3a RSASHA1
- specifies the NSEC3RSASHA1 algorithm.
-
-
-
-
-C
- Compatibility mode: generates an old-style key, without
- any metadata. By default, dnssec-keygen
- will include the key's creation date in the metadata stored
- with the private key, and other dates may be set there as well
- (publication date, activation date, etc). Keys that include
- this data may be incompatible with older versions of BIND; the
+ Compatibility mode: generates an old-style key, without any
+ timing metadata. By default, dnssec-keygen
+ will include the key's creation date in the metadata stored with
+ the private key, and other dates may be set there as well
+ (publication date, activation date, etc). Keys that include this
+ data may be incompatible with older versions of BIND; the
option suppresses them.
@@ -293,15 +277,6 @@
-
- -k
-
-
- Deprecated in favor of -T KEY.
-
-
-
-
-L ttl
@@ -318,14 +293,28 @@
+
+ -n nametype
+
+
+ Specifies the owner type of the key. The value of
+ must either be ZONE (for a DNSSEC
+ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated
+ with a host (KEY)), USER (for a key associated with a
+ user(KEY)) or OTHER (DNSKEY). These values are case
+ insensitive. Defaults to ZONE for DNSKEY generation.
+
+
+
+
-p protocol
- Sets the protocol value for the generated key. The protocol
- is a number between 0 and 255. The default is 3 (DNSSEC).
- Other possible values for this argument are listed in
- RFC 2535 and its successors.
+ Sets the protocol value for the generated key, for use
+ with . The protocol is a number between 0
+ and 255. The default is 3 (DNSSEC). Other possible values for
+ this argument are listed in RFC 2535 and its successors.
@@ -383,10 +372,6 @@
must be either DNSKEY or KEY. The
default is DNSKEY when using a DNSSEC algorithm, but it can be
overridden to KEY for use with SIG(0).
-
-
- Specifying any TSIG algorithm (HMAC-* or DH) with
- forces this option to KEY.
@@ -395,19 +380,11 @@
-t type
- Indicates the use of the key. must be
- one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
- is AUTHCONF. AUTH refers to the ability to authenticate
- data, and CONF the ability to encrypt data.
-
-
-
-
-
- -v level
-
-
- Sets the debugging level.
+ Indicates the use of the key, for use with . must be one of AUTHCONF,
+ NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
+ refers to the ability to authenticate data, and CONF the ability
+ to encrypt data.
@@ -421,6 +398,15 @@
+
+ -v level
+
+
+ Sets the debugging level.
+
+
+
+
@@ -606,11 +592,11 @@
EXAMPLE
- To generate an ECDSAP256SHA256 key for the domain
- example.com, the following command would be
- issued:
+ To generate an ECDSAP256SHA256 zone-signing key for the zone
+ example.com, issue the command:
- dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
+
+ dnssec-keygen -a ECDSAP256SHA256 example.com
The command would print a string of the form:
@@ -623,6 +609,12 @@
and
Kexample.com.+013+26160.private.
+
+ To generate a matching key-signing key, issue the command:
+
+
+ dnssec-keygen -a ECDSAP256SHA256 -f KSK example.com
+ SEE ALSO