.\"
.\" ldnssec-keygen.1
.\" Written in 2021 by Lucas
.\" CC0 1.0 Universal/Public domain - No rights reserved
.\"
.\" To the extent possible under law, the author(s) have dedicated all
.\" copyright and related and neighboring rights to this software to the
.\" public domain worldwide. This software is distributed without any
.\" warranty. You should have received a copy of the CC0 Public Domain
.\" Dedication along with this software. If not, see
.\" .
.\"
.Dd December 14, 2021
.Dt LDNSSEC-KEYGEN 1
.Os
.Sh NAME
.Nm ldnssec-keygen
.Nd DNSSEC key management utility
.Sh SYNOPSIS
.Nm
.Cm dnskey
.Op Fl d Ar domain
.Op Fl k
.Nm
.Cm ds
.Op Fl a Ar algorithm
.Op Fl d Ar domain
.Nm
.Cm filename
.Op Fl d Ar domain
.Nm
.Cm gen
.Op Fl a Ar algorithm
.Op Fl b Ar bits
.Sh DESCRIPTION
.Nm
is a utility for managing DNSSEC signing keys.
It allows for generating private keys,
printing the corresponding DS or DNSKEY records for those keys,
and printing a BIND / LDNS filename.
.Bl -tag -width Ds
.It Nm Cm dnskey Oo Fl d Ar domain Oc Oo Fl k Oc
Read a private key from
.Em stdin
and print the corresponding DNSKEY resource record.
If
.Fl d Ar domain
is provided, use
.Ar domain
as the owner name for the resource record.
If
.Fl k
is provided, set the
.Em SEP
flag in the resource record, signalling the key should be used as a
.Em KSK .
.It Nm Cm ds Oo Fl a Ar algorithm Oc Oo Fl d Ar domain Oc
Read a private key from
.Em stdin
and print the corresponding DS resource record.
If
.Fl a Ar algorithm
is provided, use that algorithm for the fingerprint, instead of the default
.Em SHA-256 .
If
.Fl d Ar domain
is provided, use
.Ar domain
as the owner name for the resource record.
.Nm
.Cm ds
will unconditionally treat the provided key as a
.Em KSK .
.It Nm Cm filename Op Fl d Ar domain
Read a private key from
.Em stdin
and print the corresponding base filename for it,
in the same fashion as BIND or LDNS:
.Em K<domain>+<algorithm>+<keytag> .
If
.Fl d Ar domain
is provided, use
.Ar domain
as the domain name.
.It Nm Cm gen Oo Fl a Ar algorithm Oc Oo Fl b Ar bits Oc
Generate a private key and print it to
.Em stdout .
If
.Fl a Ar algorithm
is provided, generate a key for
.Ar algorithm
instead of the default of
.Em ECDSAP256SHA256 .
If
.Fl b Ar bits
is provided, generate a key of size
.Ar bits .
Note that not all supported algorithms accept a key size.
.El
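.Pp
As an added example that is not part of
.Nm
itself, the following Python derives what the
.Cm ds
and
.Cm filename
commands print from a DNSKEY: the key tag (RFC 4034, Appendix B), the SHA-256 DS digest and the K<domain>+<algorithm>+<keytag> base name, using a constructed 64-byte public key and showing why the SEP flag changes the resulting DS record.

```python
"""Derive the DNSSEC key tag, DS record and BIND-style filename for a DNSKEY."""
import hashlib
import struct

# Constructed sample value (not a real key): algorithm 13 (ECDSAP256SHA256)
# carries the 64-byte uncompressed X||Y point as its public key.
SAMPLE_PUBKEY = bytes([0x01]) * 64
ALG_ECDSAP256SHA256 = 13
FLAG_ZONE = 256  # ZONE bit, set on every zone key (a ZSK has only this)
FLAG_SEP = 1     # Secure Entry Point bit, set on a KSK (the -k flag)


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA in wire format: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B over the whole DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def wire_name(owner: str) -> bytes:
    """Owner name as lower-cased (canonical) DNS wire-format labels."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def ds_digest(owner: str, rdata: bytes) -> str:
    """SHA-256 DS digest (digest type 2) over canonical owner name || RDATA."""
    return hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner: str, rdata: bytes) -> str:
    # rdata[3] is the algorithm octet; a DS is only meaningful for a KSK.
    return f"{owner} IN DS {key_tag(rdata)} {rdata[3]} 2 {ds_digest(owner, rdata)}"


def bind_filename(owner: str, rdata: bytes) -> str:
    """Base name in the K<name>+<alg>+<keytag> style used by BIND and LDNS."""
    return f"K{owner}+{rdata[3]:03d}+{key_tag(rdata):05d}"


if __name__ == "__main__":
    ksk = dnskey_rdata(FLAG_ZONE | FLAG_SEP, ALG_ECDSAP256SHA256, SAMPLE_PUBKEY)
    zsk = dnskey_rdata(FLAG_ZONE, ALG_ECDSAP256SHA256, SAMPLE_PUBKEY)
    print(bind_filename("example.", ksk))   # Kexample.+013+09262
    print(ds_record("example.", ksk))
    # Same key material, different flags: different key tag and DS digest.
    print(ds_digest("example.", ksk) != ds_digest("example.", zsk))
```

Because the flags octets are part of the digested RDATA, a DS published for a key with the SEP bit set will not validate a DNSKEY that omits it, which is why the ds subcommand always treats its input as a KSK.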
.Sh EXIT STATUS
.Ex -std
.Sh EXAMPLES
To create a private key suitable for DNSSEC signing
.Bd -literal -offset indent
$ ldnssec-keygen gen | tee sk
Private-key-format: v1.2
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: ET6oewFD3NSZ+mKMgN9rWHKRZc9ULiGpILVjrUr+vko=
.Ed
.Pp
Note that this command specifies neither the domain the key will be used for
nor the role of the generated key:
it can serve either as a KSK or as a ZSK.
The following commands define its use.
.Pp
If the generated key will be used as a
.Em ZSK
for the zone
.Ql zsk.example\&. ,
then
.Bd -literal -offset indent
$ ldnssec-keygen filename -d zsk.example.