# dnssec-keygen

The `dnssec-keygen` command is used to generate DNSSEC (Domain Name System Security Extensions) keys for signing zones in DNSSEC-enabled domains. Here's an overview of how `dnssec-keygen` works and its usage:

### Purpose of `dnssec-keygen`:

DNSSEC keys are essential for securing DNS data by providing cryptographic signatures that can be verified to ensure the authenticity and integrity of DNS records. `dnssec-keygen` generates various types of keys required for DNSSEC:

1. **Key Signing Key (KSK)**: Used to sign other keys (Zone Signing Keys).
2. **Zone Signing Key (ZSK)**: Used to sign DNS resource records (RRs) within a zone.

### Syntax:

```bash
dnssec-keygen [options] zone-name
```

### Common Options:

* `-a algorithm`: Specifies the cryptographic algorithm to use (default is `rsasha256`).
* `-b keysize`: Specifies the key size in bits (default is algorithm-specific).
* `-n type`: Specifies the key type (`ksk` for Key Signing Key or `zsk` for Zone Signing Key).
* `-f keyfile`: Specifies the filename prefix for the generated keys.
* `-K directory`: Specifies the directory where the keys will be stored.
* `-c class`: Specifies the DNS class (default is `IN` for Internet).

### Example Usage:

#### Generating a Key Signing Key (KSK):

```bash
dnssec-keygen -a RSASHA256 -b 2048 -n KSK example.com
```

This command generates a Key Signing Key (`Kexample.com.+008+12345`) using the RSA-SHA256 algorithm (`RSASHA256`) with a key size of 2048 bits (`-b 2048`). The keys will be stored in the current directory by default.

#### Generating a Zone Signing Key (ZSK):

```bash
dnssec-keygen -a RSASHA256 -b 1024 -n ZSK example.com
```

This command generates a Zone Signing Key (`Kexample.com.+008+54321`) using the RSA-SHA256 algorithm (`RSASHA256`) with a key size of 1024 bits (`-b 1024`).

### Key Output:

After running `dnssec-keygen`, you will get two files for each key generated:

* `<keyname>.key`: Contains the public key that can be published in DNS zone files.
* `<keyname>.private`: Contains the private key used for signing DNS records.

### Key Management:

* **Rolling Keys**: Periodically generate new keys (`KSK` and `ZSK`) to improve security and rotate them in DNS zone configurations.
* **Secure Storage**: Safeguard private keys (`*.private`) to prevent unauthorized access and use.
* **DNSSEC Zone Configuration**: Update DNS zone configuration files (`zone files`) with new keys and signatures.

DNSSEC is critical for enhancing DNS security by providing data integrity and authenticity assurances. `dnssec-keygen` is a fundamental tool for generating the cryptographic keys necessary to implement DNSSEC and protect DNS data against various types of attacks.