


coredns-keygen - generate a key pair suitable for signing DNS zones.


coredns-keygen generates a Common Signing Key for the purpose of signing zones. It has no options and will generate a key with the ECDSAP256SHA256 algorithm (elliptic curve) and the KSK bit set.


coredns-keygen ZONES...
  • ZONES zones it should generate keys for.

For each key pair the following files are created:

  • K<zone>.+<algorithm>+<keytag>.key for the DNSKEY RR, and
  • K<zone>.+<algorithm>+<keytag>.private for the private one.

For each generated key the base name of these files is printed to standard output once.
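The key tag in the file name is derived from the DNSKEY record itself, so a `.key` file can be checked against its name before the key is loaded or its DS record is published. The following is an added example, not code from coredns-keygen: it recomputes the base name from one DNSKEY RR and rejects records that are not a 64-byte ECDSAP256SHA256 key with flags 257. Assumptions: the helper names `keyTag` and `baseName` are hypothetical, the owner name is fully qualified, the zero-padded `+013+01038` widths follow the dnssec-keygen naming convention, and the sample record is constructed (64 zero bytes, not a real key).

```go
package main

import (
	"encoding/base64"
	"fmt"
	"strings"
)

// keyTag is the RFC 4034 Appendix B checksum over the DNSKEY RDATA.
func keyTag(rdata []byte) uint16 {
	var ac uint32
	for i, b := range rdata {
		ac += uint32(b) << uint(8*(1-i%2)) // even offsets are the high byte
	}
	ac += (ac >> 16) & 0xFFFF
	return uint16(ac)
}

// baseName parses "<owner> [ttl] [class] DNSKEY <flags> <proto> <alg> <base64>"
// and returns the K<zone>+<algorithm>+<keytag> base name its files should carry.
func baseName(rr string) (string, error) {
	f := strings.Fields(rr)
	i := 0
	for i < len(f) && f[i] != "DNSKEY" {
		i++
	}
	if i == 0 || len(f) < i+5 {
		return "", fmt.Errorf("not a DNSKEY record")
	}
	var flags, proto, alg uint16
	if _, err := fmt.Sscan(strings.Join(f[i+1:i+4], " "), &flags, &proto, &alg); err != nil {
		return "", err
	}
	pub, err := base64.StdEncoding.DecodeString(strings.Join(f[i+4:], ""))
	if err != nil || len(pub) != 64 {
		return "", fmt.Errorf("public key must be 64 bytes of base64 (err: %v)", err)
	}
	if flags != 257 || proto != 3 || alg != 13 { // KSK bit set, ECDSAP256SHA256
		return "", fmt.Errorf("unexpected flags/protocol/algorithm: %d %d %d", flags, proto, alg)
	}
	rdata := append([]byte{byte(flags >> 8), byte(flags), byte(proto), byte(alg)}, pub...)
	return fmt.Sprintf("K%s+%03d+%05d", strings.ToLower(f[0]), alg, keyTag(rdata)), nil
}

func main() {
	// Constructed record: 64 zero bytes stand in for the public key.
	rr := "example.org. 3600 IN DNSKEY 257 3 13 " + strings.Repeat("A", 86) + "=="
	fmt.Println(baseName(rr))
}
```

Compare the returned name with the name of the `.key` file on disk; a mismatch means the file was renamed, edited or swapped after generation.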


Generate keys for and

$ coredns-keygen

Also See

dnssec-keygen(8) can also be used to generate keys and supports more options. See RFC 4033, 4034, 4035 for the whole DNSSEC specification.
