bin/dnssec/dnssec-keyfromlabel.docbook

2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<!--
bc6f4c1c4c1b739fd06d2de05b77b9d08c4d8a5aTinderbox User - Copyright (C) 2008-2012, 2014-2017  Internet Systems Consortium, Inc. ("ISC")
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont -
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - This Source Code Form is subject to the terms of the Mozilla Public
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - file, You can obtain one at http://mozilla.org/MPL/2.0/.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont-->
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<!-- Converted by db4-upgrade version 1.0 -->
83a28ca274521e15086fc39febde507bcc4e145eMark Andrews<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-keyfromlabel">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <info>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <date>2014-02-27</date>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </info>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  <refentryinfo>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <date>August 27, 2015</date>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <corpname>ISC</corpname>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  </refentryinfo>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  <refmeta>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <manvolnum>8</manvolnum>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <refmiscinfo>BIND9</refmiscinfo>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  </refmeta>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  <refnamediv>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <refname><application>dnssec-keyfromlabel</application></refname>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <refpurpose>DNSSEC key generation tool</refpurpose>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  </refnamediv>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  <docinfo>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <copyright>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <year>2008</year>
26d8ffe715e74d1e67d268551449b780fec1b95fAutomatic Updater      <year>2009</year>
ca4e44ebe8f3b29a426fe047c4192262ca660c6fAutomatic Updater      <year>2010</year>
784a904bd06c7492361ed09a882d10c636b1291bAutomatic Updater      <year>2011</year>
99d8f5a70440ee8b63ab1745d713b96dde890546Tinderbox User      <year>2012</year>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User      <year>2014</year>
19c7b1a0293498a3e36692c59646ed6e15ffc8d0Tinderbox User      <year>2015</year>
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews      <year>2016</year>
bc6f4c1c4c1b739fd06d2de05b77b9d08c4d8a5aTinderbox User      <year>2017</year>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    </copyright>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  </docinfo>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  <refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <cmdsynopsis sepchar=" ">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <command>dnssec-keyfromlabel</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="req" rep="norepeat">-l <replaceable class="parameter">label</replaceable></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-3</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-G</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-k</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-S <replaceable class="parameter">key</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-t <replaceable class="parameter">type</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-V</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="opt" rep="norepeat"><option>-y</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="req" rep="norepeat">name</arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    </cmdsynopsis>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont  </refsynopsisdiv>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>DESCRIPTION</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <para><command>dnssec-keyfromlabel</command>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt      generates a key pair of files that referencing a key object stored
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt      in a cryptographic hardware service module (HSM).  The private key
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt      file can be used for DNSSEC signing of zone data as if it were a
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt      conventional signing key created by <command>dnssec-keygen</command>,
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt      but the key material is stored within the HSM, and the actual signing
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt      takes place there.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    </para>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont    <para>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      The <option>name</option> of the key is specified on the command
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      line.  This must match the name of the zone for which the key is
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      being generated.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>OPTIONS</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <variablelist>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-a <replaceable class="parameter">algorithm</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont        Selects the cryptographic algorithm.  The value of
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        <option>algorithm</option> must be one of RSAMD5, RSASHA1,
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews        DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont        ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews        These values are case insensitive.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        If no algorithm is specified, then RSASHA1 will be used by
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        default, unless the <option>-3</option> option is specified,
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        in which case NSEC3RSASHA1 will be used instead.  (If
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        <option>-3</option> is used and an algorithm is specified,
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        that algorithm will be checked for compatibility with NSEC3.)
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        algorithm, and DSA is recommended.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Note 2: DH automatically sets the -k flag.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-3</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt        Use an NSEC3-capable algorithm to generate a DNSSEC key.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        If this option is used and no algorithm is explicitly
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        set on the command line, NSEC3RSASHA1 will be used by
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        default.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt      </varlistentry>
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-E <replaceable class="parameter">engine</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Specifies the cryptographic hardware to use.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        When BIND is built with OpenSSL PKCS#11 support, this defaults
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        to the string "pkcs11", which identifies an OpenSSL engine
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        that can drive a cryptographic accelerator or hardware service
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        module.  When BIND is built with native PKCS#11 cryptography
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        (--enable-native-pkcs11), it defaults to the path of the PKCS#11
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        provider library specified via "--with-pkcs11".
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont      </varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-l <replaceable class="parameter">label</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Specifies the label for a key pair in the crypto hardware.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        When <acronym>BIND</acronym> 9 is built with OpenSSL-based
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        PKCS#11 support, the label is an arbitrary string that
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        identifies a particular key.  It may be preceded by an
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        optional OpenSSL engine name, followed by a colon, as in
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        "pkcs11:<replaceable>keylabel</replaceable>".
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        When <acronym>BIND</acronym> 9 is built with native PKCS#11
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        support, the label is a PKCS#11 URI string in the format
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        "pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>"
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Keywords include "token", which identifies the HSM; "object", which
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        identifies the key; and "pin-source", which identifies a file from
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        which the HSM's PIN code can be obtained.  The label will be
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        stored in the on-disk "private" file.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        If the label contains a
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        <option>pin-source</option> field, tools using the generated
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        key files will be able to use the HSM for signing and other
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        operations without any need for an operator to manually enter
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        a PIN.  Note: Making the HSM's PIN accessible in this manner
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        may reduce the security advantage of using an HSM; be sure
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        this is what you want to do before making use of this feature.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-n <replaceable class="parameter">nametype</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Specifies the owner type of the key.  The value of
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        <option>nametype</option> must either be ZONE (for a DNSSEC
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        a host (KEY)),
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        These values are case insensitive.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-C</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont        Compatibility mode:  generates an old-style key, without
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont        any metadata.  By default, <command>dnssec-keyfromlabel</command>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont        will include the key's creation date in the metadata stored
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont        with the private key, and other dates may be set there as well
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont        (publication date, activation date, etc).  Keys that include
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont        this data may be incompatible with older versions of BIND; the
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont        <option>-C</option> option suppresses them.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-c <replaceable class="parameter">class</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Indicates that the DNS record containing the key should have
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        the specified class.  If not specified, class IN is used.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-f <replaceable class="parameter">flag</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Set the specified flag in the flag field of the KEY/DNSKEY record.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        The only recognized flags are KSK (Key Signing Key) and REVOKE.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-G</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Generate a key, but do not publish it or sign with it.  This
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        option is incompatible with -P and -A.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt      </varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-h</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Prints a short summary of the options and arguments to
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        <command>dnssec-keyfromlabel</command>.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-K <replaceable class="parameter">directory</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the directory in which the key files are to be written.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt      </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-k</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Generate KEY records rather than DNSKEY records.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-L <replaceable class="parameter">ttl</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the default TTL to use for this key when it is converted
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        into a DNSKEY RR.  If the key is imported into a zone,
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        this is the TTL that will be used for it, unless there was
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        already a DNSKEY RRset in place, in which case the existing TTL
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        would take precedence.  Setting the default TTL to
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        <literal>0</literal> or <literal>none</literal> removes it.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt      </varlistentry>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-p <replaceable class="parameter">protocol</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the protocol value for the key.  The protocol
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        is a number between 0 and 255.  The default is 3 (DNSSEC).
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Other possible values for this argument are listed in
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        RFC 2535 and its successors.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-S <replaceable class="parameter">key</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Generate a key as an explicit successor to an existing key.
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt        The name, algorithm, size, and type of the key will be set
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt        to match the predecessor. The activation date of the new
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt        key will be set to the inactivation date of the existing
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt        one. The publication date will be set to the activation
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt        date minus the prepublication interval, which defaults to
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt        30 days.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt      </varlistentry>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-t <replaceable class="parameter">type</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Indicates the use of the key.  <option>type</option> must be
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        is AUTHCONF.  AUTH refers to the ability to authenticate
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        data, and CONF the ability to encrypt data.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-v <replaceable class="parameter">level</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the debugging level.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman      <varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman    <term>-V</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman      <para>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman        Prints version information.
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman      </varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-y</term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Allows DNSSEC key files to be generated even if the key ID
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt        would collide with that of an existing key, in the event of
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt        either key being revoked.  (This is only safe to use if you
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        are sure you won't be using RFC 5011 trust anchor maintenance
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        with either of the keys involved.)
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt      </varlistentry>
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>TIMING OPTIONS</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont    <para>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      If the argument begins with a '+' or '-', it is interpreted as
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      an offset from the present time.  For convenience, if such an offset
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      then the offset is computed in years (defined as 365 24-hour days,
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      ignoring leap years), months (defined as 30 24-hour days), weeks,
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      days, hours, or minutes, respectively.  Without a suffix, the offset
a165a17a81ff3285f4f4d79785fafb465e626183Evan Hunt      is computed in seconds.  To explicitly prevent a date from being
a165a17a81ff3285f4f4d79785fafb465e626183Evan Hunt      set, use 'none' or 'never'.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont    </para>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont    <variablelist>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-P <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the date on which a key is to be published to the zone.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        After that date, the key will be included in the zone but will
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        not be used to sign it.  If not set, and if the -G option has
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        not been used, the default is "now".
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the date on which the CDS and CDNSKEY records which match
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        this key are to be published to the zone.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-A <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the date on which the key is to be activated.  After that
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        date, the key will be included in the zone and used to sign
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        it.  If not set, and if the -G option has not been used, the
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        default is "now".
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-R <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the date on which the key is to be revoked.  After that
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        date, the key will be flagged as revoked.  It will be included
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        in the zone and will be used to sign it.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-I <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the date on which the key is to be retired.  After that
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        date, the key will still be included in the zone, but it
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        will not be used to sign it.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-D <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the date on which the key is to be deleted.  After that
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        date, the key will no longer be included in the zone.  (It
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        may remain in the key repository, however.)
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <varlistentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      <para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        Sets the date on which the CDS and CDNSKEY records which match
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews        this key are to be deleted.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      </para>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </listitem>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      </varlistentry>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt      <varlistentry>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt        <term>-i <replaceable class="parameter">interval</replaceable></term>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt        <listitem>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt          <para>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            Sets the prepublication interval for a key.  If set, then
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            the publication and activation dates must be separated by at least
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            this much time.  If the activation date is specified but the
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            publication date isn't, then the publication date will default
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            to this much time before the activation date; conversely, if
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            the publication date is specified but activation date isn't,
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            then activation will be set to this much time after publication.
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt          </para>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt          <para>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            If the key is being created as an explicit successor to another
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews            key, then the default prepublication interval is 30 days;
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            otherwise it is zero.
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt          </para>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt          <para>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            As with date offsets, if the argument is followed by one of
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            interval is measured in years, months, weeks, days, hours,
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            or minutes, respectively.  Without a suffix, the interval is
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt            measured in seconds.
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt          </para>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt        </listitem>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt      </varlistentry>
a60bf97f9f7dcde6f4ca6e8188245fb0866200dbEvan Hunt
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont    </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>GENERATED KEY FILES</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      When <command>dnssec-keyfromlabel</command> completes
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      successfully,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      to the standard output.  This is an identification string for
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      the key files it has generated.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    </para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <itemizedlist>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <para><filename>nnnn</filename> is the key name.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <para><filename>aaa</filename> is the numeric representation
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      of the algorithm.
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <listitem>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <para><filename>iiiii</filename> is the key identifier (or
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews      footprint).
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    </para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </listitem>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    </itemizedlist>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews    <para><command>dnssec-keyfromlabel</command>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      creates two files, with names based
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      contains the public key, and
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <filename>Knnnn.+aaa+iiiii.private</filename> contains the
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      private key.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    </para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      The <filename>.key</filename> file contains a DNS KEY record
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      that
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      can be inserted into a zone file (directly or with a $INCLUDE
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      statement).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    </para>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <para>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      The <filename>.private</filename> file contains
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont      algorithm-specific
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      fields.  For obvious security reasons, this file does not have
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      general read permission.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsection><info><title>SEE ALSO</title></info>
30eec077db2bdcb6f2a0dc388a3cdde2ede75ec1Mark Andrews
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    <para><citerefentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </citerefentry>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <citerefentry>
e939674d53a127ddeeaf4b41fd72933f0b493308Mark Andrews    <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      </citerefentry>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt      <citetitle>RFC 4034</citetitle>,
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt      <citetitle>The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</citetitle>.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsection>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt</refentry>