dnssec-keyfromlabel.docbook revision 11d8c966ea7c7cbc9384eb6558a9d2a15e45cf40
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont [<!ENTITY mdash "—">]>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User - Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
db0008c4486414b81e90dca9938e1fc2320e5133Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - purpose with or without fee is hereby granted, provided that the above
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - copyright notice and this permission notice appear in all copies.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt<!-- $Id: dnssec-keyfromlabel.docbook,v 1.21 2011/03/17 01:40:34 each Exp $ -->
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refentryinfo>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </refentryinfo>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refname><application>dnssec-keyfromlabel</application></refname>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refpurpose>DNSSEC key generation tool</refpurpose>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </refnamediv>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refsynopsisdiv>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <cmdsynopsis>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </cmdsynopsis>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </refsynopsisdiv>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont gets keys with the given label from a crypto hardware and builds
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont key files for DNSSEC (Secure DNS), as defined in RFC 2535
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont and RFC 4034.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont The <option>name</option> of the key is specified on the command
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont line. This must match the name of the zone for which the key is
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont being generated.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <variablelist>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-a <replaceable class="parameter">algorithm</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Selects the cryptographic algorithm. The value of
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt <option>algorithm</option> must be one of RSAMD5, RSASHA1,
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews ECDSAP256SHA256 or ECDSAP384SHA384.
6098d364b690cb9dabf96e9664c4689c8559bd2eMark Andrews These values are case insensitive.
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt If no algorithm is specified, then RSASHA1 will be used by
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt default, unless the <option>-3</option> option is specified,
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt in which case NSEC3RSASHA1 will be used instead. (If
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt <option>-3</option> is used and an algorithm is specified,
cc6cddfd94e8f0c58c290317b0853dac30b1b895Evan Hunt that algorithm will be checked for compatibility with NSEC3.)
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont algorithm, and DSA is recommended.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Note 2: DH automatically sets the -k flag.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt <varlistentry>
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt Use an NSEC3-capable algorithm to generate a DNSSEC key.
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt If this option is used and no algorithm is explicitly
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt set on the command line, NSEC3RSASHA1 will be used by
d1f39121a69b6afa6c0c9e44eceb60910d1d7f81Evan Hunt </varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <varlistentry>
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont <term>-E <replaceable class="parameter">engine</replaceable></term>
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt Specifies the cryptographic hardware to use.
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt When BIND is built with OpenSSL PKCS#11 support, this defaults
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt to the string "pkcs11", which identifies an OpenSSL engine
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt that can drive a cryptographic accelerator or hardware service
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt module. When BIND is built with native PKCS#11 cryptography
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt (--enable-native-pkcs11), it defaults to the path of the PKCS#11
ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt provider library specified via "--with-pkcs11".
8b78c993cb475cc94e88560941b28c37684789d9Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-l <replaceable class="parameter">label</replaceable></term>
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt Specifies the label for a key pair in the crypto hardware.
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt When <acronym>BIND</acronym> 9 is built with OpenSSL-based
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt PKCS#11 support, the label is an arbitrary string that
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt identifies a particular key. It may be preceded by an
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt optional OpenSSL engine name, followed by a colon, as in
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt When <acronym>BIND</acronym> 9 is built with native PKCS#11
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt support, the label is a PKCS#11 URI string in the format
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt "pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>"
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt Keywords include "token", which identifies the HSM; "object", which
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt identifies the key; and "pin-source", which identifies a file from
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt which the HSM's PIN code can be obtained. The label will be
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt stored in the on-disk "private" file.
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt If the label contains a
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt <option>pin-source</option> field, tools using the generated
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt key files will be able to use the HSM for signing and other
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt operations without any need for an operator to manually enter
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt a PIN. Note: Making the HSM's PIN accessible in this manner
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt may reduce the security advantage of using an HSM; be sure
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt this is what you want to do before making use of this feature.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-n <replaceable class="parameter">nametype</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Specifies the owner type of the key. The value of
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <option>nametype</option> must either be ZONE (for a DNSSEC
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont a host (KEY)),
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont These values are case insensitive.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont Compatibility mode: generates an old-style key, without
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont any metadata. By default, <command>dnssec-keyfromlabel</command>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont will include the key's creation date in the metadata stored
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont with the private key, and other dates may be set there as well
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont (publication date, activation date, etc). Keys that include
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont this data may be incompatible with older versions of BIND; the
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-c <replaceable class="parameter">class</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Indicates that the DNS record containing the key should have
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the specified class. If not specified, class IN is used.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-f <replaceable class="parameter">flag</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Set the specified flag in the flag field of the KEY/DNSKEY record.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont The only recognized flags are KSK (Key Signing Key) and REVOKE.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt <varlistentry>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt Generate a key, but do not publish it or sign with it. This
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt option is incompatible with -P and -A.
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Prints a short summary of the options and arguments to
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-K <replaceable class="parameter">directory</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the directory in which the key files are to be written.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Generate KEY records rather than DNSKEY records.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <varlistentry>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <term>-L <replaceable class="parameter">ttl</replaceable></term>
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt Sets the default TTL to use for this key when it is converted
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt into a DNSKEY RR. If the key is imported into a zone,
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt this is the TTL that will be used for it, unless there was
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt already a DNSKEY RRset in place, in which case the existing TTL
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt would take precedence. Setting the default TTL to
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt <literal>0</literal> or <literal>none</literal> removes it.
61bcc232038f0a2cb77ed6269675fdc288f5ec98Evan Hunt </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-p <replaceable class="parameter">protocol</replaceable></term>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont Sets the protocol value for the key. The protocol
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is a number between 0 and 255. The default is 3 (DNSSEC).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Other possible values for this argument are listed in
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont RFC 2535 and its successors.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-t <replaceable class="parameter">type</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Indicates the use of the key. <option>type</option> must be
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is AUTHCONF. AUTH refers to the ability to authenticate
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont data, and CONF the ability to encrypt data.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-v <replaceable class="parameter">level</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the debugging level.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt <varlistentry>
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt Allows DNSSEC key files to be generated even if the key ID
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt would collide with that of an existing key, in the event of
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt either key being revoked. (This is only safe to use if you
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt are sure you won't be using RFC 5011 trust anchor maintenance
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt with either of the keys involved.)
8a198fa776a09beb4dabf40b73a54d9c7bd70ac9Evan Hunt </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </variablelist>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont If the argument begins with a '+' or '-', it is interpreted as
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont an offset from the present time. For convenience, if such an offset
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont then the offset is computed in years (defined as 365 24-hour days,
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont ignoring leap years), months (defined as 30 24-hour days), weeks,
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont days, hours, or minutes, respectively. Without a suffix, the offset
a165a17a81ff3285f4f4d79785fafb465e626183Evan Hunt is computed in seconds. To explicitly prevent a date from being
a165a17a81ff3285f4f4d79785fafb465e626183Evan Hunt set, use 'none' or 'never'.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <variablelist>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <term>-P <replaceable class="parameter">date/offset</replaceable></term>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont Sets the date on which a key is to be published to the zone.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont After that date, the key will be included in the zone but will
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt not be used to sign it. If not set, and if the -G option has
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt not been used, the default is "now".
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <term>-A <replaceable class="parameter">date/offset</replaceable></term>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont Sets the date on which the key is to be activated. After that
eec29cfd40361662b25bad50e1b94f7738a8fea0Jeremy Reed date, the key will be included in the zone and used to sign
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt it. If not set, and if the -G option has not been used, the
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt default is "now".
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <term>-R <replaceable class="parameter">date/offset</replaceable></term>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont Sets the date on which the key is to be revoked. After that
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont date, the key will be flagged as revoked. It will be included
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont in the zone and will be used to sign it.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <varlistentry>
5cfe4bcb0afd71f6bc1cc2dab37a9ad6181c13f9Mark Andrews <term>-I <replaceable class="parameter">date/offset</replaceable></term>
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt Sets the date on which the key is to be retired. After that
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt date, the key will still be included in the zone, but it
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt will not be used to sign it.
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont <term>-D <replaceable class="parameter">date/offset</replaceable></term>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont Sets the date on which the key is to be deleted. After that
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt date, the key will no longer be included in the zone. (It
b843f577bbcd6660fbaa506d9e55b156c689a5a8Evan Hunt may remain in the key repository, however.)
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont </varlistentry>
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont </variablelist>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont When <command>dnssec-keyfromlabel</command> completes
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont successfully,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont to the standard output. This is an identification string for
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the key files it has generated.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <itemizedlist>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <para><filename>nnnn</filename> is the key name.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <para><filename>aaa</filename> is the numeric representation
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont of the algorithm.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <para><filename>iiiii</filename> is the key identifier (or
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </itemizedlist>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont creates two files, with names based
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont contains the public key, and
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <filename>Knnnn.+aaa+iiiii.private</filename> contains the
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The <filename>.key</filename> file contains a DNS KEY record
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont can be inserted into a zone file (directly or with a $INCLUDE
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont The <filename>.private</filename> file contains
1f821c10583d9cddbaf3626a96ff8cf10cdb645bFrancis Dupont algorithm-specific
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont fields. For obvious security reasons, this file does not have
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont general read permission.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </citerefentry>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <citerefentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </citerefentry>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
08c67b5b7a54047fbfed423a59b48c86177b9859Evan Hunt <citetitle>The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</citetitle>.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <para><corpauthor>Internet Systems Consortium</corpauthor>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - Local variables: