dnssec-keyfromlabel.docbook revision 8b78c993cb475cc94e88560941b28c37684789d9
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont [<!ENTITY mdash "—">]>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - Permission to use, copy, modify, and/or distribute this software for any
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - purpose with or without fee is hereby granted, provided that the above
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - copyright notice and this permission notice appear in all copies.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<!-- $Id: dnssec-keyfromlabel.docbook,v 1.11 2009/10/05 17:30:49 fdupont Exp $ -->
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refentryinfo>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </refentryinfo>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refname><application>dnssec-keyfromlabel</application></refname>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refpurpose>DNSSEC key generation tool</refpurpose>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </refnamediv>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <refsynopsisdiv>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <cmdsynopsis>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </cmdsynopsis>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </refsynopsisdiv>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont gets keys with the given label from a cryptographic hardware device and builds
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont key files for DNSSEC (Secure DNS), as defined in RFC 2535
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont and RFC 4034.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The <option>name</option> of the key is specified on the command
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont line. This must match the name of the zone for which the key is
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont being generated.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <variablelist>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-a <replaceable class="parameter">algorithm</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Selects the cryptographic algorithm. The value of
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <option>algorithm</option> must be one of RSAMD5 (RSA),
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie-Hellman).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont These values are case insensitive.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont algorithm, and DSA is recommended.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Note 2: DH automatically sets the -k flag.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-E <replaceable class="parameter">engine</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Specifies the name of the crypto hardware (OpenSSL engine).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont When compiled with PKCS#11 support, it defaults to pkcs11.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-l <replaceable class="parameter">label</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Specifies the label of keys in the crypto hardware (OpenSSL
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont engine). An example for the pkcs11 engine is pkcs11:foo
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont (note that the string pkcs11 appears in both the -E and -l options).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-n <replaceable class="parameter">nametype</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Specifies the owner type of the key. The value of
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <option>nametype</option> must be one of ZONE (for a DNSSEC
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont a host (KEY)),
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont These values are case insensitive.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Compatibility mode: generates an old-style key, without
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont any metadata. By default, <command>dnssec-keyfromlabel</command>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont will include the key's creation date in the metadata stored
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont with the private key, and other dates may be set there as well
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont (publication date, activation date, etc). Keys that include
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont this data may be incompatible with older versions of BIND; the
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-c <replaceable class="parameter">class</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Indicates that the DNS record containing the key should have
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the specified class. If not specified, class IN is used.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-f <replaceable class="parameter">flag</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the specified flag in the flag field of the KEY/DNSKEY record.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The only recognized flags are KSK (Key Signing Key) and REVOKE.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Generate a key, but do not publish it or sign with it. This
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont option is incompatible with -P and -A.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Prints a short summary of the options and arguments to
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-K <replaceable class="parameter">directory</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the directory in which the key files are to be written.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Generate KEY records rather than DNSKEY records.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-p <replaceable class="parameter">protocol</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the protocol value for the key. The protocol
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is a number between 0 and 255. The default is 3 (DNSSEC).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Other possible values for this argument are listed in
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont RFC 2535 and its successors.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-t <replaceable class="parameter">type</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Indicates the use of the key. <option>type</option> must be
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is AUTHCONF. AUTH refers to the ability to authenticate
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont data, and CONF to the ability to encrypt data.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-v <replaceable class="parameter">level</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the debugging level.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </variablelist>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont If the argument begins with a '+' or '-', it is interpreted as
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont an offset from the present time. For convenience, if such an offset
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont then the offset is computed in years (defined as 365 24-hour days,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont ignoring leap years), months (defined as 30 24-hour days), weeks,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont days, hours, or minutes, respectively. Without a suffix, the offset
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is computed in seconds.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <variablelist>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <term>-P <replaceable class="parameter">date/offset</replaceable></term>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the date on which a key is to be published to the zone.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont After that date, the key will be included in the zone but will
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont not be used to sign it. If not set, and if the -G option has
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont not been used, the default is "now".
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont </varlistentry>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <varlistentry>