dnssec-keyfromlabel.docbook revision 6ea2385360e9e2167e65f9286447da9eea189457
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "—">]>
<!--
 - Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.21 2011/03/17 01:40:34 each Exp $ -->
<refentryinfo>
</refentryinfo>
<refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
<refnamediv>
<refname><application>dnssec-keyfromlabel</application></refname>
<refpurpose>DNSSEC key generation tool</refpurpose>
</refnamediv>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
<refsynopsisdiv>
<cmdsynopsis>
<arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
<arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<command>dnssec-keyfromlabel</command>
gets keys with the given label from cryptographic hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
The <option>name</option> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <option>-3</option> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<option>-3</option> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
algorithm, and DSA is recommended.
Note 2: DH automatically sets the -k flag.
</varlistentry>
<varlistentry>
<term>-3</term>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
Specifies the cryptographic hardware to use.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">label</replaceable></term>
Specifies the label of the key pair in the crypto hardware.
The label may be preceded by an optional OpenSSL engine name,
separated by a colon, as in "pkcs11:keylabel".
</varlistentry>
<varlistentry>
<term>-n <replaceable class="parameter">nametype</replaceable></term>
Specifies the owner type of the key. The value of
<option>nametype</option> must be one of ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</varlistentry>
<varlistentry>
Compatibility mode: generates an old-style key, without
any metadata. By default, <command>dnssec-keyfromlabel</command>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">flag</replaceable></term>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</varlistentry>
<varlistentry>
<term>-G</term>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</varlistentry>
<varlistentry>
Prints a short summary of the options and arguments to
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
Sets the directory in which the key files are to be written.
</varlistentry>
<varlistentry>
<term>-k</term>
Generate KEY records rather than DNSKEY records.
</varlistentry>
<varlistentry>
<term>-L <replaceable class="parameter">ttl</replaceable></term>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<literal>0</literal> or <literal>none</literal> removes it.
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">protocol</replaceable></term>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</varlistentry>
<varlistentry>
<term>-t <replaceable class="parameter">type</replaceable></term>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
</varlistentry>
<varlistentry>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</varlistentry>
</variablelist>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</varlistentry>
</variablelist>
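The date/offset rules and the five timing options above, worked through as an added example (not part of the BIND sources or of this manual page). The function names are hypothetical; absolute dates are assumed to be UTC, and the precedence used when several dates have passed (deletion, then retirement, override the others) is an assumption of this sketch.

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per offset suffix, as defined in the text: a year is 365 days,
# a month is 30 days, and an offset without a suffix is in seconds.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, "": 1}
OFFSET_RE = re.compile(r"([+-])([0-9]+)(y|mo|w|d|h|mi)?")
ABSOLUTE_FORMATS = ((r"[0-9]{8}", "%Y%m%d"), (r"[0-9]{14}", "%Y%m%d%H%M%S"))


def parse_when(arg, now):
    """Resolve one date/offset argument to an absolute datetime."""
    m = OFFSET_RE.fullmatch(arg)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        seconds = int(m.group(2)) * UNIT_SECONDS[m.group(3) or ""]
        return now + timedelta(seconds=sign * seconds)
    # Absolute forms: YYYYMMDD or YYYYMMDDHHMMSS (UTC is an assumption).
    for pattern, fmt in ABSOLUTE_FORMATS:
        if re.fullmatch(pattern, arg):
            return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
    raise ValueError(f"not a date/offset: {arg!r}")


def key_state(opts, now, at, generate_only=False):
    """Zone status at time `at` for timing options such as {"A": "+1mo"}.

    `opts` maps the option letters P, A, R, I, D to date/offset strings;
    `generate_only` models the -G option.
    """
    if generate_only and (opts.keys() & {"P", "A"}):
        raise ValueError("-G is incompatible with -P and -A")
    when = {flag: parse_when(arg, now) for flag, arg in opts.items()}
    if not generate_only:
        # Without -G, publication and activation both default to "now".
        when.setdefault("P", now)
        when.setdefault("A", now)

    def reached(flag):
        return flag in when and at >= when[flag]

    deleted = reached("D")
    retired = reached("I")
    # Assumed precedence: deletion, then retirement, override the rest.
    in_zone = not deleted and any(reached(flag) for flag in "PARI")
    signing = in_zone and not retired and (reached("A") or reached("R"))
    return {"in_zone": in_zone, "signing": signing, "revoked": reached("R")}


if __name__ == "__main__":
    # Constructed schedule: pre-publish for a month, retire after a year.
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    schedule = {"A": "+1mo", "I": "+1y", "D": "+13mo"}
    for days in (10, 40, 366, 400):
        at = start + timedelta(days=days)
        print(at.date(), key_state(schedule, start, at))
```

Because a year is a fixed 365 days, `+1y` from 1 January 2024 resolves to 31 December 2024, not 1 January 2025.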
When <command>dnssec-keyfromlabel</command> completes
successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key files it has generated.
<itemizedlist>
<para><filename>nnnn</filename> is the key name.
<para><filename>aaa</filename> is the numeric representation
of the algorithm.
<para><filename>iiiii</filename> is the key identifier (or
</itemizedlist>
<command>dnssec-keyfromlabel</command>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
private key.
The <filename>.key</filename> file contains a DNS KEY record that
can be inserted into a zone file (directly or with a $INCLUDE
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
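An added example (not part of the BIND sources or of this manual page) that parses the identification string described above and audits a key directory: every `.key` and `.private` file should form a pair, and no `.private` file should be accessible to group or others. The function names are hypothetical, the algorithm numbers are the IANA values for the mnemonics listed under -a, and the sample file names are constructed.

```python
import os
import re
import stat
import tempfile

# DNSSEC algorithm numbers (IANA registry) for the mnemonics listed under -a.
ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "NSEC3DSA",
              7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
              12: "ECCGOST", 13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
# The dot before the first '+' is treated as a separator, as in Knnnn.+aaa+iiiii.
KEY_ID_RE = re.compile(
    r"K(?P<name>.*)\.\+(?P<alg>[0-9]{3})\+(?P<id>[0-9]{5})")


def parse_key_id(text):
    """Split a Knnnn.+aaa+iiiii string into name, algorithm and key id."""
    m = KEY_ID_RE.fullmatch(text)
    if not m:
        raise ValueError(f"not a key identification string: {text!r}")
    alg = int(m["alg"])
    return {"name": m["name"], "algorithm": alg,
            "mnemonic": ALGORITHMS.get(alg, "unknown"),
            "key_id": int(m["id"])}


def audit_key_dir(directory):
    """Return (file, problem) findings for the key files in a -K directory."""
    findings = []
    names = set(os.listdir(directory))
    for fname in sorted(names):
        base, ext = os.path.splitext(fname)
        if ext not in (".key", ".private"):
            continue
        try:
            parse_key_id(base)
        except ValueError:
            findings.append((fname, "unexpected file name"))
            continue
        other = base + (".private" if ext == ".key" else ".key")
        if other not in names:
            findings.append((fname, f"missing companion {other}"))
        if ext == ".private":
            path = os.path.join(directory, fname)
            mode = stat.S_IMODE(os.stat(path).st_mode)
            # Any group or other bit on the private file is reported.
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append(
                    (fname, f"mode {mode:04o} grants group/other access"))
    return findings


if __name__ == "__main__":
    # Constructed directory: one well-formed pair, one stray private file.
    with tempfile.TemporaryDirectory() as keydir:
        for fname, mode in (("Kexample.com.+008+12345.key", 0o644),
                            ("Kexample.com.+008+12345.private", 0o600),
                            ("Kexample.com.+008+54321.private", 0o644)):
            path = os.path.join(keydir, fname)
            open(path, "w").close()
            os.chmod(path, mode)
        for finding in audit_key_dir(keydir):
            print(*finding, sep=": ")
```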
<citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<para><corpauthor>Internet Systems Consortium</corpauthor>
 - Local variables:
 - mode: sgml