bin/dnssec/dnssec-keyfromlabel.docbook

	dnssec-keyfromlabel.docbook revision 784a904bd06c7492361ed09a882d10c636b1291b
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews           [<!ENTITY mdash "&#8212;">]>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Copyright (C) 2008-2011  Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User<!-- $Id: dnssec-keyfromlabel.docbook,v 1.20 2011/02/03 12:18:10 tbox Exp $ -->
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<refentry id="man.dnssec-keyfromlabel">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refentryinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <date>February 8, 2008</date>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  </refentryinfo>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <refmeta>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <manvolnum>8</manvolnum>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <refmiscinfo>BIND9</refmiscinfo>
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User  </refmeta>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <refnamediv>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <refname><application>dnssec-keyfromlabel</application></refname>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <refpurpose>DNSSEC key generation tool</refpurpose>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews  </refnamediv>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein  <docinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein    <copyright>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <year>2008</year>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <year>2009</year>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <year>2010</year>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <year>2011</year>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </copyright>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </docinfo>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
1e126d80e1b8a0dd541a733283907656424634dcTinderbox User  <refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <cmdsynopsis>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <command>dnssec-keyfromlabel</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-3</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-G</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein      <arg><option>-k</option></arg>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
f9ce6280cec79deb16ff6d9807aa493ff23e10d9Tinderbox User      <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
1e126d80e1b8a0dd541a733283907656424634dcTinderbox User      <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
f9ce6280cec79deb16ff6d9807aa493ff23e10d9Tinderbox User      <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
46472a450e043434d78fa18edc73bca8c47f3981Tinderbox User      <arg><option>-y</option></arg>
46472a450e043434d78fa18edc73bca8c47f3981Tinderbox User      <arg choice="req">name</arg>
e285c11870c6263cd79b418e104c7eb3e2d96952Tinderbox User    </cmdsynopsis>
46472a450e043434d78fa18edc73bca8c47f3981Tinderbox User  </refsynopsisdiv>
46472a450e043434d78fa18edc73bca8c47f3981Tinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsect1>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User    <title>DESCRIPTION</title>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User    <para><command>dnssec-keyfromlabel</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      gets keys with the given label from a crypto hardware and builds
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      key files for DNSSEC (Secure DNS), as defined in RFC 2535
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      and RFC 4034.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User    <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      The <option>name</option> of the key is specified on the command
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      line.  This must match the name of the zone for which the key is
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      being generated.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User  </refsect1>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsect1>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <title>OPTIONS</title>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User    <variablelist>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Selects the cryptographic algorithm.  The value of
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            <option>algorithm</option> must be one of RSAMD5, RSASHA1,
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User        DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User        These values are case insensitive.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User      </para>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User          <para>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            If no algorithm is specified, then RSASHA1 will be used by
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            default, unless the <option>-3</option> option is specified,
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            in which case NSEC3RSASHA1 will be used instead.  (If
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            <option>-3</option> is used and an algorithm is specified,
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            that algorithm will be checked for compatibility with NSEC3.)
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User          </para>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User          <para>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            algorithm, and DSA is recommended.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User          </para>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User          <para>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            Note 2: DH automatically sets the -k flag.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User          </para>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User        </listitem>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User      </varlistentry>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User      <varlistentry>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User        <term>-3</term>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User        <listitem>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User          <para>
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User        Use an NSEC3-capable algorithm to generate a DNSSEC key.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            If this option is used and no algorithm is explicitly
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            set on the command line, NSEC3RSASHA1 will be used by
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User            default.
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User          </para>
3ba1f79ade054aa6a0dc5032502bcdcf357cd7bdTinderbox User        </listitem>
3ba1f79ade054aa6a0dc5032502bcdcf357cd7bdTinderbox User      </varlistentry>
3ba1f79ade054aa6a0dc5032502bcdcf357cd7bdTinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-E <replaceable class="parameter">engine</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specifies the name of the crypto hardware (OpenSSL engine).
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            When compiled with PKCS#11 support it defaults to "pkcs11".
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <term>-l <replaceable class="parameter">label</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specifies the label of the key pair in the crypto hardware.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            The label may be preceded by an optional OpenSSL engine name,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            separated by a colon, as in "pkcs11:keylabel".
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-n <replaceable class="parameter">nametype</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Specifies the owner type of the key.  The value of
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <option>nametype</option> must either be ZONE (for a DNSSEC
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            a host (KEY)),
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            These values are case insensitive.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <term>-C</term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        Compatibility mode:  generates an old-style key, without
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        any metadata.  By default, <command>dnssec-keyfromlabel</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        will include the key's creation date in the metadata stored
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        with the private key, and other dates may be set there as well
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        (publication date, activation date, etc).  Keys that include
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        this data may be incompatible with older versions of BIND; the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <option>-C</option> option suppresses them.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <term>-c <replaceable class="parameter">class</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            Indicates that the DNS record containing the key should have
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            the specified class.  If not specified, class IN is used.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <term>-f <replaceable class="parameter">flag</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <listitem>
9d557856c2a19ec95ee73245f60a92f8675cf5baTinderbox User          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Set the specified flag in the flag field of the KEY/DNSKEY record.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            The only recognized flags are KSK (Key Signing Key) and REVOKE.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <term>-G</term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
76cf91b5df7a1bc450afcb9ce7585c61bb87de68Tinderbox User          <para>
76cf91b5df7a1bc450afcb9ce7585c61bb87de68Tinderbox User            Generate a key, but do not publish it or sign with it.  This
76cf91b5df7a1bc450afcb9ce7585c61bb87de68Tinderbox User            option is incompatible with -P and -A.
76cf91b5df7a1bc450afcb9ce7585c61bb87de68Tinderbox User          </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-h</term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Prints a short summary of the options and arguments to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            <command>dnssec-keyfromlabel</command>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <term>-K <replaceable class="parameter">directory</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          <para>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User            Sets the directory in which the key files are to be written.
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User          </para>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User        </listitem>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User      </varlistentry>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User      <varlistentry>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User        <term>-k</term>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User        <listitem>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User          <para>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User            Generate KEY records rather than DNSKEY records.
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User          </para>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User        </listitem>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User      </varlistentry>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User      <varlistentry>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User        <term>-p <replaceable class="parameter">protocol</replaceable></term>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User        <listitem>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User          <para>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User            Sets the protocol value for the key.  The protocol
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User            is a number between 0 and 255.  The default is 3 (DNSSEC).
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User            Other possible values for this argument are listed in
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User            RFC 2535 and its successors.
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User          </para>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User        </listitem>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User      </varlistentry>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User      <varlistentry>
3241ddcf9354c5ab50f4df5a656e72a5c68e172bTinderbox User        <term>-t <replaceable class="parameter">type</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Indicates the use of the key.  <option>type</option> must be
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            is AUTHCONF.  AUTH refers to the ability to authenticate
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            data, and CONF the ability to encrypt data.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <term>-v <replaceable class="parameter">level</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Sets the debugging level.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
e2b184f84e846bbcb764b6f0aef5dcd583d3d7a1Tinderbox User        </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <term>-y</term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Allows DNSSEC key files to be generated even if the key ID
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        would collide with that of an existing key, in the event of
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        either key being revoked.  (This is only safe to use if you
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            are sure you won't be using RFC 5011 trust anchor maintenance
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            with either of the keys involved.)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User    </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsect1>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  <refsect1>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User    <title>TIMING OPTIONS</title>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      If the argument begins with a '+' or '-', it is interpreted as
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      an offset from the present time.  For convenience, if such an offset
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      then the offset is computed in years (defined as 365 24-hour days,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      ignoring leap years), months (defined as 30 24-hour days), weeks,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      days, hours, or minutes, respectively.  Without a suffix, the offset
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      is computed in seconds.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-P <replaceable class="parameter">date/offset</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Sets the date on which a key is to be published to the zone.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            After that date, the key will be included in the zone but will
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            not be used to sign it.  If not set, and if the -G option has
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            not been used, the default is "now".
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-A <replaceable class="parameter">date/offset</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Sets the date on which the key is to be activated.  After that
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            date, the key will be included in the zone and used to sign
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            it.  If not set, and if the -G option has not been used, the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            default is "now".
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User        <term>-R <replaceable class="parameter">date/offset</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Sets the date on which the key is to be revoked.  After that
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            date, the key will be flagged as revoked.  It will be included
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            in the zone and will be used to sign it.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          </para>
0226754d9e537fd56b690d5890cfe215a6c59f89Tinderbox User        </listitem>
0226754d9e537fd56b690d5890cfe215a6c59f89Tinderbox User      </varlistentry>
0226754d9e537fd56b690d5890cfe215a6c59f89Tinderbox User
0226754d9e537fd56b690d5890cfe215a6c59f89Tinderbox User      <varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <term>-I <replaceable class="parameter">date/offset</replaceable></term>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            Sets the date on which the key is to be retired.  After that
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            date, the key will still be included in the zone, but it
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            will not be used to sign it.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <varlistentry>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User        <term>-D <replaceable class="parameter">date/offset</replaceable></term>
6b7cba2b10d6cb5363d94b434b0d22ecfb33a6f3Tinderbox User        <listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User          <para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User            Sets the date on which the key is to be deleted.  After that
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            date, the key will no longer be included in the zone.  (It
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt            may remain in the key repository, however.)
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsect1>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User  <refsect1>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <title>GENERATED KEY FILES</title>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      When <command>dnssec-keyfromlabel</command> completes
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      successfully,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      to the standard output.  This is an identification string for
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      the key files it has generated.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <itemizedlist>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <para><filename>nnnn</filename> is the key name.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      <listitem>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User        <para><filename>aaa</filename> is the numeric representation
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          of the algorithm.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <para><filename>iiiii</filename> is the key identifier (or
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt          footprint).
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </listitem>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </itemizedlist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <para><command>dnssec-keyfromlabel</command>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      creates two files, with names based
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      on the printed string.  <filename>Knnnn.+aaa+iiiii.key</filename>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      contains the public key, and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <filename>Knnnn.+aaa+iiiii.private</filename> contains the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      private key.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      The <filename>.key</filename> file contains a DNS KEY record
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      that
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      can be inserted into a zone file (directly or with a $INCLUDE
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      statement).
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      The <filename>.private</filename> file contains
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      algorithm-specific
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      fields.  For obvious security reasons, this file does not have
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      general read permission.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </para>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User  </refsect1>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User  <refsect1>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <title>SEE ALSO</title>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <para><citerefentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      </citerefentry>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <citerefentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User      </citerefentry>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt      <citetitle>RFC 4034</citetitle>.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsect1>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User  <refsect1>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User    <title>AUTHOR</title>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    <para><corpauthor>Internet Systems Consortium</corpauthor>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt    </para>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt  </refsect1>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User</refentry><!--
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - Local variables:
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - mode: sgml
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - End:
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt-->
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt