bin/dnssec/dnssec-keyfromlabel.html

d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<!--
46bb3884a0738664862e3a36b7848aa374aebd45Tinderbox User - Copyright (C) 2008-2012, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont -
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - This Source Code Form is subject to the terms of the Mozilla Public
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - License, v. 2.0. If a copy of the MPL was not distributed with this
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - file, You can obtain one at http://mozilla.org/MPL/2.0/.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont-->
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<html lang="en">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<head>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<title>dnssec-keyfromlabel</title>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont</head>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  <div class="refnamediv">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<h2>Name</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <span class="application">dnssec-keyfromlabel</span>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User     &#8212; DNSSEC key generation tool
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  </p>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont</div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  <div class="refsynopsisdiv">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<h2>Synopsis</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <div class="cmdsynopsis"><p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <code class="command">dnssec-keyfromlabel</code>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       {-l <em class="replaceable"><code>label</code></em>}
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-3</code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-G</code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-k</code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-V</code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       [<code class="option">-y</code>]
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User       {name}
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </p></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  <div class="refsection">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id-1.7"></a><h2>DESCRIPTION</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User      generates a key pair of files that referencing a key object stored
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User      in a cryptographic hardware service module (HSM).  The private key
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User      file can be used for DNSSEC signing of zone data as if it were a
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User      conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User      but the key material is stored within the HSM, and the actual signing
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User      takes place there.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      The <code class="option">name</code> of the key is specified on the command
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      line.  This must match the name of the zone for which the key is
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      being generated.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  <div class="refsection">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id-1.8"></a><h2>OPTIONS</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <div class="variablelist"><dl class="variablelist">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont        Selects the cryptographic algorithm.  The value of
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews        DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
bfb7b680bf88c1fdd9949197b71c512c532280a4Tinderbox User        ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater        These values are case insensitive.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        If no algorithm is specified, then RSASHA1 will be used by
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        default, unless the <code class="option">-3</code> option is specified,
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        in which case NSEC3RSASHA1 will be used instead.  (If
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        <code class="option">-3</code> is used and an algorithm is specified,
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        that algorithm will be checked for compatibility with NSEC3.)
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        algorithm, and DSA is recommended.
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Note 2: DH automatically sets the -k flag.
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater<dt><span class="term">-3</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater        Use an NSEC3-capable algorithm to generate a DNSSEC key.
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        If this option is used and no algorithm is explicitly
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        set on the command line, NSEC3RSASHA1 will be used by
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        default.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Specifies the cryptographic hardware to use.
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        When BIND is built with OpenSSL PKCS#11 support, this defaults
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        to the string "pkcs11", which identifies an OpenSSL engine
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        that can drive a cryptographic accelerator or hardware service
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        module.  When BIND is built with native PKCS#11 cryptography
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        (--enable-native-pkcs11), it defaults to the path of the PKCS#11
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        provider library specified via "--with-pkcs11".
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Specifies the label for a key pair in the crypto hardware.
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        PKCS#11 support, the label is an arbitrary string that
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        identifies a particular key.  It may be preceded by an
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        optional OpenSSL engine name, followed by a colon, as in
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        support, the label is a PKCS#11 URI string in the format
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Keywords include "token", which identifies the HSM; "object", which
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        identifies the key; and "pin-source", which identifies a file from
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        which the HSM's PIN code can be obtained.  The label will be
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        stored in the on-disk "private" file.
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        If the label contains a
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        <code class="option">pin-source</code> field, tools using the generated
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        key files will be able to use the HSM for signing and other
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        operations without any need for an operator to manually enter
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        a PIN.  Note: Making the HSM's PIN accessible in this manner
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        may reduce the security advantage of using an HSM; be sure
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        this is what you want to do before making use of this feature.
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Specifies the owner type of the key.  The value of
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        <code class="option">nametype</code> must either be ZONE (for a DNSSEC
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        a host (KEY)),
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        These values are case insensitive.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-C</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater        Compatibility mode:  generates an old-style key, without
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User        any metadata.  By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater        will include the key's creation date in the metadata stored
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater        with the private key, and other dates may be set there as well
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater        (publication date, activation date, etc).  Keys that include
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater        this data may be incompatible with older versions of BIND; the
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater        <code class="option">-C</code> option suppresses them.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Indicates that the DNS record containing the key should have
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        the specified class.  If not specified, class IN is used.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Set the specified flag in the flag field of the KEY/DNSKEY record.
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        The only recognized flags are KSK (Key Signing Key) and REVOKE.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater<dt><span class="term">-G</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Generate a key, but do not publish it or sign with it.  This
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        option is incompatible with -P and -A.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-h</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Prints a short summary of the options and arguments to
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        <span class="command"><strong>dnssec-keyfromlabel</strong></span>.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the directory in which the key files are to be written.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-k</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Generate KEY records rather than DNSKEY records.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the default TTL to use for this key when it is converted
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        into a DNSKEY RR.  If the key is imported into a zone,
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        this is the TTL that will be used for it, unless there was
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        already a DNSKEY RRset in place, in which case the existing TTL
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        would take precedence.  Setting the default TTL to
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        <code class="literal">0</code> or <code class="literal">none</code> removes it.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the protocol value for the key.  The protocol
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        is a number between 0 and 255.  The default is 3 (DNSSEC).
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Other possible values for this argument are listed in
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        RFC 2535 and its successors.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Generate a key as an explicit successor to an existing key.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User        The name, algorithm, size, and type of the key will be set
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User        to match the predecessor. The activation date of the new
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User        key will be set to the inactivation date of the existing
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User        one. The publication date will be set to the activation
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User        date minus the prepublication interval, which defaults to
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User        30 days.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Indicates the use of the key.  <code class="option">type</code> must be
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        is AUTHCONF.  AUTH refers to the ability to authenticate
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        data, and CONF the ability to encrypt data.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the debugging level.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
6f1205897504b8f50b1785975482c995888dd630Tinderbox User<dt><span class="term">-V</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
6f1205897504b8f50b1785975482c995888dd630Tinderbox User        Prints version information.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater<dt><span class="term">-y</span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Allows DNSSEC key files to be generated even if the key ID
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater        would collide with that of an existing key, in the event of
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater        either key being revoked.  (This is only safe to use if you
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        are sure you won't be using RFC 5011 trust anchor maintenance
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        with either of the keys involved.)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont</dl></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  <div class="refsection">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      If the argument begins with a '+' or '-', it is interpreted as
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      an offset from the present time.  For convenience, if such an offset
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      then the offset is computed in years (defined as 365 24-hour days,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      ignoring leap years), months (defined as 30 24-hour days), weeks,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      days, hours, or minutes, respectively.  Without a suffix, the offset
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User      is computed in seconds.  To explicitly prevent a date from being
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User      set, use 'none' or 'never'.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <div class="variablelist"><dl class="variablelist">
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the date on which a key is to be published to the zone.
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        After that date, the key will be included in the zone but will
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        not be used to sign it.  If not set, and if the -G option has
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        not been used, the default is "now".
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the date on which the CDS and CDNSKEY records which match
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        this key are to be published to the zone.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the date on which the key is to be activated.  After that
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        date, the key will be included in the zone and used to sign
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        it.  If not set, and if the -G option has not been used, the
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        default is "now".
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the date on which the key is to be revoked.  After that
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        date, the key will be flagged as revoked.  It will be included
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        in the zone and will be used to sign it.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
79cf9524b15ca65f55fd6913e6cf01b5581c588aAutomatic Updater<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the date on which the key is to be retired.  After that
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        date, the key will still be included in the zone, but it
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        will not be used to sign it.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the date on which the key is to be deleted.  After that
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        date, the key will no longer be included in the zone.  (It
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        may remain in the key repository, however.)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <p>
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        Sets the date on which the CDS and CDNSKEY records which match
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User        this key are to be deleted.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </dd>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<dd>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User          <p>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            Sets the prepublication interval for a key.  If set, then
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            the publication and activation dates must be separated by at least
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            this much time.  If the activation date is specified but the
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            publication date isn't, then the publication date will default
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            to this much time before the activation date; conversely, if
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            the publication date is specified but activation date isn't,
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            then activation will be set to this much time after publication.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User          </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User          <p>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            If the key is being created as an explicit successor to another
9d557856c2a19ec95ee73245f60a92f8675cf5baTinderbox User            key, then the default prepublication interval is 30 days;
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            otherwise it is zero.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User          </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User          <p>
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            As with date offsets, if the argument is followed by one of
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            interval is measured in years, months, weeks, days, hours,
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            or minutes, respectively.  Without a suffix, the interval is
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User            measured in seconds.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User          </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User        </dd>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater</dl></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  <div class="refsection">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id-1.10"></a><h2>GENERATED KEY FILES</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p>
2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User      When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      successfully,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      to the standard output.  This is an identification string for
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      the key files it has generated.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p><code class="filename">nnnn</code> is the key name.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p><code class="filename">aaa</code> is the numeric representation
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      of the algorithm.
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </li>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<li class="listitem">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p><code class="filename">iiiii</code> is the key identifier (or
e62b9c9ce6413fb183c8116381e75dcd07ca5517Tinderbox User      footprint).
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </li>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont</ul></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      creates two files, with names based
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      contains the public key, and
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      private key.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      The <code class="filename">.key</code> file contains a DNS KEY record
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      that
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      can be inserted into a zone file (directly or with a $INCLUDE
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      statement).
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      The <code class="filename">.private</code> file contains
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater      algorithm-specific
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      fields.  For obvious security reasons, this file does not have
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      general read permission.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  <div class="refsection">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a name="id-1.11"></a><h2>SEE ALSO</h2>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <p><span class="citerefentry">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <span class="refentrytitle">dnssec-keygen</span>(8)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </span>,
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      <span class="citerefentry">
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User    <span class="refentrytitle">dnssec-signzone</span>(8)
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User      </span>,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User      <em class="citetitle">RFC 4034</em>,
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User      <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont    </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User  </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont</div></body>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont</html>