dnssec-keyfromlabel.html revision 28b3569d6248168e6c00caab951521cc8141a49d
<!-- Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") -->
<!-- $Id: dnssec-keyfromlabel.html,v 1.3 2008/04/01 01:11:50 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<a name="id2543413"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 gets keys with the given label from crypto hardware and builds
 key files for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034.</p>
<dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA),
 RSASHA1, DSA or DH (Diffie-Hellman). These values
 are case insensitive.</p>
<p>Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.</p>
<p>Note 2: DH automatically sets the -k flag.</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>Specifies the label of keys in the crypto hardware
 (PKCS#11 device).</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be either ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are
 case insensitive.</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>Sets the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key) DNSKEY.</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>Generates KEY records rather than DNSKEY records.</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>Sets the debugging level.</p></dd>
</dl>
<a name="id2543619"></a><h2>GENERATED KEY FILES</h2>
<p>When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key files it has generated.</p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
</ul>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the</p>
<p>The <code class="filename">.key</code> file contains a DNS KEY record
 can be inserted into a zone file (directly or with a $INCLUDE</p>
<p>The <code class="filename">.private</code> file contains algorithm
 fields. For obvious security reasons, this file does not have
 general read permission.</p>
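<p>As an added example (not part of the BIND distribution or of this manual page), the shell functions below split an identification string of the form <code class="filename">Knnnn.+aaa+iiiii</code> and confirm that both key files exist and that the <code class="filename">.private</code> file grants nothing to group or other. The sample string, the function names and the return codes are assumptions of this example; the mapping from <code class="filename">aaa</code> to a name uses the IANA DNSSEC algorithm numbers for the <code class="option">-a</code> values listed above.</p>

```shell
#!/bin/sh
# Added example (not from BIND): audit files named by a Knnnn.+aaa+iiiii string.

# Print "name. aaa iiiii" for a well-formed identification string, else return 1.
parse_key_id() {
    case $1 in
        */*) return 1 ;;   # a key name must never act as a path component
        K*.+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    _rest=${1#K}
    _id=${_rest##*+}       # iiiii
    _rest=${_rest%+*}
    _alg=${_rest##*+}      # aaa
    _name=${_rest%.+*}     # nnnn
    printf '%s. %s %s\n' "$_name" "$_alg" "$_id"
}

# Map aaa to the -a values on this page (IANA DNSSEC algorithm numbers).
alg_name() {
    case $1 in
        001) echo RSAMD5 ;;
        002) echo DH ;;
        003) echo DSA ;;
        005) echo RSASHA1 ;;
        *)   echo UNKNOWN ;;
    esac
}

# Succeed only if FILE exists and has no group/other permission bits.
private_is_restricted() {
    [ -f "$1" ] || return 1
    _perms=$(ls -ld -- "$1" | cut -c5-10)
    [ "$_perms" = "------" ]
}

# check_key_files ID [DIR]: 0 = ok, 2 = malformed ID, 3 = file missing, 4 = loose mode.
check_key_files() {
    parse_key_id "$1" >/dev/null || return 2
    _base=${2:-.}/$1
    [ -f "$_base.key" ] && [ -f "$_base.private" ] || return 3
    private_is_restricted "$_base.private" || return 4
}

# Constructed sample string, not real tool output.
parse_key_id 'Kexample.com.+005+12345' | {
    read -r n a i
    echo "name=$n algorithm=$(alg_name "$a") keyid=$i"
}
```

<p>Running <code class="command">check_key_files</code> against the key directory after each key import or rotation catches a <code class="filename">.private</code> file whose mode was loosened by a copy or restore.</p>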
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>
</div></body>