dnssec-keyfromlabel.html revision 33d0a7767d53cb366039fd0ac4f63cf8a9c351b0
 - Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
generates a pair of key files that reference a key object stored
in a cryptographic hardware security module (HSM). The private key
file can be used for DNSSEC signing of zone data as if it were a
conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
but the key material stays within the HSM, and the actual signing
takes place there.
The <code class="option">name</code> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
algorithm, and DSA is recommended.
Note 2: DH automatically sets the -k flag.
<dt><span class="term">-3</span></dt>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
Specifies the cryptographic hardware to use.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware security
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
Specifies the label for a key pair in the crypto hardware.
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]".
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
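To make the two label forms concrete, here is an added Python example (not BIND's own label parser) that splits a -l label into its engine or URI components and reports whether it carries a pin-source, the field the note above cautions about. The "file:" prefix handling, the permission check and the sample labels are assumptions of this example, not taken from this page.

```python
import os
import stat

# The three PKCS#11 URI keywords this page names for native builds.
KNOWN_KEYWORDS = ("token", "object", "pin-source")


def parse_label(label):
    """Interpret a -l label in either of the two forms described above.

    Native PKCS#11 build:  pkcs11:token=softhsm;object=zsk1;pin-source=/etc/pin
    OpenSSL engine build:  pkcs11:zsk1  (engine name, colon, key label) or zsk1
    Returns a dict with 'form', 'engine', 'key', 'attributes', 'unknown_keywords'.
    """
    if label.startswith("pkcs11:") and "=" in label:
        attributes = {}
        for part in label[len("pkcs11:"):].split(";"):
            if not part:                       # tolerate a trailing ';'
                continue
            if "=" not in part:
                raise ValueError("malformed PKCS#11 URI component: %r" % part)
            keyword, value = part.split("=", 1)
            attributes[keyword.strip().lower()] = value
        unknown = sorted(set(attributes) - set(KNOWN_KEYWORDS))
        return {"form": "pkcs11-uri", "engine": None,
                "key": attributes.get("object"), "attributes": attributes,
                "unknown_keywords": unknown}
    engine, sep, key = label.partition(":")
    if not sep:                                # no engine prefix at all
        engine, key = None, label
    return {"form": "engine-label", "engine": engine, "key": key,
            "attributes": {}, "unknown_keywords": []}


def pin_source_path(label):
    """Return the pin-source file path if the label carries one, else None.

    Assumption (not stated on this page): a 'file:' or 'file://' prefix,
    as used in PKCS#11 URIs, is accepted and stripped.
    """
    src = parse_label(label)["attributes"].get("pin-source")
    if src is None:
        return None
    for prefix in ("file://", "file:"):
        if src.startswith(prefix):
            return src[len(prefix):]
    return src


def pin_file_mode_is_private(mode):
    """True when a PIN file's permission bits deny group and other access.

    With pin-source in the label, every tool holding the key files can unlock
    the HSM unattended, so the PIN file must be readable only by the signing
    user (the "security advantage" the manual's note refers to).
    """
    return (mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def check_pin_source(label):
    """Classify a label's PIN exposure: 'no-pin-source', 'missing',
    'group-or-world-accessible' or 'ok'."""
    path = pin_source_path(label)
    if path is None:
        return "no-pin-source"
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return "missing"
    return "ok" if pin_file_mode_is_private(mode) else "group-or-world-accessible"
```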
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
These values are case insensitive.
<dt><span class="term">-C</span></dt>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
<dt><span class="term">-G</span></dt>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
<dt><span class="term">-h</span></dt>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
Generate KEY records rather than DNSKEY records.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
<dt><span class="term">-V</span></dt>
Prints version information.
<dt><span class="term">-y</span></dt>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but the activation date isn't,
then activation will be set to this much time after publication.
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
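The date/offset syntax and the interaction of -P, -A, -i, -S and -G described in this section, as an added Python model (not BIND's code); the reference time and the sample arguments are constructed, and year and month lengths follow the definitions given above.

```python
import re
from datetime import datetime, timedelta

# Suffix lengths exactly as the TIMING OPTIONS text defines them: a year is
# 365 24-hour days and a month is 30 24-hour days (leap years and calendar
# months are ignored); no suffix means seconds.
SUFFIX_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                  "d": 86400, "h": 3600, "mi": 60, "": 1}
_OFFSET = re.compile(r"^([+-])(\d+)(y|mo|w|d|h|mi)?$")
_INTERVAL = re.compile(r"^(\d+)(y|mo|w|d|h|mi)?$")
NOW = datetime(2024, 1, 1)   # constructed "present time" for the examples


def parse_interval(text):
    """An -i interval: a count of seconds, or a count with a unit suffix."""
    m = _INTERVAL.match(text)
    if not m:
        raise ValueError("bad interval: %r" % text)
    return timedelta(seconds=int(m.group(1)) * SUFFIX_SECONDS[m.group(2) or ""])


def parse_date(text, now):
    """A -P/-A/-R/-I/-D argument: an absolute date, a signed offset from
    'now', or 'none'/'never' (returned as None: the date is explicitly unset)."""
    if text.lower() in ("none", "never"):
        return None
    m = _OFFSET.match(text)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        seconds = int(m.group(2)) * SUFFIX_SECONDS[m.group(3) or ""]
        return now + timedelta(seconds=sign * seconds)
    for fmt in ("%Y%m%d%H%M%S", "%Y%m%d"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError("bad date/offset: %r" % text)


def resolve_timing(now, publish=None, activate=None, interval=None,
                   predecessor_inactive=None, generate_only=False):
    """Derive the publication and activation dates from the -P, -A, -i, -S
    and -G rules. publish/activate/interval are the raw option strings
    (None = option not given); predecessor_inactive is the -S key's
    inactivation datetime. Returns (publication, activation)."""
    if generate_only and (publish is not None or activate is not None):
        raise ValueError("-G is incompatible with -P and -A")
    if predecessor_inactive is not None:
        # -S: activate when the predecessor retires; prepublish 30 days by default
        prepub = parse_interval(interval) if interval else timedelta(days=30)
        return predecessor_inactive - prepub, predecessor_inactive
    prepub = parse_interval(interval) if interval else timedelta(0)
    pub = parse_date(publish, now) if publish is not None else None
    act = parse_date(activate, now) if activate is not None else None
    set_pub, set_act = pub is not None, act is not None
    unset_pub = publish is not None and not set_pub    # e.g. "-P none"
    unset_act = activate is not None and not set_act   # e.g. "-A never"
    if set_pub and set_act and prepub and act - pub < prepub:
        raise ValueError("publication and activation dates must be at least "
                         "the prepublication interval apart")
    if not set_pub and not unset_pub:
        pub = act - prepub if set_act else (None if generate_only else now)
    if not set_act and not unset_act:
        act = pub + prepub if set_pub else (None if generate_only else now)
    return pub, act
```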
<a name="id-1.10"></a><h2>GENERATED KEY FILES</h2>
When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
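An added Python example (not BIND's code) serving two passages of this page: the -a/-3 algorithm selection rules described under the options, and the Knnnn.+aaa+iiiii identification string described here. The numeric codes are the IANA DNSSEC algorithm numbers for the names listed under -a; treating RSAMD5, DSA and RSASHA1 as the algorithms the -3 compatibility check rejects is this example's assumption, and the sample file name is constructed.

```python
import re

# Algorithm names accepted by -a on this page, with the IANA DNSSEC algorithm
# numbers that appear, zero-padded, as the 'aaa' field of the file names.
ALGORITHMS = {
    "RSAMD5": 1, "DSA": 3, "RSASHA1": 5, "NSEC3DSA": 6, "NSEC3RSASHA1": 7,
    "RSASHA256": 8, "RSASHA512": 10, "ECCGOST": 12,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14,
}
ALGORITHM_NAMES = {number: name for name, number in ALGORITHMS.items()}
# Assumption: the pre-NSEC3 codes are the ones the -3 compatibility check rejects.
NOT_NSEC3_CAPABLE = {"RSAMD5", "DSA", "RSASHA1"}


def is_nsec3_compatible(name):
    """True for a known algorithm that may be used with -3 (case-insensitive)."""
    canonical = name.upper()
    return canonical in ALGORITHMS and canonical not in NOT_NSEC3_CAPABLE


def select_algorithm(name=None, nsec3=False):
    """Apply the -a / -3 rules: case-insensitive names, RSASHA1 by default,
    NSEC3RSASHA1 by default under -3, and a compatibility check when -3 is
    combined with an explicit algorithm. Returns (canonical name, number)."""
    if name is None:
        name = "NSEC3RSASHA1" if nsec3 else "RSASHA1"
    canonical = name.upper()
    if canonical not in ALGORITHMS:
        raise ValueError("unknown algorithm: %r" % name)
    if nsec3 and not is_nsec3_compatible(canonical):
        raise ValueError("%s is not compatible with NSEC3" % canonical)
    return canonical, ALGORITHMS[canonical]


# Knnnn.+aaa+iiiii: nnnn is the key (zone) name written with its trailing dot,
# aaa the three-digit algorithm number and iiiii the five-digit key identifier.
_KEY_ID = re.compile(r"^K(?P<name>.+\.)\+(?P<alg>\d{3})\+(?P<id>\d{5})$")


def parse_key_id(text):
    """Split an identification string, or a .key/.private file name derived
    from it, into its fields."""
    base = re.sub(r"\.(key|private)$", "", text)
    m = _KEY_ID.match(base)
    if not m:
        raise ValueError("not a dnssec-keyfromlabel key identifier: %r" % text)
    number = int(m.group("alg"))
    return {
        "name": m.group("name"),
        "algorithm": number,
        "algorithm_name": ALGORITHM_NAMES.get(number),
        "key_id": int(m.group("id")),
        "public_file": base + ".key",
        "private_file": base + ".private",
    }
```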
The <code class="filename">.key</code> file contains a DNS KEY record that
can be inserted into a zone file (directly or with a $INCLUDE
The <code class="filename">.private</code> file contains