bin/dnssec/dnssec-keyfromlabel.html

	dnssec-keyfromlabel.html revision 4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721
cd348e325366620fe047edcc849e3c9424828599Peter Bray<!--
cd348e325366620fe047edcc849e3c9424828599Peter Bray - Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
0ca9a2c194523c517c3aafe5758e217ac88d6baaLubos Kosco -
cd348e325366620fe047edcc849e3c9424828599Peter Bray - Permission to use, copy, modify, and/or distribute this software for any
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray - purpose with or without fee is hereby granted, provided that the above
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray - copyright notice and this permission notice appear in all copies.
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal -
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
c577d2f6c082eaff9af5bc997d12f3d3bcef537cPeter Bray - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2b024356b830395446c55f50f9f724a63612e578Lubos Kosco - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray - PERFORMANCE OF THIS SOFTWARE.
c577d2f6c082eaff9af5bc997d12f3d3bcef537cPeter Bray-->
c577d2f6c082eaff9af5bc997d12f3d3bcef537cPeter Bray<!-- $Id: dnssec-keyfromlabel.html,v 1.6 2009/07/11 01:12:45 tbox Exp $ -->
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<html>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<head>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
c577d2f6c082eaff9af5bc997d12f3d3bcef537cPeter Bray<title>dnssec-keyfromlabel</title>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray</head>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
d961aa46ea0d50fed47802497e45226b1965b12dVladimir Kotal<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
d961aa46ea0d50fed47802497e45226b1965b12dVladimir Kotal<div class="refnamediv">
d961aa46ea0d50fed47802497e45226b1965b12dVladimir Kotal<h2>Name</h2>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
cd71fb134e037849c77364b50940b1870c4684ceVladimir Kotal</div>
cd71fb134e037849c77364b50940b1870c4684ceVladimir Kotal<div class="refsynopsisdiv">
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<h2>Synopsis</h2>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code>  {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray</div>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<div class="refsect1" lang="en">
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<a name="id2543413"></a><h2>DESCRIPTION</h2>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal      gets keys with the given label from a crypto hardware and builds
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray      key files for DNSSEC (Secure DNS), as defined in RFC 2535
c577d2f6c082eaff9af5bc997d12f3d3bcef537cPeter Bray      and RFC 4034.
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal    </p>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal</div>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal<div class="refsect1" lang="en">
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal<a name="id2543425"></a><h2>OPTIONS</h2>
b17cb0705d90907337b3528aa7b8ed1700806f26Vladimir Kotal<div class="variablelist"><dl>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal<dd>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal<p>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal        Selects the cryptographic algorithm.  The value of
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal        <code class="option">algorithm</code> must be one of RSAMD5 (RSA)
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal        or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
6ce0623fa4ef95af9d77700a1c9c19ec1a919326Guillaume Smet        These values are case insensitive.
6ce0623fa4ef95af9d77700a1c9c19ec1a919326Guillaume Smet      </p>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal<p>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal            Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal            algorithm, and DSA is recommended.
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal          </p>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal<p>
83439b4ed8fe40097dc3f2c05168d26bd7926159Vladimir Kotal            Note 2: DH automatically sets the -k flag.
83439b4ed8fe40097dc3f2c05168d26bd7926159Vladimir Kotal          </p>
83439b4ed8fe40097dc3f2c05168d26bd7926159Vladimir Kotal</dd>
3ba66fbb56ef22f183da783a1b2718280c357a4eStanislav Kozina<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
3ba66fbb56ef22f183da783a1b2718280c357a4eStanislav Kozina<dd><p>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal            Specifies the label of keys in the crypto hardware
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal            (PKCS#11 device).
c577d2f6c082eaff9af5bc997d12f3d3bcef537cPeter Bray          </p></dd>
c577d2f6c082eaff9af5bc997d12f3d3bcef537cPeter Bray<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
c577d2f6c082eaff9af5bc997d12f3d3bcef537cPeter Bray<dd><p>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray            Specifies the owner type of the key.  The value of
0ca9a2c194523c517c3aafe5758e217ac88d6baaLubos Kosco            <code class="option">nametype</code> must either be ZONE (for a DNSSEC
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal            a host (KEY)),
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal            USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
cd348e325366620fe047edcc849e3c9424828599Peter Bray            These values are
3b0448fdd830b8d04c6a71511e5d26a4fc3b5b80Lubos Kosco            case insensitive.
cd348e325366620fe047edcc849e3c9424828599Peter Bray          </p></dd>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<dd><p>
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal            Indicates that the DNS record containing the key should have
6c8465e3b4611cb632cba9b0572e3e3737c8c341Vladimir Kotal            the specified class.  If not specified, class IN is used.
43dac746513591adbd09bc4f417feb385f4fd87eVladimir Kotal          </p></dd>
fbf97ea1786d1e25add88bbfb91810170473bc9fLubos Kosco<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
fbf97ea1786d1e25add88bbfb91810170473bc9fLubos Kosco<dd><p>
fbf97ea1786d1e25add88bbfb91810170473bc9fLubos Kosco            Set the specified flag in the flag field of the KEY/DNSKEY record.
fbf97ea1786d1e25add88bbfb91810170473bc9fLubos Kosco            The only recognized flag is KSK (Key Signing Key) DNSKEY.
fbf97ea1786d1e25add88bbfb91810170473bc9fLubos Kosco          </p></dd>
fbf97ea1786d1e25add88bbfb91810170473bc9fLubos Kosco<dt><span class="term">-h</span></dt>
fbf97ea1786d1e25add88bbfb91810170473bc9fLubos Kosco<dd><p>
fbf97ea1786d1e25add88bbfb91810170473bc9fLubos Kosco            Prints a short summary of the options and arguments to
f21b682cd9b414738a4f5a38b56f6682e537e1d2Trond Norbye            <span><strong class="command">dnssec-keygen</strong></span>.
3b0448fdd830b8d04c6a71511e5d26a4fc3b5b80Lubos Kosco          </p></dd>
3b0448fdd830b8d04c6a71511e5d26a4fc3b5b80Lubos Kosco<dt><span class="term">-k</span></dt>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<dd><p>
cd348e325366620fe047edcc849e3c9424828599Peter Bray            Generate KEY records rather than DNSKEY records.
cd348e325366620fe047edcc849e3c9424828599Peter Bray          </p></dd>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<dd><p>
cd348e325366620fe047edcc849e3c9424828599Peter Bray            Sets the protocol value for the generated key.  The protocol
2cf31ec93bd5d8a2efeab511ce051da51e69aedaLubos Kosco            is a number between 0 and 255.  The default is 3 (DNSSEC).
2cf31ec93bd5d8a2efeab511ce051da51e69aedaLubos Kosco            Other possible values for this argument are listed in
43dac746513591adbd09bc4f417feb385f4fd87eVladimir Kotal            RFC 2535 and its successors.
43dac746513591adbd09bc4f417feb385f4fd87eVladimir Kotal          </p></dd>
2cf31ec93bd5d8a2efeab511ce051da51e69aedaLubos Kosco<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
43dac746513591adbd09bc4f417feb385f4fd87eVladimir Kotal<dd><p>
43dac746513591adbd09bc4f417feb385f4fd87eVladimir Kotal            Indicates the use of the key.  <code class="option">type</code> must be
2cf31ec93bd5d8a2efeab511ce051da51e69aedaLubos Kosco            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
0ca9a2c194523c517c3aafe5758e217ac88d6baaLubos Kosco            is AUTHCONF.  AUTH refers to the ability to authenticate
d280c5e286f5b98be13237f52281ae5afdcf51b9Peter Bray            data, and CONF the ability to encrypt data.
d280c5e286f5b98be13237f52281ae5afdcf51b9Peter Bray          </p></dd>
d280c5e286f5b98be13237f52281ae5afdcf51b9Peter Bray<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
d280c5e286f5b98be13237f52281ae5afdcf51b9Peter Bray<dd><p>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray            Sets the debugging level.
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray          </p></dd>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray</dl></div>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray</div>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<div class="refsect1" lang="en">
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<a name="id2543619"></a><h2>GENERATED KEY FILES</h2>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<p>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray      When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
cd348e325366620fe047edcc849e3c9424828599Peter Bray      successfully,
cd348e325366620fe047edcc849e3c9424828599Peter Bray      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray      to the standard output.  This is an identification string for
cd348e325366620fe047edcc849e3c9424828599Peter Bray      the key files it has generated.
cd348e325366620fe047edcc849e3c9424828599Peter Bray    </p>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<div class="itemizedlist"><ul type="disc">
cd348e325366620fe047edcc849e3c9424828599Peter Bray<li><p><code class="filename">nnnn</code> is the key name.
cd348e325366620fe047edcc849e3c9424828599Peter Bray        </p></li>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<li><p><code class="filename">aaa</code> is the numeric representation
cd348e325366620fe047edcc849e3c9424828599Peter Bray          of the
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray          algorithm.
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray        </p></li>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<li><p><code class="filename">iiiii</code> is the key identifier (or
0ca9a2c194523c517c3aafe5758e217ac88d6baaLubos Kosco          footprint).
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray        </p></li>
0ca9a2c194523c517c3aafe5758e217ac88d6baaLubos Kosco</ul></div>
d280c5e286f5b98be13237f52281ae5afdcf51b9Peter Bray<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
5762c9f28c2246777be0e9d49cb29d9c0f49146dLubos Kosco      creates two files, with names based
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray      contains the public key, and
d280c5e286f5b98be13237f52281ae5afdcf51b9Peter Bray      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
d280c5e286f5b98be13237f52281ae5afdcf51b9Peter Bray      private
d280c5e286f5b98be13237f52281ae5afdcf51b9Peter Bray      key.
d280c5e286f5b98be13237f52281ae5afdcf51b9Peter Bray    </p>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<p>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray      The <code class="filename">.key</code> file contains a DNS KEY record
d280c5e286f5b98be13237f52281ae5afdcf51b9Peter Bray      that
b34561d2c3d92fac37dbced05ba6a8738e3d20e9Lubos Kosco      can be inserted into a zone file (directly or with a $INCLUDE
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray      statement).
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray    </p>
5e6c91d7e77062129cd0b6ac8aaa546dff216419Lubos Kosco<p>
c83dfde6b364917fa8ed28142d509a7c29a4da68Vladimir Kotal      The <code class="filename">.private</code> file contains algorithm
c83dfde6b364917fa8ed28142d509a7c29a4da68Vladimir Kotal      specific
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray      fields.  For obvious security reasons, this file does not have
cd348e325366620fe047edcc849e3c9424828599Peter Bray      general read permission.
cd348e325366620fe047edcc849e3c9424828599Peter Bray    </p>
cd348e325366620fe047edcc849e3c9424828599Peter Bray</div>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<div class="refsect1" lang="en">
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<a name="id2543691"></a><h2>SEE ALSO</h2>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
cd348e325366620fe047edcc849e3c9424828599Peter Bray      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
cd348e325366620fe047edcc849e3c9424828599Peter Bray      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
cd348e325366620fe047edcc849e3c9424828599Peter Bray      <em class="citetitle">RFC 2539</em>,
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray      <em class="citetitle">RFC 2845</em>,
cd348e325366620fe047edcc849e3c9424828599Peter Bray      <em class="citetitle">RFC 4033</em>.
0b2998be561e7bf5e3479d686a5af36f712b0d9aVladimir Kotal    </p>
0b2998be561e7bf5e3479d686a5af36f712b0d9aVladimir Kotal</div>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<div class="refsect1" lang="en">
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray<a name="id2543731"></a><h2>AUTHOR</h2>
cd348e325366620fe047edcc849e3c9424828599Peter Bray<p><span class="corpauthor">Internet Systems Consortium</span>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray    </p>
cd348e325366620fe047edcc849e3c9424828599Peter Bray</div>
d2a02e104622a26dd90fa88f4f17188f2039809fPeter Bray</div></body>
cd348e325366620fe047edcc849e3c9424828599Peter Bray</html>
c842732324ee4c74ede17887ad1f0dcdc4364a2cLubos Kosco