dnssec-keyfromlabel.html revision 8ec3c085233cedb22b05da36e2773c8f357a7e45
<!--
 - Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.html,v 1.11 2009/10/06 01:14:41 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
      gets the keys with the given label from a crypto hardware device and builds
      key files for DNSSEC (Secure DNS), as defined in RFC 2535
      and RFC 4034.
    </p>
<p>
      The <code class="option">name</code> of the key is specified on the command
      line. This must match the name of the zone for which the key is
      being generated.
    </p>
<h2>OPTIONS</h2>
<dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
      Selects the cryptographic algorithm. The value of
      <code class="option">algorithm</code> must be one of RSAMD5 (RSA),
      RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie-Hellman).
      These values are case insensitive.
    </p>
<p>
      Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
      algorithm, and DSA is recommended.
    </p>
<p>
      Note 2: DH automatically sets the -k flag.
    </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
      Specifies the name of the crypto hardware (OpenSSL engine).
      When compiled with PKCS#11 support it defaults to pkcs11.
    </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
      Specifies the label of keys in the crypto hardware (OpenSSL
      engine). An example for the pkcs11 engine is pkcs11:foo
      (note that the string pkcs11 appears in both the -E and -l options).
    </p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
      Specifies the owner type of the key. The value of
      <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
      zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
      a host (KEY)), USER (for a key associated with a user (KEY)) or
      OTHER (DNSKEY). These values are case insensitive.
    </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
      Compatibility mode: generates an old-style key, without
      any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
      will include the key's creation date in the metadata stored
      with the private key, and other dates may be set there as well
      (publication date, activation date, etc). Keys that include
      this data may be incompatible with older versions of BIND; the
      <code class="option">-C</code> option suppresses them.
    </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
      Indicates that the DNS record containing the key should have
      the specified class. If not specified, class IN is used.
    </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
      Set the specified flag in the flag field of the KEY/DNSKEY record.
      The only recognized flags are KSK (Key Signing Key) and REVOKE.
    </p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
      Generate a key, but do not publish it or sign with it. This
      option is incompatible with -P and -A.
    </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
      Prints a short summary of the options and arguments to
      <span><strong class="command">dnssec-keyfromlabel</strong></span>.
    </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
      Sets the directory in which the key files are to be written.
    </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
      Generate KEY records rather than DNSKEY records.
    </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
      Sets the protocol value for the key. The protocol
      is a number between 0 and 255. The default is 3 (DNSSEC).
      Other possible values for this argument are listed in
      RFC 2535 and its successors.
    </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
      Indicates the use of the key. <code class="option">type</code> must be
      one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
      is AUTHCONF. AUTH refers to the ability to authenticate
      data, and CONF the ability to encrypt data.
    </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
      Sets the debugging level.
    </p></dd>
</dl>
<a name="id2543828"></a><h2>TIMING OPTIONS</h2>
<p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time. For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively. Without a suffix, the offset
      is computed in seconds.
    </p>
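<p>The date/offset syntax described above, as an added example that is not part of BIND or of this manual page: a small Python parser that resolves -P/-A/-R/-U/-D values against an explicitly supplied reference time, and a schedule check that reports a key whose lifecycle dates run backwards (activated before it is published, deleted while it is still signing). The function names, the use of UTC for absolute dates and the ordering rules in <code>check_schedule</code> are this example's own assumptions; the defaults for -P and -A and the -G incompatibility follow the text of this page.</p>

```python
"""Resolve the date/offset syntax of the timing options (-P, -A, -R, -U, -D).

Added example, not part of BIND.  Absolute dates are taken as UTC and the
reference time is passed in explicitly; both are assumptions of this example
(the real tool uses the current time).
"""
import re
from datetime import datetime, timedelta, timezone

# Seconds per suffix, using the definitions from the man page: a year is
# 365 24-hour days (leap years ignored) and a month is 30 24-hour days.
_SUFFIX_SECONDS = {
    "y": 365 * 86400,
    "mo": 30 * 86400,
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
    "": 1,  # no suffix: the offset is in seconds
}

_OFFSET_RE = re.compile(r"([+-])(\d+)(y|mo|w|d|h|mi)?")


def parse_offset(text):
    """Convert '+3mo', '-1y', '+90', ... into a timedelta."""
    m = _OFFSET_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"not an offset: {text!r}")
    sign, digits, suffix = m.groups()
    seconds = int(digits) * _SUFFIX_SECONDS[suffix or ""]
    return timedelta(seconds=-seconds if sign == "-" else seconds)


def parse_timing_option(text, now):
    """Resolve one timing option value to an absolute datetime.

    A leading '+' or '-' marks an offset from `now`; otherwise the value
    must be YYYYMMDD or YYYYMMDDHHMMSS.
    """
    if text and text[0] in "+-":
        return now + parse_offset(text)
    for fmt in ("%Y%m%d%H%M%S", "%Y%m%d"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date/offset: {text!r}")


def check_schedule(now, publish=None, activate=None, retire=None,
                   delete=None, generate_only=False):
    """Resolve a key's lifecycle dates and report ordering problems.

    Defaults follow the man page: -P and -A default to "now" unless -G
    (generate_only) is given, and -G is incompatible with -P and -A.
    The ordering rules themselves are this example's own sanity checks.
    """
    if generate_only and (publish is not None or activate is not None):
        return ["-G is incompatible with -P and -A"]

    def resolve(value):
        if value is None:
            return None if generate_only else now
        return parse_timing_option(value, now)

    p, a = resolve(publish), resolve(activate)
    u = parse_timing_option(retire, now) if retire else None
    d = parse_timing_option(delete, now) if delete else None

    problems = []
    if p and a and a < p:
        problems.append("key would be activated before it is published")
    if a and u and u < a:
        problems.append("key would be retired before it is activated")
    if u and d and d < u:
        problems.append("key would be deleted before it is retired")
    if p and d and d < p:
        problems.append("key would be deleted before it is published")
    return problems


if __name__ == "__main__":
    ref = datetime(2009, 10, 6, 1, 14, 41, tzinfo=timezone.utc)
    for value in ("+3mo", "-1y", "20100101", "20100101123000"):
        print(f"{value:>16} -> {parse_timing_option(value, ref):%Y-%m-%d %H:%M:%S}")
    print(check_schedule(ref, publish="+1mo", activate="+1d"))
```

<p>Passing the reference time in rather than calling the clock is what makes the check testable and reproducible; a rollover script can run the same check against the planned dates before invoking the tool.</p>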
<dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
      Sets the date on which a key is to be published to the zone.
      After that date, the key will be included in the zone but will
      not be used to sign it. If not set, and if the -G option has
      not been used, the default is "now".
    </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
      Sets the date on which the key is to be activated. After that
      date, the key will be included in the zone and used to sign
      it. If not set, and if the -G option has not been used, the
      default is "now".
    </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
      Sets the date on which the key is to be revoked. After that
      date, the key will be flagged as revoked. It will be included
      in the zone and will be used to sign it.
    </p></dd>
<dt><span class="term">-U <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
      Sets the date on which the key is to be retired. After that
      date, the key will still be included in the zone, but it
      will not be used to sign it.
    </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
      Sets the date on which the key is to be deleted. After that
      date, the key will no longer be included in the zone. (It
      may remain in the key repository, however.)
    </p></dd>
</dl>
<a name="id2543994"></a><h2>GENERATED KEY FILES</h2>
<p>
      When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
      successfully,
      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
      to the standard output. This is an identification string for
      the key files it has generated.
    </p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
      of the algorithm.</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
</ul>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
      creates two files, with names based
      on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
      contains the public key, and
      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
    </p>
<p>
      The <code class="filename">.key</code> file contains a DNS KEY record
    </p>
<p>
      can be inserted into a zone file (directly or with a $INCLUDE
    </p>
<p>
      The <code class="filename">.private</code> file contains
      algorithm-specific
      fields. For obvious security reasons, this file does not have
      general read permission.
    </p>
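<p>An added example, not code from BIND, covering the -f flags and -a algorithms listed under OPTIONS and the key files described in this section: it decodes the <code>Knnnn.+aaa+iiiii</code> identification string, reads the DNSKEY record out of the <code>.key</code> file (decoding the flags field so that a KSK or a REVOKEd key is visible), and checks that the <code>.private</code> file really does lack general read permission. The algorithm-number table holds the IANA DNSSEC algorithm numbers for the mnemonics this page lists; the flag bit values are from RFC 4034 and RFC 5011. The function names and the sample files written to a temporary directory are this example's own constructions and contain no real key material.</p>

```python
"""Decode the Knnnn.+aaa+iiiii identifier, read the DNSKEY record from the
.key file and check that the .private file is not readable by others.

Added example, not BIND code.  Algorithm numbers are the IANA DNSSEC
algorithm numbers for the mnemonics the man page lists; the key file
contents are constructed for this example and hold no real key material.
"""
import os
import re
import stat
import tempfile

ALGORITHM_NAMES = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1",
                   6: "NSEC3DSA", 7: "NSEC3RSASHA1"}

# DNSKEY flag bits: ZONE (RFC 4034), SEP, which -f KSK sets (RFC 4034),
# and REVOKE, which -f REVOKE or the -R date sets (RFC 5011).
FLAG_ZONE, FLAG_REVOKE, FLAG_SEP = 0x0100, 0x0080, 0x0001

_ID_RE = re.compile(r"K(?P<name>[^+]+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})")

# Constructed .key file: a KSK (flags 257) using algorithm 5 (RSASHA1).
SAMPLE_KEY_FILE = """\
; constructed for the example: the base64 field is not a real public key
example.com. IN DNSKEY 257 3 5 AwEAAcNOTAREALKEYexampleONLYfake==
"""


def parse_key_id(identifier):
    """Split 'Kexample.com.+005+12345' into (name, algorithm, key id)."""
    m = _ID_RE.fullmatch(identifier)
    if m is None:
        raise ValueError(f"not a key identification string: {identifier!r}")
    return m.group("name"), int(m.group("alg")), int(m.group("id"))


def describe_flags(flags):
    """Names of the bits set in a DNSKEY flags field."""
    return [name for bit, name in ((FLAG_ZONE, "ZONE"), (FLAG_SEP, "KSK"),
                                   (FLAG_REVOKE, "REVOKE")) if flags & bit]


def parse_key_file(text):
    """Return the first DNSKEY/KEY record in .key file text as a dict."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";"):
            continue
        # TTL and class may or may not precede the record type.
        idx = next((i for i, f in enumerate(fields) if f in ("DNSKEY", "KEY")), None)
        if idx is None:
            continue
        flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
        return {"owner": fields[0], "type": fields[idx], "flags": flags,
                "flag_names": describe_flags(flags), "protocol": protocol,
                "algorithm": algorithm,
                "algorithm_name": ALGORITHM_NAMES.get(algorithm, f"unknown({algorithm})")}
    raise ValueError("no DNSKEY/KEY record found")


def private_key_exposed(path):
    """True when the .private file is readable by group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_key_pair(directory, identifier):
    """Check that both files exist, that the .key record matches the
    identifier, and that the private key is not exposed.  Returns findings."""
    name, alg, _ = parse_key_id(identifier)
    key_path = os.path.join(directory, identifier + ".key")
    priv_path = os.path.join(directory, identifier + ".private")
    findings = []
    if not os.path.isfile(key_path):
        findings.append("missing .key file")
    else:
        with open(key_path) as f:
            rec = parse_key_file(f.read())
        if rec["owner"].rstrip(".") != name.rstrip("."):
            findings.append("owner name in .key does not match identifier")
        if rec["algorithm"] != alg:
            findings.append("algorithm in .key does not match identifier")
    if not os.path.isfile(priv_path):
        findings.append("missing .private file")
    elif private_key_exposed(priv_path):
        findings.append(".private file is readable by group or others")
    return findings


def demo_audit():
    """Audit a throw-away key directory twice: with the .private file
    correctly protected (mode 0600) and after it has been opened up (0644)."""
    ident = "Kexample.com.+005+12345"
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, ident + ".key"), "w") as f:
            f.write(SAMPLE_KEY_FILE)
        priv = os.path.join(d, ident + ".private")
        with open(priv, "w") as f:
            f.write("; constructed placeholder, no key material\n")
        os.chmod(priv, 0o600)
        secure = audit_key_pair(d, ident)
        os.chmod(priv, 0o644)
        exposed = audit_key_pair(d, ident)
    return secure, exposed


if __name__ == "__main__":
    print(parse_key_file(SAMPLE_KEY_FILE))
    print(demo_audit())
```

<p>Run periodically over the directory given with -K, <code>audit_key_pair</code> catches the two failure modes that matter operationally: a key file that no longer matches the identifier it was published under, and a <code>.private</code> file whose permissions were loosened after generation (for example by a copy or a backup restore).</p>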
<h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
    </p>
<h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span></p>