dnssec-keyfromlabel.html revision 90f35c2f2a1c660f3b96eec413036d238df395f6
<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.html,v 1.2 2008/03/31 15:05:25 fdupont Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 retrieves keys with the given label from cryptographic hardware and builds
 key files for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034.</p>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA),
 RSASHA1, DSA or DH (Diffie-Hellman). These values
 are case-insensitive.
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
 Note 2: DH automatically sets the -k flag.
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
 Specifies the label of the keys in the cryptographic hardware
 (PKCS#11 device).
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case-insensitive.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Sets the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key) DNSKEY.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-k</span></dt>
 Generate KEY records rather than DNSKEY records.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
<a name="id2543652"></a><h2>GENERATED KEY FILES</h2>
 When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key files it has generated.
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
<li><p><code class="filename">iiiii</code> is the key identifier (or
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 The <code class="filename">.key</code> file contains a DNS KEY record
 can be inserted into a zone file (directly or with a $INCLUDE
 The <code class="filename">.private</code> file contains algorithm
 fields. For obvious security reasons, this file does not have
 general read permission.
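<p>Added example, not part of the BIND documentation: a Python check that parses the <code class="filename">Knnnn.+aaa+iiiii</code> identification string and audits a key directory for <code class="filename">.private</code> files that grant group or other access. The owner-only policy, the function names and the sample file names are assumptions; the algorithm numbers are the IANA DNSSEC values for the algorithms listed under -a.</p>

```python
import os
import re
import stat
import tempfile

# Identification string printed by the tool: K<name>.+<aaa>+<iiiii>
KEY_ID_RE = re.compile(r"^K(?P<name>.+\.)\+(?P<alg>\d{3})\+(?P<keyid>\d{5})$")
# IANA DNSSEC algorithm numbers for the algorithms listed under -a.
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1"}


def parse_key_id(base):
    """Split an identification string into (name, algorithm, key id)."""
    m = KEY_ID_RE.match(base)
    if m is None:
        raise ValueError("not a Knnnn.+aaa+iiiii string: %r" % base)
    alg = int(m.group("alg"))
    return m.group("name"), ALGORITHMS.get(alg, "unknown"), int(m.group("keyid"))


def audit_key_dir(directory):
    """Return (base, problem) findings for every .private file in directory."""
    findings = []
    for entry in sorted(os.listdir(directory)):
        if not entry.endswith(".private"):
            continue
        base = entry[: -len(".private")]
        if KEY_ID_RE.match(base) is None:
            findings.append((base, "unexpected file name"))
            continue
        mode = stat.S_IMODE(os.lstat(os.path.join(directory, entry)).st_mode)
        # Assumed policy: owner-only, stricter than "no general read permission".
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((base, "mode %04o grants group/other access" % mode))
        if not os.path.isfile(os.path.join(directory, base + ".key")):
            findings.append((base, "missing .key file"))
    return findings


def demo():
    """Audit a constructed directory: one owner-only key, one world-readable."""
    with tempfile.TemporaryDirectory() as d:
        for base, private_mode in (("Kexample.com.+005+12345", 0o600),
                                   ("Kexample.net.+003+00042", 0o644)):
            for ext, mode in ((".key", 0o644), (".private", private_mode)):
                path = os.path.join(d, base + ext)
                open(path, "w").close()
                os.chmod(path, mode)
        return audit_key_dir(d)
```

<p>Calling <code>audit_key_dir()</code> on the directory where the key files were written returns an empty list when every <code class="filename">.private</code> file is owner-only and has its matching <code class="filename">.key</code> file.</p>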
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span></p>