dnssec-keyfromlabel.html revision aaaf8d4f4873d21e55c3ffb4f656203d08339865
<!--
 - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543504"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from a crypto hardware device and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</p>
<p>
The <code class="option">name</code> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543522"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
</p>
<p>
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
algorithm, and DSA is recommended.
</p>
<p>
Note 2: DH automatically sets the -k flag.
</p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
default.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Specifies the name of the crypto hardware (OpenSSL engine).
When compiled with PKCS#11 support it defaults to "pkcs11".
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
Specifies the label of the key pair in the crypto hardware.
The label may be preceded by an optional OpenSSL engine name,
separated by a colon, as in "pkcs11:keylabel".
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc.). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keyfromlabel</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543977"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</dl></div>
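<p>
Added example, not part of BIND or of the original manual page: a shell
interpretation of a date/offset argument that follows only the rules stated
in this section, so a planned key schedule can be checked before it is passed
to -P, -A, -R, -I or -D. The function names <code>offset_seconds</code>,
<code>is_absolute_date</code> and <code>describe_time</code> are hypothetical,
and the sample arguments are constructed.
</p>

```shell
#!/bin/sh
# Added example, not BIND's own parser: classify a -P/-A/-R/-I/-D argument
# using only the rules stated under TIMING OPTIONS.

# offset_seconds ARG: print the signed offset in seconds for a '+'/'-'
# argument; return 1 if ARG is not a well-formed offset.
offset_seconds() {
    case $1 in
        +*) sign=1 ;;
        -*) sign=-1 ;;
        *)  return 1 ;;
    esac
    body=${1#?}
    digits=${body%%[!0-9]*}              # leading run of digits
    suffix=${body#"$digits"}             # whatever follows them
    [ -n "$digits" ] || return 1
    digits=${digits#"${digits%%[!0]*}"}  # drop leading zeros (avoid octal)
    digits=${digits:-0}
    case $suffix in
        y)  unit=31536000 ;;             # 365 24-hour days, no leap years
        mo) unit=2592000 ;;              # 30 24-hour days
        w)  unit=604800 ;;
        d)  unit=86400 ;;
        h)  unit=3600 ;;
        mi) unit=60 ;;
        '') unit=1 ;;                    # no suffix: seconds
        *)  return 1 ;;
    esac
    echo $((sign * digits * unit))
}

# is_absolute_date ARG: succeed for YYYYMMDD or YYYYMMDDHHMMSS (digits only).
is_absolute_date() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ ${#1} -eq 8 ] || [ ${#1} -eq 14 ]
}

# describe_time ARG: print "offset <seconds>", "absolute" or "invalid".
describe_time() {
    if secs=$(offset_seconds "$1"); then
        echo "offset $secs"
    elif is_absolute_date "$1"; then
        echo "absolute"
    else
        echo "invalid"
    fi
}

# Constructed sample arguments; "+12mo" is 360 days, five short of "+1y".
for arg in +1y +12mo -2w +90 20110101 20110101120000 +3x; do
    printf '%-16s %s\n' "$arg" "$(describe_time "$arg")"
done
```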
</div>
<div class="refsect1" lang="en">
<a name="id2543051"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
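<p>
Added example, not part of BIND or of the original manual page: a shell audit
of a key directory that splits each <code class="filename">Knnnn.+aaa+iiiii</code>
name into its parts and reports private key files that are accessible beyond
their owner or lack a matching <code class="filename">.key</code> file. The
function names are hypothetical, the algorithm numbers are the IANA values for
the algorithms listed under -a, and treating any group or other permission bit
as a finding is an assumption stricter than the text above.
</p>

```shell
#!/bin/sh
# Added example, not part of BIND: audit a directory of key files named
# Knnnn.+aaa+iiiii.key / .private, as described under GENERATED KEY FILES.

# alg_name AAA: mnemonic for the three-digit algorithm number, limited to
# the algorithms this page lists for -a (numbers per the IANA registry).
alg_name() {
    case $1 in
        001) echo RSAMD5 ;;          003) echo DSA ;;
        005) echo RSASHA1 ;;         006) echo NSEC3DSA ;;
        007) echo NSEC3RSASHA1 ;;    008) echo RSASHA256 ;;
        010) echo RSASHA512 ;;       012) echo ECCGOST ;;
        013) echo ECDSAP256SHA256 ;; 014) echo ECDSAP384SHA384 ;;
        *)   echo UNKNOWN ;;
    esac
}

# parse_key_id STRING: print "name algorithm keyid"; return 1 if STRING
# (optionally with a directory and .key/.private suffix) is malformed.
parse_key_id() {
    base=${1##*/}
    base=${base%.key}
    base=${base%.private}
    case $base in
        K*.+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    keyid=${base##*+}
    rest=${base%+*}
    alg=${rest##*+}
    name=${rest%.+*}
    name=${name#K}
    echo "${name:-.} $(alg_name "$alg") $keyid"   # empty name is the root zone
}

# audit_key_dir DIR: print one finding per line; return 1 if any were found.
audit_key_dir() {
    findings=0
    for priv in "$1"/K*.private; do
        [ -e "$priv" ] || continue
        if ! parse_key_id "$priv" >/dev/null; then
            echo "unexpected file name: $priv"; findings=1; continue
        fi
        # Columns 5-10 of the ls mode string are the group and other bits.
        # Assumption: any of them set on a private key file is a finding.
        if [ "$(ls -ld "$priv" | cut -c5-10)" != "------" ]; then
            echo "group/other access: $priv"; findings=1
        fi
        if [ ! -e "${priv%.private}.key" ]; then
            echo "missing public key file: ${priv%.private}.key"; findings=1
        fi
    done
    [ "$findings" -eq 0 ]
}

# Usage: sh audit.sh /path/to/keydir   (the directory that was given to -K)
if [ $# -gt 0 ]; then
    audit_key_dir "$1"
fi
```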
</div>
<div class="refsect1" lang="en">
<a name="id2543124"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4034</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543157"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>