dnssec-keyfromlabel.html revision bbbf2e27d3a981163dab139497d6b2dc85449db0
<!--
Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")

Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
-->
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
gets keys with the given label from cryptographic hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
The <code class="option">name</code> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256 or ECDSAP384SHA384.
These values are case insensitive.
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
algorithm, and DSA is recommended.
Note 2: DH automatically sets the -k flag.
<dt><span class="term">-3</span></dt>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
Specifies the cryptographic hardware to use.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
Specifies the label for a key pair in the crypto hardware.
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
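<p>Added example, not part of the BIND manual or of BIND's own code: a small parser for the two label syntaxes described above (the OpenSSL "engine:keylabel" form and the native "pkcs11:keyword=value;..." URI form) that reports when a label carries a pin-source, the case the note above warns about. Percent-decoding of URI values follows RFC 7512; the sample labels are constructed.</p>

```python
from urllib.parse import unquote


def parse_key_label(label):
    """Interpret a -l argument as the manual describes it.

    Returns a dict whose "kind" is "uri" for a native PKCS#11 URI
    ("pkcs11:keyword=value;...") or "engine" for the OpenSSL form
    ("[engine:]keylabel"), together with the fields extracted from it."""
    if label.startswith("pkcs11:") and "=" in label:
        attrs = {}
        for part in label[len("pkcs11:"):].split(";"):
            if not part:
                continue
            if "=" not in part:
                raise ValueError(f"malformed PKCS#11 URI component: {part!r}")
            key, value = part.split("=", 1)
            # RFC 7512 allows %XX escapes in attribute values.
            attrs[key.strip().lower()] = unquote(value)
        if "object" not in attrs:
            raise ValueError("PKCS#11 URI does not name an object (the key)")
        return {"kind": "uri", **attrs}
    engine, sep, keylabel = label.partition(":")
    if not sep:
        engine, keylabel = None, label
    if not keylabel:
        raise ValueError("empty key label")
    return {"kind": "engine", "engine": engine, "label": keylabel}


def pin_exposure_warnings(label):
    """Warnings worth raising before this label is written into the
    .private file: a pin-source makes the HSM PIN readable from disk,
    so anyone who can read that file and the key files can drive the HSM."""
    info = parse_key_label(label)
    warnings = []
    if info["kind"] == "uri" and "pin-source" in info:
        warnings.append(
            f"pin-source={info['pin-source']}: the HSM PIN is read from this "
            "file without operator interaction; protect it like the .private file"
        )
    return warnings


if __name__ == "__main__":
    # Constructed sample labels, one per syntax.
    for sample in ("pkcs11:keylabel",
                   "pkcs11:token=softhsm;object=example-ksk;pin-source=/etc/bind/hsm.pin"):
        print(parse_key_label(sample), pin_exposure_warnings(sample))
```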
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
These values are case insensitive.
<dt><span class="term">-C</span></dt>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
<dt><span class="term">-G</span></dt>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
<dt><span class="term">-h</span></dt>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keyfromlabel</strong></span>.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
Generate KEY records rather than DNSKEY records.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
<dt><span class="term">-y</span></dt>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
<a name="id2544025"></a><h2>TIMING OPTIONS</h2>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
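<p>Added example, not part of the BIND manual or of BIND's own code: a resolver for the date/offset syntax above (absolute YYYYMMDD and YYYYMMDDHHMMSS forms, signed offsets with the listed suffixes, and 'none'/'never'), plus the defaulting and -G conflict rules that the -P and -A descriptions state. Dates are treated as UTC, an assumption of this example; the reference time is passed in so results are reproducible.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Offset units exactly as the manual defines them: a year is 365 24-hour days
# and a month is 30 24-hour days (leap years and calendar months are ignored).
_UNIT_SECONDS = {
    "y": 365 * 86400,
    "mo": 30 * 86400,
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
    "": 1,  # no suffix: the offset is in seconds
}
_OFFSET_RE = re.compile(r"^([+-])(\d+)(y|mo|w|d|h|mi)?$")


def parse_timing(arg, now):
    """Resolve one -P/-A/-R/-I/-D argument against the supplied reference time.
    Returns a UTC datetime, or None for 'none'/'never' (date explicitly unset)."""
    s = arg.strip()
    if s.lower() in ("none", "never"):
        return None
    m = _OFFSET_RE.match(s)
    if m:
        sign, count, unit = m.groups()
        delta = timedelta(seconds=int(count) * _UNIT_SECONDS[unit or ""])
        return now + delta if sign == "+" else now - delta
    if s.isdigit() and len(s) == 8:  # YYYYMMDD
        return datetime.strptime(s, "%Y%m%d").replace(tzinfo=timezone.utc)
    if s.isdigit() and len(s) == 14:  # YYYYMMDDHHMMSS
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError(f"unrecognised date/offset: {arg!r}")


def resolve_schedule(now, generate_only=False, publish=None, activate=None,
                     revoke=None, retire=None, delete=None):
    """Apply the manual's rules: -P and -A default to 'now' unless -G was given,
    and -G may not be combined with an explicit -P or -A. An argument left at
    None was not given on the command line."""
    if generate_only and (publish is not None or activate is not None):
        raise ValueError("-G is incompatible with -P and -A")
    default_now = None if generate_only else now

    def resolve(arg, default):
        return default if arg is None else parse_timing(arg, now)

    return {
        "publish": resolve(publish, default_now),    # -P
        "activate": resolve(activate, default_now),  # -A
        "revoke": resolve(revoke, None),             # -R
        "retire": resolve(retire, None),             # -I
        "delete": resolve(delete, None),             # -D
    }


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for spec in ("+1y", "+1mo", "-2w", "+90", "20141231", "never"):
        print(f"{spec:>10} -> {parse_timing(spec, now)}")
    print(resolve_schedule(now, publish="+1d", activate="+2d", delete="+1y"))
```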
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
<a name="id2544123"></a><h2>GENERATED KEY FILES</h2>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
<li><p><code class="filename">nnnn</code> is the key name.
<li><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
<li><p><code class="filename">iiiii</code> is the key identifier (or
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
The <code class="filename">.key</code> file contains a DNS KEY record
can be inserted into a zone file (directly or with a $INCLUDE
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
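<p>Added example, not part of the BIND manual or of BIND's own code: it rebuilds the <code class="filename">Knnnn.+aaa+iiiii</code> identification string from the DNSKEY line in a <code class="filename">.key</code> file, using the RFC 4034 Appendix B key tag for the <code class="filename">iiiii</code> field and the IANA algorithm number for <code class="filename">aaa</code>. Because the flags are part of the hashed RDATA, setting the REVOKE flag changes the tag, which is the collision case the -y option refers to. The algorithm-number table, the flag bit values and the three-/five-digit zero padding are the example's own assumptions; the DNSKEY line is constructed and its key material is not a real key.</p>

```python
import base64
import struct

# Algorithm numbers (RFC 4034, 5155, 5702, 5933, 6605) for the mnemonics the
# -a option accepts; the manual lists the names, the number is the "aaa" field.
ALGORITHM_NUMBERS = {
    "RSAMD5": 1, "DSA": 3, "RSASHA1": 5, "NSEC3DSA": 6, "NSEC3RSASHA1": 7,
    "RSASHA256": 8, "RSASHA512": 10, "ECCGOST": 12,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14,
}
# DNSKEY flag bits: ZONE (RFC 4034), SEP (the "KSK" flag) and REVOKE (RFC 5011).
FLAG_BITS = {"ZONE": 0x0100, "KSK": 0x0001, "REVOKE": 0x0080}

# Constructed sample in the form found in a .key file; the "public key" is
# just the bytes 01..08 and is not real key material.
SAMPLE_KEY_LINE = "example.com. 3600 IN DNSKEY 257 3 8 AQIDBAUGBwg="


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line):
    """Split 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    owner = fields[0] if fields[0].endswith(".") else fields[0] + "."
    return owner, flags, proto, alg, pubkey


def flag_names(flags):
    return sorted(name for name, bit in FLAG_BITS.items() if flags & bit)


def key_file_basename(line, revoked=False):
    """Rebuild the Knnnn.+aaa+iiiii string for the key on a .key file line.
    With revoked=True the REVOKE bit is set first, which is why a revoked
    key ends up with a different key tag than the original."""
    owner, flags, proto, alg, pubkey = parse_dnskey_line(line)
    if alg == ALGORITHM_NUMBERS["RSAMD5"]:
        raise ValueError("algorithm 1 uses the older key tag rule (RFC 4034 B.1)")
    if revoked:
        flags |= FLAG_BITS["REVOKE"]
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    return f"K{owner}+{alg:03d}+{key_tag(rdata):05d}"


def revoked_key_tag(line):
    return int(key_file_basename(line, revoked=True).rsplit("+", 1)[1])


if __name__ == "__main__":
    _, flags, _, _, _ = parse_dnskey_line(SAMPLE_KEY_LINE)
    print(key_file_basename(SAMPLE_KEY_LINE), flag_names(flags))
    print("after revocation:", key_file_basename(SAMPLE_KEY_LINE, revoked=True))
```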
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
<p><span class="corpauthor">Internet Systems Consortium</span>