dnssec-keyfromlabel.html revision bfb7b680bf88c1fdd9949197b71c512c532280a4
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<span class="application">dnssec-keyfromlabel</span>
— DNSSEC key generation tool
<code class="command">dnssec-keyfromlabel</code>
{-l <em class="replaceable"><code>label</code></em>}
[<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
[<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
generates a pair of key files that reference a key object stored
in a cryptographic hardware service module (HSM). The private key
file can be used for DNSSEC signing of zone data as if it were a
conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
but the key material is stored within the HSM, and the actual signing
takes place there.
The <code class="option">name</code> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
These values are case insensitive.
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
algorithm, and DSA is recommended.
Note 2: DH automatically sets the -k flag.
<dt><span class="term">-3</span></dt>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
Specifies the cryptographic hardware to use.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
Specifies the label for a key pair in the crypto hardware.
When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
PKCS#11 support, the label is an arbitrary string that
identifies a particular key. It may be preceded by an
optional OpenSSL engine name, followed by a colon, as in
"pkcs11:<em class="replaceable"><code>keylabel</code></em>".
When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
support, the label is a PKCS#11 URI string in the format
"pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]".
Keywords include "token", which identifies the HSM; "object", which
identifies the key; and "pin-source", which identifies a file from
which the HSM's PIN code can be obtained. The label will be
stored in the on-disk "private" file.
If the label contains a
<code class="option">pin-source</code> field, tools using the generated
key files will be able to use the HSM for signing and other
operations without any need for an operator to manually enter
a PIN. Note: Making the HSM's PIN accessible in this manner
may reduce the security advantage of using an HSM; be sure
this is what you want to do before making use of this feature.
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
These values are case insensitive.
<dt><span class="term">-C</span></dt>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc.). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses it.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
<dt><span class="term">-G</span></dt>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
<dt><span class="term">-h</span></dt>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
Generate KEY records rather than DNSKEY records.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
<dt><span class="term">-V</span></dt>
Prints version information.
<dt><span class="term">-y</span></dt>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
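<p>Added example, not part of the BIND documentation or code: a small audit for the <code class="option">pin-source</code> caveat in the <code class="option">-l</code> description above. It parses the native PKCS#11 label format and reports key files whose label lets tools reach the HSM without an operator, plus PIN files that group or other users can access. The function names are hypothetical, and it assumes the label sits on a <code class="literal">Label:</code> line of the "private" file and that the <code class="option">pin-source</code> value is a plain file path.</p>

```python
import os
import stat


def parse_pkcs11_label(label):
    """Split 'pkcs11:keyword=value[;keyword=value;...]' into a dict."""
    scheme, sep, rest = label.partition(":")
    if not sep or scheme != "pkcs11":
        raise ValueError("not a PKCS#11 URI label: %r" % label)
    attrs = {}
    for field in rest.split(";"):
        if not field:
            continue  # tolerate an empty field such as a trailing ';'
        keyword, eq, value = field.partition("=")
        if not eq or not keyword:
            raise ValueError("malformed field: %r" % field)
        attrs[keyword] = value
    return attrs


def label_from_private_file(path):
    """Return the label stored in a key's 'private' file, or None."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            name, sep, value = line.partition(":")
            # Assumption: the label is stored on a 'Label:' line.
            if sep and name.strip() == "Label":
                return value.strip()
    return None


def audit_private_file(path):
    """List findings about unattended PIN access for one 'private' file."""
    label = label_from_private_file(path)
    if label is None:
        return []
    try:
        attrs = parse_pkcs11_label(label)
    except ValueError:
        # OpenSSL-engine builds store an arbitrary string, not a URI.
        return []
    pin_source = attrs.get("pin-source")
    if pin_source is None:
        return []  # an operator must enter the PIN; nothing on disk to check
    findings = ["%s: HSM PIN is read from %s without operator input"
                % (path, pin_source)]
    try:
        mode = stat.S_IMODE(os.stat(pin_source).st_mode)
    except OSError as exc:
        findings.append("%s: cannot stat PIN file (%s)"
                        % (pin_source, exc.strerror))
        return findings
    if mode & 0o077:
        findings.append("%s: mode %04o lets group/other users access the PIN"
                        % (pin_source, mode))
    return findings


if __name__ == "__main__":
    import sys
    for private_file in sys.argv[1:]:
        for finding in audit_private_file(private_file):
            print(finding)
```

<p>Run it over the "private" files in the key directory given with <code class="option">-K</code>; an empty result means no label there carries a <code class="option">pin-source</code> field.</p>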
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
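<p>Added example, not BIND's own code: the date/offset rules and the <code class="option">-i</code> and <code class="option">-S</code> defaults described above, written out so a planned rollover schedule can be checked before keys are created. Function names are hypothetical, absolute dates are assumed to be UTC, and when neither date is given the example leaves both at "now" because the page does not describe how <code class="option">-i</code> applies in that case.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Unit lengths as defined in TIMING OPTIONS: a year is 365 days, a month 30.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, "": 1}
_INTERVAL = re.compile(r"(\d+)(y|mo|w|d|h|mi)?", re.IGNORECASE)


def parse_interval(text):
    """Parse an interval such as '30d', '2mo' or '3600' (seconds)."""
    match = _INTERVAL.fullmatch(text)
    if match is None:
        raise ValueError("bad interval: %r" % text)
    unit = (match.group(2) or "").lower()
    return timedelta(seconds=int(match.group(1)) * UNIT_SECONDS[unit])


def parse_time(text, now):
    """Parse a date/offset argument; 'none' and 'never' give None."""
    if not text:
        raise ValueError("empty date/offset")
    if text.lower() in ("none", "never"):
        return None
    if text[0] in "+-":
        delta = parse_interval(text[1:])
        return now + delta if text[0] == "+" else now - delta
    fmt = {8: "%Y%m%d", 14: "%Y%m%d%H%M%S"}.get(len(text))
    if fmt is None or not text.isdigit():
        raise ValueError("bad date: %r" % text)
    # Assumption: absolute dates are interpreted as UTC.
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def plan_dates(now, publish, activate, interval):
    """Apply the -i rules; a date of None here means 'option not given'."""
    if publish is None and activate is None:
        return now, now  # stated defaults for -P and -A
    if publish is None:
        return activate - interval, activate
    if activate is None:
        return publish, publish + interval
    if activate - publish < interval:
        raise ValueError("publication and activation are closer than "
                         "the prepublication interval")
    return publish, activate


def successor_dates(predecessor_inactive, interval=timedelta(days=30)):
    """-S: activate at the predecessor's inactivation, publish earlier."""
    return predecessor_inactive - interval, predecessor_inactive


if __name__ == "__main__":
    current = datetime.now(timezone.utc)
    pub, act = plan_dates(current, None, parse_time("+1mo", current),
                          parse_interval("1w"))
    print("publish :", pub.strftime("%Y%m%d%H%M%S"))
    print("activate:", act.strftime("%Y%m%d%H%M%S"))
```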
<a name="id-1.10"></a><h2>GENERATED KEY FILES</h2>
When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<p><code class="filename">nnnn</code> is the key name.