dnssec-keyfromlabel.html revision c7d32c0b0ff4c01f0d4479af3410d3c06044d48a
52c1cac19a87d591152634a1de44a0311383b359Automatic Updater - Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - purpose with or without fee is hereby granted, provided that the above
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - copyright notice and this permission notice appear in all copies.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<!-- $Id: dnssec-keyfromlabel.html,v 1.9 2009/09/08 01:14:42 tbox Exp $ -->
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-U <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<a name="id2543467"></a><h2>DESCRIPTION</h2>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont gets keys with the given label from a crypto hardware and builds
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont key files for DNSSEC (Secure DNS), as defined in RFC 2535
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont and RFC 4034.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The <code class="option">name</code> of the key is specified on the command
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater line. This must match the name of the zone for which the key is
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater being generated.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Selects the cryptographic algorithm. The value of
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <code class="option">algorithm</code> must be one of RSAMD5 (RSA),
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater These values are case insensitive.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont algorithm, and DSA is recommended.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Note 2: DH automatically sets the -k flag.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Specifies the label of keys in the crypto hardware
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont (PKCS#11 device).
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Specifies the owner type of the key. The value of
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <code class="option">nametype</code> must either be ZONE (for a DNSSEC
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont a host (KEY)),
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater These values are case insensitive.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Compatibility mode: generates an old-style key, without
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater will include the key's creation date in the metadata stored
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater with the private key, and other dates may be set there as well
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater (publication date, activation date, etc). Keys that include
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater this data may be incompatible with older versions of BIND; the
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <code class="option">-C</code> option suppresses them.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Indicates that the DNS record containing the key should have
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont the specified class. If not specified, class IN is used.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Set the specified flag in the flag field of the KEY/DNSKEY record.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The only recognized flags are KSK (Key Signing Key) and REVOKE.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Prints a short summary of the options and arguments to
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <span><strong class="command">dnssec-keyfromlabel</strong></span>.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Sets the directory in which the key files are to be written.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Generate KEY records rather than DNSKEY records.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the protocol value for the key. The protocol
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont is a number between 0 and 255. The default is 3 (DNSSEC).
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Other possible values for this argument are listed in
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont RFC 2535 and its successors.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Indicates the use of the key. <code class="option">type</code> must be
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont is AUTHCONF. AUTH refers to the ability to authenticate
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont data, and CONF the ability to encrypt data.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont Sets the debugging level.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<a name="id2543717"></a><h2>TIMING OPTIONS</h2>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater If the argument begins with a '+' or '-', it is interpreted as
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater an offset from the present time. For convenience, if such an offset
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater then the offset is computed in years (defined as 365 24-hour days,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater ignoring leap years), months (defined as 30 24-hour days), weeks,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater days, hours, or minutes, respectively. Without a suffix, the offset
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater is computed in seconds.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which a key is to be published to the zone.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater After that date, the key will be included in the zone but will
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater not be used to sign it.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which the key is to be activated. After that
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater date, the key will be included and the zone and used to sign
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which the key is to be revoked. After that
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater date, the key will be flagged as revoked. It will be included
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater in the zone and will be used to sign it.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-U <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which the key is to be unpublished. After that
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater date, the key will no longer be included in the zone, but it
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater may remain in the key repository.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which the key is to be deleted. After that
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater date, the key can be removed from the key repository.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater NOTE: Keys are not currently deleted automatically; this field
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater is included for informational purposes and for future
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<a name="id2543815"></a><h2>GENERATED KEY FILES</h2>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont successfully,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont to the standard output. This is an identification string for
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont the key files it has generated.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<li><p><code class="filename">nnnn</code> is the key name.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<li><p><code class="filename">aaa</code> is the numeric representation
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater of the algorithm.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<li><p><code class="filename">iiiii</code> is the key identifier (or
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont creates two files, with names based
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont contains the public key, and
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont The <code class="filename">.key</code> file contains a DNS KEY record
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont can be inserted into a zone file (directly or with a $INCLUDE
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The <code class="filename">.private</code> file contains
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater algorithm-specific
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont fields. For obvious security reasons, this file does not have
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont general read permission.
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
90f35c2f2a1c660f3b96eec413036d238df395f6Francis Dupont<p><span class="corpauthor">Internet Systems Consortium</span>