dnssec-keyfromlabel.html revision 5a24d24c8fba3480d707c0c902379ddb36501e12
<!--
 - Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.html,v 1.13 2009/10/17 01:14:35 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543483"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 gets keys with the given label from crypto hardware and builds
 key files for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034.
 </p>
<p>
 The <code class="option">name</code> of the key is specified on the command
 line. This must match the name of the zone for which the key is
 being generated.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543501"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA),
 RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
 These values are case insensitive.
 </p>
<p>
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead.
 </p>
<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
 </p>
<p>
 Note 2: DH automatically sets the -k flag.
 </p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default.
 </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Specifies the name of the crypto hardware (OpenSSL engine).
 When compiled with PKCS#11 support it defaults to "pkcs11".
 </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
 Specifies the label of the key pair in the crypto hardware.
 The label may be preceded by an optional OpenSSL engine name,
 separated by a colon, as in "pkcs11:keylabel".
 </p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive.
 </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc.). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
 </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
 </p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keyfromlabel</strong></span>.
 </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to be written.
 </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
 </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
 </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543850"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds.
 </p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
 </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now".
 </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
 </p></dd>
<dt><span class="term">-U <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
 </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
 </p></dd>
</dl></div>
</div>
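<p>
 The date/offset rules above, worked through as an added example that is not part of the ISC manual page or of BIND's code. The helper names <code>parse_when</code> and <code>resolve_schedule</code> are hypothetical, and reading absolute dates as UTC is an assumption the page does not state.
 </p>

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per suffix, exactly as the TIMING OPTIONS text defines them.
UNITS = {
    "y": 365 * 86400,  # 365 24-hour days, leap years ignored
    "mo": 30 * 86400,  # 30 24-hour days
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
    None: 1,           # no suffix: the offset is in seconds
}
OFFSET = re.compile(r"([+-])([0-9]+)(y|mo|w|d|h|mi)?")
ABSOLUTE = {8: "%Y%m%d", 14: "%Y%m%d%H%M%S"}


def parse_when(arg, now):
    """Resolve one date/offset argument to an absolute time (hypothetical helper)."""
    m = OFFSET.fullmatch(arg)
    if m:
        sign, count, unit = m.groups()
        delta = timedelta(seconds=int(count) * UNITS[unit])
        return now + delta if sign == "+" else now - delta
    if re.fullmatch(r"[0-9]{8}|[0-9]{14}", arg):
        # Assumption: absolute dates are read as UTC; the page does not say.
        parsed = datetime.strptime(arg, ABSOLUTE[len(arg)])
        return parsed.replace(tzinfo=timezone.utc)
    raise ValueError(f"not a date or offset: {arg!r}")


def resolve_schedule(opts, now, generate_only=False):
    """Map option letters from TIMING OPTIONS (P, A, R, U, D) to absolute times.

    generate_only models -G, which the page says is incompatible with -P and
    -A; without it, unset -P and -A default to "now".
    """
    if generate_only and ("P" in opts or "A" in opts):
        raise ValueError("-G is incompatible with -P and -A")
    times = {letter: parse_when(value, now) for letter, value in opts.items()}
    if not generate_only:
        times.setdefault("P", now)
        times.setdefault("A", now)
    return times


if __name__ == "__main__":
    # Constructed "present time" so the output is reproducible.
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    plan = resolve_schedule({"A": "+1mo", "U": "+1y", "D": "20250201"}, now)
    for letter in "PAUD":
        print(f"-{letter}", plan[letter].isoformat())
```

<p>
 Because a year is 365 days and a month is 30 days, "+1y" from 1 January 2024 resolves to 31 December 2024 rather than 1 January 2025, which matters when rollover dates are planned against calendar deadlines.
 </p>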
<div class="refsect1" lang="en">
<a name="id2544017"></a><h2>GENERATED KEY FILES</h2>
<p>
 When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key files it has generated.
 </p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
 </p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
 of the algorithm.
 </p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
 footprint).
 </p></li>
</ul></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 private key.
 </p>
<p>
 The <code class="filename">.key</code> file contains a DNS KEY record
 that
 can be inserted into a zone file (directly or with a $INCLUDE
 statement).
 </p>
<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
 </p>
</div>
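<p>
 A key-directory check built on the file naming and permission statements above, as an added example that is not part of the ISC manual page or of BIND. The function names and the sample files are constructed for illustration, and flagging any group or other permission bit is a stricter policy than the "no general read permission" the page states.
 </p>

```python
import os
import re
import stat
import tempfile

# K<name>.+<aaa>+<iiiii>.<key|private>, following the form printed by the tool.
KEYFILE = re.compile(
    r"K(?P<name>.+)\.\+(?P<alg>[0-9]{3})\+(?P<keyid>[0-9]{5})\.(?P<ext>key|private)"
)


def parse_key_filename(filename):
    """Split a key file name into its parts, or return None if it is not one."""
    m = KEYFILE.fullmatch(filename)
    if m is None:
        return None
    return {"name": m["name"], "algorithm": int(m["alg"]),
            "key_id": int(m["keyid"]), "ext": m["ext"]}


def audit_key_directory(directory):
    """Return sorted (key identification string, problem) findings."""
    seen = {}
    findings = []
    for entry in os.listdir(directory):
        parts = parse_key_filename(entry)
        if parts is None:
            continue  # not a key file, ignore
        base = entry.rsplit(".", 1)[0]
        seen.setdefault(base, set()).add(parts["ext"])
        if parts["ext"] == "private":
            mode = stat.S_IMODE(os.stat(os.path.join(directory, entry)).st_mode)
            if mode & 0o077:  # any group or other bit set (added, stricter policy)
                findings.append(
                    (base, f"private file mode {mode:04o} grants group or other access"))
    # The tool creates two files per key; report a pair with one half missing.
    for base, exts in seen.items():
        for missing in {"key", "private"} - exts:
            findings.append((base, f"missing .{missing} file"))
    return sorted(findings)


def build_sample(directory):
    """Write constructed placeholder files (no real key material) for a demo run."""
    sample = {
        "Kexample.com.+005+12345.key": 0o644,
        "Kexample.com.+005+12345.private": 0o600,
        "Kexample.com.+005+54321.key": 0o644,
        "Kexample.com.+005+54321.private": 0o644,  # readable by everyone: flagged
        "Kexample.net.+007+00042.private": 0o600,  # no .key beside it: flagged
    }
    for filename, mode in sample.items():
        path = os.path.join(directory, filename)
        with open(path, "w") as handle:
            handle.write("constructed placeholder\n")
        os.chmod(path, mode)  # set explicitly so the umask does not interfere


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as workdir:
        build_sample(workdir)
        for base, problem in audit_key_directory(workdir):
            print(f"{base}: {problem}")
```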
<div class="refsect1" lang="en">
<a name="id2544089"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 2539</em>,
 <em class="citetitle">RFC 2845</em>,
 <em class="citetitle">RFC 4033</em>.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2544129"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
 </p>
</div>
</div></body>
</html>