dnssec-keyfromlabel.html revision bfb7b680bf88c1fdd9949197b71c512c532280a4
f743002678eb67b99bbc29fee116b65d9530fec0wrowe<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
80833bb9a1bf25dcf19e814438a4b311d2e1f4cffuankg<!--
5c43d2fb853f84497b5ece2d414ef9484aa87e5fsf - Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
eeb7898b9c087040d44550f8a6b1a257783c9f0ahumbedooh -
eeb7898b9c087040d44550f8a6b1a257783c9f0ahumbedooh - This Source Code Form is subject to the terms of the Mozilla Public
eeb7898b9c087040d44550f8a6b1a257783c9f0ahumbedooh - License, v. 2.0. If a copy of the MPL was not distributed with this
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf - file, You can obtain one at http://mozilla.org/MPL/2.0/.
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf-->
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf<html lang="en">
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf<head>
eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf<title>dnssec-keyfromlabel</title>
d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf</head>
4576c1a9ef54cd1e5555ee07d016a7f559f80338sf<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
4576c1a9ef54cd1e5555ee07d016a7f559f80338sf<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
4576c1a9ef54cd1e5555ee07d016a7f559f80338sf
9811aed12bbc71783d2e544ccb5fecd193843eadsf
9811aed12bbc71783d2e544ccb5fecd193843eadsf
9811aed12bbc71783d2e544ccb5fecd193843eadsf
d58a822aff1dfda25384d3d009f88f1883c95436kbrand
d58a822aff1dfda25384d3d009f88f1883c95436kbrand <div class="refnamediv">
d58a822aff1dfda25384d3d009f88f1883c95436kbrand<h2>Name</h2>
e02ff627c1e63137247e20493f6ef44b3bb1a095sf<p>
e02ff627c1e63137247e20493f6ef44b3bb1a095sf <span class="application">dnssec-keyfromlabel</span>
e02ff627c1e63137247e20493f6ef44b3bb1a095sf &#8212; DNSSEC key generation tool
39f33ff7759ccee97f161f789b0cab07e735a6bcjailletc </p>
39f33ff7759ccee97f161f789b0cab07e735a6bcjailletc</div>
39f33ff7759ccee97f161f789b0cab07e735a6bcjailletc
1366443dc565c33e7b449ae428bbfc4c86f33935drh
1366443dc565c33e7b449ae428bbfc4c86f33935drh
88fac54d9d64f85bbdab5d7010816f4377f95bd7rjung <div class="refsynopsisdiv">
88fac54d9d64f85bbdab5d7010816f4377f95bd7rjung<h2>Synopsis</h2>
c896413ef7cc4cf8cea20c6783d0a93a9d77dc21jailletc <div class="cmdsynopsis"><p>
c896413ef7cc4cf8cea20c6783d0a93a9d77dc21jailletc <code class="command">dnssec-keyfromlabel</code>
c896413ef7cc4cf8cea20c6783d0a93a9d77dc21jailletc {-l <em class="replaceable"><code>label</code></em>}
bd3f5647b96d378d9c75c954e3f13582af32c643sf [<code class="option">-3</code>]
bd3f5647b96d378d9c75c954e3f13582af32c643sf [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
bd3f5647b96d378d9c75c954e3f13582af32c643sf [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
bd3f5647b96d378d9c75c954e3f13582af32c643sf [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
bd3f5647b96d378d9c75c954e3f13582af32c643sf [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
2a7beea91d46beb41f043a84eaad060047ee04aafabien [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
2a7beea91d46beb41f043a84eaad060047ee04aafabien [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
2a7beea91d46beb41f043a84eaad060047ee04aafabien [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
2a7beea91d46beb41f043a84eaad060047ee04aafabien [<code class="option">-G</code>]
9e430d18dde58791589bd699416c8319560dd067jim [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
9e430d18dde58791589bd699416c8319560dd067jim [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
9e430d18dde58791589bd699416c8319560dd067jim [<code class="option">-k</code>]
584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sf [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sf [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sf [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
f6b9c755a0b793e8a3a3aebd327ca20a86478117sf [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
f6b9c755a0b793e8a3a3aebd327ca20a86478117sf [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
f6b9c755a0b793e8a3a3aebd327ca20a86478117sf [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
132ee6ac1c26d6e8953836316ba50734eefab47bsf [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
132ee6ac1c26d6e8953836316ba50734eefab47bsf [<code class="option">-V</code>]
132ee6ac1c26d6e8953836316ba50734eefab47bsf [<code class="option">-y</code>]
fc1459657a1fde206a847f9028930725d715f8b4trawick {name}
fc1459657a1fde206a847f9028930725d715f8b4trawick </p></div>
fc1459657a1fde206a847f9028930725d715f8b4trawick </div>
85eacfc96a04547ef25aabbc06440039715084c2jorton
85eacfc96a04547ef25aabbc06440039715084c2jorton <div class="refsection">
85eacfc96a04547ef25aabbc06440039715084c2jorton<a name="id-1.7"></a><h2>DESCRIPTION</h2>
f34da68471f256dca0ff770257c3e1f982f74cf1trawick
f34da68471f256dca0ff770257c3e1f982f74cf1trawick <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
f34da68471f256dca0ff770257c3e1f982f74cf1trawick generates a key pair of files that referencing a key object stored
68ba377fc3b124baa759662077c48077ebadb186minfrin in a cryptographic hardware service module (HSM). The private key
68ba377fc3b124baa759662077c48077ebadb186minfrin file can be used for DNSSEC signing of zone data as if it were a
68ba377fc3b124baa759662077c48077ebadb186minfrin conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
68ba377fc3b124baa759662077c48077ebadb186minfrin but the key material is stored within the HSM, and the actual signing
d776b0a2d2889ce1d13494873368f34327a2e1bbtrawick takes place there.
d776b0a2d2889ce1d13494873368f34327a2e1bbtrawick </p>
f4ca9f6f002fece336168a16355434ca966f96a9trawick <p>
57db302f0875a6c93a79333b8941cea4c1827272jim The <code class="option">name</code> of the key is specified on the command
57db302f0875a6c93a79333b8941cea4c1827272jim line. This must match the name of the zone for which the key is
57db302f0875a6c93a79333b8941cea4c1827272jim being generated.
57db302f0875a6c93a79333b8941cea4c1827272jim </p>
78f94f1d06c4e6828ce04d618221e0fcecb57849humbedooh </div>
78f94f1d06c4e6828ce04d618221e0fcecb57849humbedooh
78f94f1d06c4e6828ce04d618221e0fcecb57849humbedooh <div class="refsection">
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick<a name="id-1.8"></a><h2>OPTIONS</h2>
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick
536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick <div class="variablelist"><dl class="variablelist">
70caa242e6b90e0d6f0fabb56b8c5c2fb51717b3jorton<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
985a4368b93c3e9171a57897ad9454c8dbf4cdf6jorton<dd>
70caa242e6b90e0d6f0fabb56b8c5c2fb51717b3jorton <p>
70caa242e6b90e0d6f0fabb56b8c5c2fb51717b3jorton Selects the cryptographic algorithm. The value of
109e2a09790de3fb315d36d6232a14ab66c8eb0ahumbedooh <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
109e2a09790de3fb315d36d6232a14ab66c8eb0ahumbedooh DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
109e2a09790de3fb315d36d6232a14ab66c8eb0ahumbedooh ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
74e7a30182af5e68f14ccb8d57918b22b982db8bhumbedooh These values are case insensitive.
74e7a30182af5e68f14ccb8d57918b22b982db8bhumbedooh </p>
74e7a30182af5e68f14ccb8d57918b22b982db8bhumbedooh <p>
10961a2f60207cb873d889bb28b1f0ef707a4311humbedooh If no algorithm is specified, then RSASHA1 will be used by
10961a2f60207cb873d889bb28b1f0ef707a4311humbedooh default, unless the <code class="option">-3</code> option is specified,
10961a2f60207cb873d889bb28b1f0ef707a4311humbedooh in which case NSEC3RSASHA1 will be used instead. (If
0448378b899e8df0c060360f17c0af692adf17bchumbedooh <code class="option">-3</code> is used and an algorithm is specified,
0448378b899e8df0c060360f17c0af692adf17bchumbedooh that algorithm will be checked for compatibility with NSEC3.)
0448378b899e8df0c060360f17c0af692adf17bchumbedooh </p>
60a765cccbd3f3b5997b65b0034220c79f78369etrawick <p>
60a765cccbd3f3b5997b65b0034220c79f78369etrawick Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
60a765cccbd3f3b5997b65b0034220c79f78369etrawick algorithm, and DSA is recommended.
e7ca863b04ee2a7aea7738cadbf51ce5e6c5245dhumbedooh </p>
e7ca863b04ee2a7aea7738cadbf51ce5e6c5245dhumbedooh <p>
e7ca863b04ee2a7aea7738cadbf51ce5e6c5245dhumbedooh Note 2: DH automatically sets the -k flag.
e7ca863b04ee2a7aea7738cadbf51ce5e6c5245dhumbedooh </p>
91654e263480f0fdc2a03d782ff23f8dad07cf79humbedooh </dd>
91814c869ca39ce45dfe147307d2a831cac6ecbehumbedooh<dt><span class="term">-3</span></dt>
91654e263480f0fdc2a03d782ff23f8dad07cf79humbedooh<dd>
79c5787b92ac5f0e1cc82393816c77a006399316trawick <p>
79c5787b92ac5f0e1cc82393816c77a006399316trawick Use an NSEC3-capable algorithm to generate a DNSSEC key.
79c5787b92ac5f0e1cc82393816c77a006399316trawick If this option is used and no algorithm is explicitly
79c5787b92ac5f0e1cc82393816c77a006399316trawick set on the command line, NSEC3RSASHA1 will be used by
c967bf3bc89e8aa60dbd30d9da388e448ddc1cc4trawick default.
79c5787b92ac5f0e1cc82393816c77a006399316trawick </p>
79c5787b92ac5f0e1cc82393816c77a006399316trawick </dd>
79c5787b92ac5f0e1cc82393816c77a006399316trawick<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
79c5787b92ac5f0e1cc82393816c77a006399316trawick<dd>
79c5787b92ac5f0e1cc82393816c77a006399316trawick <p>
12b987b969f03ef98d9175a53d849ab62f5684fecovener Specifies the cryptographic hardware to use.
12b987b969f03ef98d9175a53d849ab62f5684fecovener </p>
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton <p>
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton When BIND is built with OpenSSL PKCS#11 support, this defaults
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton to the string "pkcs11", which identifies an OpenSSL engine
7b395e4e878c28a4784919cfd2e704ddd14a3390jorton that can drive a cryptographic accelerator or hardware service
536e48c08d674acac5d44929318f2ad928edc361jorton module. When BIND is built with native PKCS#11 cryptography
536e48c08d674acac5d44929318f2ad928edc361jorton (--enable-native-pkcs11), it defaults to the path of the PKCS#11
e81785da447b469da66f218b3f0244aab507958djorton provider library specified via "--with-pkcs11".
e81785da447b469da66f218b3f0244aab507958djorton </p>
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton </dd>
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton<dd>
459eaf0826f995b73a0dc066f59ea10d2824e72dsf <p>
459eaf0826f995b73a0dc066f59ea10d2824e72dsf Specifies the label for a key pair in the crypto hardware.
459eaf0826f995b73a0dc066f59ea10d2824e72dsf </p>
459eaf0826f995b73a0dc066f59ea10d2824e72dsf <p>
53e9b27aba029b18be814df40bcf6f0428771d1efuankg When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
53e9b27aba029b18be814df40bcf6f0428771d1efuankg PKCS#11 support, the label is an arbitrary string that
53e9b27aba029b18be814df40bcf6f0428771d1efuankg identifies a particular key. It may be preceded by an
53e9b27aba029b18be814df40bcf6f0428771d1efuankg optional OpenSSL engine name, followed by a colon, as in
53e9b27aba029b18be814df40bcf6f0428771d1efuankg "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
6bb524f1895f30265a1431afc460977d391cb36bsf </p>
6bb524f1895f30265a1431afc460977d391cb36bsf <p>
ca61ccd0c306c2c72df153688ba1b49f3eceed80sf When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
6bb524f1895f30265a1431afc460977d391cb36bsf support, the label is a PKCS#11 URI string in the format
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin Keywords include "token", which identifies the HSM; "object", which
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin identifies the key; and "pin-source", which identifies a file from
e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin which the HSM's PIN code can be obtained. The label will be
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin stored in the on-disk "private" file.
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin </p>
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin <p>
23f1535d6a60817d2846bac0aea230ea475d7dccminfrin If the label contains a
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung <code class="option">pin-source</code> field, tools using the generated
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung key files will be able to use the HSM for signing and other
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung operations without any need for an operator to manually enter
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung a PIN. Note: Making the HSM's PIN accessible in this manner
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung may reduce the security advantage of using an HSM; be sure
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung this is what you want to do before making use of this feature.
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung </p>
ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung </dd>
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick<dd>
0827cb14e550f6f65018431c22c2c913631c8f25kbrand <p>
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick Specifies the owner type of the key. The value of
ae600ca541efc686b34f8b1f21bd3d0741d37674covener <code class="option">nametype</code> must either be ZONE (for a DNSSEC
6249dfa569d3b4f1f539665b979a80c6e335d93etrawick zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
cfa64348224b66dd1c9979b809406c4d15b1c137fielding a host (KEY)),
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
cfa64348224b66dd1c9979b809406c4d15b1c137fielding These values are case insensitive.
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim </p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding </dd>
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim<dt><span class="term">-C</span></dt>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding<dd>
74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim <p>
cfa64348224b66dd1c9979b809406c4d15b1c137fielding Compatibility mode: generates an old-style key, without
any metadata. By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd>
<p>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p>
</dd>
<dt><span class="term">-G</span></dt>
<dd>
<p>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints a short summary of the options and arguments to
<span class="command"><strong>dnssec-keyfromlabel</strong></span>.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which the key files are to be written.
</p>
</dd>
<dt><span class="term">-k</span></dt>
<dd>
<p>
Generate KEY records rather than DNSKEY records.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p>
</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
<p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p>
</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd>
<p>
Generate a key as an explicit successor to an existing key.
The name, algorithm, size, and type of the key will be set
to match the predecessor. The activation date of the new
key will be set to the inactivation date of the existing
one. The publication date will be set to the activation
date minus the prepublication interval, which defaults to
30 days.
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
<p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
<dt><span class="term">-y</span></dt>
<dd>
<p>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be published to the zone.
</p>
</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</p>
</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p>
</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records which match
this key are to be deleted.
</p>
</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
</p>
<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
<p><code class="filename">nnnn</code> is the key name.
</p>
</li>
<li class="listitem">
<p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p>
</li>
<li class="listitem">
<p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p>
</li>
</ul></div>
<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4034</em>,
<em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
</p>
</div>
</div></body>
</html>