man.dnssec-keyfromlabel.html revision 30c0c7470d5bfabd8f43c563f4eca636d06cc484
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2620667"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
      generates a pair of key files that reference a key object stored
      in a hardware security module (HSM). The private key file can be
      used for DNSSEC signing of zone data as if it were a conventional
      signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
      but the key material stays within the HSM, and the actual signing
      takes place there. The on-disk "private" file therefore holds only
      the label needed to locate the key in the HSM, not the secret itself.
    </p>
<p>
      The <code class="option">name</code> of the key is specified on the command
      line. This must match the name of the zone for which the key is
      being generated.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2620693"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
      Selects the cryptographic algorithm. The value of
      <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
      DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
      ECDSAP256SHA256 or ECDSAP384SHA384.
      These values are case insensitive.
    </p>
<p>
      If no algorithm is specified, then RSASHA1 will be used by
      default, unless the <code class="option">-3</code> option is specified,
      in which case NSEC3RSASHA1 will be used instead. (If
      <code class="option">-3</code> is used and an algorithm is specified,
      that algorithm will be checked for compatibility with NSEC3.)
    </p>
<p>
      Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
      algorithm, and DSA is recommended. That reflects RFC 4034;
      RFC 8624 has since made RSAMD5, DSA, NSEC3DSA and ECCGOST
      "must not" for signing and RSASHA1 and NSEC3RSASHA1 "not
      recommended", so for new keys prefer ECDSAP256SHA256 or
      RSASHA256 where the HSM supports them.
    </p>
<p>
      Note 2: DH automatically sets the -k flag.
    </p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
      Use an NSEC3-capable algorithm to generate a DNSSEC key.
      If this option is used and no algorithm is explicitly
      set on the command line, NSEC3RSASHA1 will be used by
      default.
    </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
      Specifies the cryptographic hardware to use.
    </p>
<p>
      When BIND is built with OpenSSL PKCS#11 support, this defaults
      to the string "pkcs11", which identifies an OpenSSL engine
      that can drive a cryptographic accelerator or hardware security
      module. When BIND is built with native PKCS#11 cryptography
      (--enable-native-pkcs11), it defaults to the path of the PKCS#11
      provider library specified via "--with-pkcs11".
    </p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
      Specifies the label for a key pair in the cryptographic hardware.
    </p>
<p>
      When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
      PKCS#11 support, the label is an arbitrary string that
      identifies a particular key. It may be preceded by an
      optional OpenSSL engine name, followed by a colon, as in
      "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
    </p>
<p>
      When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
      support, the label is a PKCS#11 URI string in the format
      "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
      Keywords include "token", which identifies the HSM; "object", which
      identifies the key; and "pin-source", which identifies a file from
      which the HSM's PIN code can be obtained. The label will be
      stored in the on-disk "private" file.
    </p>
<p>
      If the label contains a
      <code class="option">pin-source</code> field, tools using the generated
      key files will be able to use the HSM for signing and other
      operations without any need for an operator to manually enter
      a PIN. Note: making the HSM's PIN accessible in this manner
      may reduce the security advantage of using an HSM, since anyone
      who can read the PIN file can use the key; be sure this is what
      you want to do before making use of this feature.
    </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
      Specifies the owner type of the key. The value of
      <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
      zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
      a host (KEY)), USER (for a key associated with a user (KEY))
      or OTHER (DNSKEY).
      These values are case insensitive.
    </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
      Compatibility mode: generates an old-style key, without
      any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
      will include the key's creation date in the metadata stored
      with the private key, and other dates may be set there as well
      (publication date, activation date, etc). Keys that include
      this data may be incompatible with older versions of BIND; the
      <code class="option">-C</code> option suppresses them.
    </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
      Indicates that the DNS record containing the key should have
      the specified class. If not specified, class IN is used.
    </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
      Set the specified flag in the flag field of the KEY/DNSKEY record.
      The only recognized flags are KSK (Key Signing Key) and REVOKE.
    </p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
      Generate a key, but do not publish it or sign with it. This
      option is incompatible with -P and -A.
    </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
      Prints a short summary of the options and arguments to
      <span><strong class="command">dnssec-keyfromlabel</strong></span>.
    </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
      Sets the directory in which the key files are to be written.
    </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
      Generate KEY records rather than DNSKEY records.
    </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
      Sets the default TTL to use for this key when it is converted
      into a DNSKEY RR. If the key is imported into a zone,
      this is the TTL that will be used for it, unless there was
      already a DNSKEY RRset in place, in which case the existing TTL
      would take precedence. Setting the default TTL to
      <code class="literal">0</code> or <code class="literal">none</code> removes it.
    </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
      Sets the protocol value for the key. The protocol
      is a number between 0 and 255. The default is 3 (DNSSEC).
      Other possible values for this argument are listed in
      RFC 2535 and its successors.
    </p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
      Generate a key as an explicit successor to an existing key.
      The name, algorithm, size, and type of the key will be set
      to match the predecessor. The activation date of the new
      key will be set to the inactivation date of the existing
      one. The publication date will be set to the activation
      date minus the prepublication interval, which defaults to
      30 days.
    </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
      Indicates the use of the key. <code class="option">type</code> must be
      one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
      is AUTHCONF. AUTH refers to the ability to authenticate
      data, and CONF the ability to encrypt data.
    </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
      Sets the debugging level.
    </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
      Prints version information.
    </p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
      Allows DNSSEC key files to be generated even if the key ID
      would collide with that of an existing key, in the event of
      either key being revoked. (This is only safe to use if you
      are sure you won't be using RFC 5011 trust anchor maintenance
      with either of the keys involved.)
    </p></dd>
</dl></div>
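<p>
      An added example (not part of BIND or of this manual) showing how the
      two <code class="option">-l</code> label forms described above parse, and the
      check a practitioner should run before relying on a
      <code class="option">pin-source</code> field: the PIN file must exist and must
      not be readable by other users, otherwise anyone on the host can drive
      the HSM key. The token and object names and the file paths are
      constructed for illustration; such a label would be passed as
      <code class="command">dnssec-keyfromlabel -l "pkcs11:token=...;object=..." -f KSK example.com</code>.
    </p>

```python
"""Parse the two -l label formats and audit a pin-source file.

Added example, not code from BIND; the label strings and file paths used
with it are constructed for illustration.
"""
import os
import stat
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote


@dataclass
class KeyLabel:
    engine: Optional[str]      # OpenSSL engine name, e.g. "pkcs11", or None
    keylabel: Optional[str]    # bare key label (OpenSSL engine builds)
    attrs: Dict[str, str] = field(default_factory=dict)  # PKCS#11 URI keywords


def parse_label(label: str) -> KeyLabel:
    """Accept both forms documented for -l:

        [engine:]keylabel                      OpenSSL engine build
        pkcs11:keyword=value[;keyword=value]   native PKCS#11 build (RFC 7512 style)

    A 'pkcs11:' prefix followed by keyword=value pairs is treated as a URI;
    any other 'engine:label' string is treated as an OpenSSL engine label.
    """
    if label.startswith("pkcs11:") and "=" in label:
        attrs: Dict[str, str] = {}
        for part in label[len("pkcs11:"):].split(";"):
            if not part:
                continue
            if "=" not in part:
                raise ValueError("malformed PKCS#11 URI component: %r" % part)
            key, value = part.split("=", 1)
            attrs[key.strip()] = unquote(value)   # URIs may percent-encode values
        if "object" not in attrs:
            raise ValueError("PKCS#11 URI must name the key with object=")
        return KeyLabel(engine="pkcs11", keylabel=None, attrs=attrs)
    if ":" in label:
        engine, keylabel = label.split(":", 1)
        return KeyLabel(engine=engine, keylabel=keylabel)
    return KeyLabel(engine=None, keylabel=label)


def mode_problems(path: str, mode: int) -> List[str]:
    """A stored PIN lets anyone who can read it use the HSM key, so the
    file must not be group- or world-accessible."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return ["pin-source %s is group/world accessible (mode %s)"
                % (path, stat.filemode(mode))]
    return []


def pin_source_problems(label: KeyLabel) -> List[str]:
    """Return the reasons a pin-source= field in this label is risky, if any."""
    src = label.attrs.get("pin-source")
    if src is None:
        return []                       # operator will be prompted for the PIN
    path = src[len("file:"):] if src.startswith("file:") else src
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["pin-source %s does not exist" % path]
    return mode_problems(path, st.st_mode)


if __name__ == "__main__":
    # Constructed label: token, object and PIN file path are hypothetical.
    lbl = parse_label("pkcs11:token=softhsm;object=example.com-ksk;"
                      "pin-source=file:/etc/bind/hsm.pin")
    print(lbl)
    for problem in pin_source_problems(lbl):
        print("WARNING:", problem)
```

<p>
      The legacy "engine:keylabel" form carries no PIN at all, so
      <code>pin_source_problems()</code> returns nothing for it; the operator is
      prompted by the engine instead.
    </p>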
</div>
<div class="refsect1" lang="en">
<a name="id2672634"></a><h2>TIMING OPTIONS</h2>
<p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time. For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively. Without a suffix, the offset
      is computed in seconds. To explicitly prevent a date from being
      set, use 'none' or 'never'.
    </p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
      Sets the date on which a key is to be published to the zone.
      After that date, the key will be included in the zone but will
      not be used to sign it. If not set, and if the -G option has
      not been used, the default is "now".
    </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
      Sets the date on which the key is to be activated. After that
      date, the key will be included in the zone and used to sign
      it. If not set, and if the -G option has not been used, the
      default is "now".
    </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
      Sets the date on which the key is to be revoked. After that
      date, the key will be flagged as revoked. It will be included
      in the zone and will be used to sign it.
    </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
      Sets the date on which the key is to be retired. After that
      date, the key will still be included in the zone, but it
      will not be used to sign it.
    </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
      Sets the date on which the key is to be deleted. After that
      date, the key will no longer be included in the zone. (It
      may remain in the key repository, however.)
    </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
      Sets the prepublication interval for a key. If set, then
      the publication and activation dates must be separated by at least
      this much time. If the activation date is specified but the
      publication date isn't, then the publication date will default
      to this much time before the activation date; conversely, if
      the publication date is specified but activation date isn't,
      then activation will be set to this much time after publication.
    </p>
<p>
      If the key is being created as an explicit successor to another
      key, then the default prepublication interval is 30 days;
      otherwise it is zero.
    </p>
<p>
      As with date offsets, if the argument is followed by one of
      the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
      interval is measured in years, months, weeks, days, hours,
      or minutes, respectively. Without a suffix, the interval is
      measured in seconds.
    </p>
</dd>
</dl></div>
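<p>
      The date/offset grammar and the interaction of
      <code class="option">-P</code>, <code class="option">-A</code>,
      <code class="option">-i</code>, <code class="option">-S</code> and
      <code class="option">-G</code> described above, as an added Python example
      (not BIND's own code). It lets you predict the timing metadata the
      tool will write before touching the HSM. For <code class="option">-S</code>
      the predecessor's inactivation date is passed in directly, since
      reading it from the predecessor's key file is outside this example;
      the dates in the usage block are constructed.
    </p>

```python
"""Date/offset parsing and the -P/-A/-i/-S/-G timing rules.

Added example, not BIND code; timestamps in the usage block are constructed.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Suffixes as defined by the manual: a year is 365 days and a month 30 days.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, "": 1}


def parse_interval(spec: str) -> timedelta:
    """'30d', '2w', '90' (seconds) -> timedelta."""
    digits = 0
    while digits < len(spec) and spec[digits].isdigit():
        digits += 1
    unit = spec[digits:]
    if digits == 0 or unit not in UNIT_SECONDS:
        raise ValueError("bad interval: %r" % spec)
    return timedelta(seconds=int(spec[:digits]) * UNIT_SECONDS[unit])


def parse_when(spec: str, now: Optional[datetime]) -> Optional[datetime]:
    """YYYYMMDD, YYYYMMDDHHMMSS, +offset, -offset, or none/never -> UTC datetime.
    'now' is only consulted for relative offsets."""
    if spec.lower() in ("none", "never"):
        return None
    if spec[:1] in ("+", "-"):
        delta = parse_interval(spec[1:])
        return now + delta if spec[0] == "+" else now - delta
    if spec.isdigit() and len(spec) in (8, 14):
        fmt = "%Y%m%d" if len(spec) == 8 else "%Y%m%d%H%M%S"
        return datetime.strptime(spec, fmt).replace(tzinfo=timezone.utc)
    raise ValueError("bad date/offset: %r" % spec)


def resolve_timing(now: datetime,
                   publish: Optional[datetime] = None,
                   activate: Optional[datetime] = None,
                   interval: Optional[timedelta] = None,
                   predecessor_inactive: Optional[datetime] = None,
                   generate_only: bool = False
                   ) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Return (publication, activation) after applying the documented rules."""
    if generate_only:                            # -G
        if publish is not None or activate is not None:
            raise ValueError("-G is incompatible with -P and -A")
        return None, None                        # neither published nor active
    if predecessor_inactive is not None:         # -S: activate when the old key retires
        activate = predecessor_inactive
        if interval is None:
            interval = timedelta(days=30)        # successor default prepublication
    if interval is None:
        interval = timedelta(0)                  # -i default otherwise
    if activate is not None and publish is None:
        publish = activate - interval
    elif publish is not None and activate is None:
        activate = publish + interval
    elif publish is None and activate is None:
        publish = activate = now                 # both default to "now"
    elif activate - publish < interval:
        raise ValueError("publication and activation must be at least "
                         "the prepublication interval apart")
    return publish, activate


if __name__ == "__main__":
    now = datetime(2014, 6, 1, tzinfo=timezone.utc)       # constructed "present"
    pub, act = resolve_timing(now, activate=parse_when("+30d", now),
                              interval=parse_interval("1w"))
    print("publish", pub.isoformat(), "activate", act.isoformat())
    pub, act = resolve_timing(now, predecessor_inactive=parse_when("20140901", now))
    print("successor: publish", pub.date(), "activate", act.date())
```
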
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</div>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<div class="refsect1" lang="en">
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<a name="id2672824"></a><h2>GENERATED KEY FILES</h2>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt successfully,
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt to the standard output. This is an identification string for
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt the key files it has generated.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<div class="itemizedlist"><ul type="disc">
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<li><p><code class="filename">nnnn</code> is the key name (the owner
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt name of the DNSKEY record, written as a fully qualified name).
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </p></li>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<li><p><code class="filename">aaa</code> is the numeric representation
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt of the algorithm, zero-padded to three digits.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </p></li>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<li><p><code class="filename">iiiii</code> is the key identifier (the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt key tag of RFC 4034, also called the footprint), zero-padded to
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt five digits.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </p></li>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</ul></div>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt creates two files, with names based
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt contains the public key, and
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt private key.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt The <code class="filename">.key</code> file contains a DNSKEY record
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt (the public key in zone-file form) that can be inserted into a
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt zone file directly or with a $INCLUDE statement.
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt The <code class="filename">.private</code> file contains
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt algorithm-specific fields. Since it holds the private key, the
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt file is created without general read permission; preserve that
4610465ed9408cbe434dbfb8be8ea53f48969c91Bob Halley when the file is copied or backed up.
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews </p>
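<p>
 The following Python script is an added example, not code from BIND or
 from this manual. It parses a <code class="filename">Knnnn.+aaa+iiiii</code>
 file name, reads the DNSKEY record out of the matching
 <code class="filename">.key</code> file, recomputes the key tag from the
 record's RDATA as specified in RFC 4034, Appendix B, and reports any
 disagreement between the name and the record. The file name, the DNSKEY
 record and the public key in it are constructed for the example (the
 public key is a 12-byte placeholder, not a usable RSA key).
</p>

```python
"""Added example: check that a BIND key file name matches the DNSKEY it holds.

The file name Knnnn.+aaa+iiiii encodes the owner name, the algorithm number
and the key tag; the .key file holds the DNSKEY record.  Recomputing the key
tag from the record (RFC 4034, Appendix B) catches renamed or mismatched files.
"""
import base64
import re
import struct

# Knnnn.+aaa+iiiii, optionally followed by .key or .private
KEY_ID_RE = re.compile(
    r"^K(?P<name>[^+]+)\+(?P<alg>\d{3})\+(?P<tag>\d{5})(\.key|\.private)?$")


def parse_key_id(ident):
    """Split 'Kexample.com.+008+25358[.key]' into (owner name, algorithm, key tag)."""
    m = KEY_ID_RE.match(ident)
    if not m:
        raise ValueError("not a BIND key identifier: %r" % ident)
    return m.group("name"), int(m.group("alg")), int(m.group("tag"))


def dnskey_record(contents):
    """Return the first DNSKEY record line in .key file contents, comments stripped."""
    for line in contents.splitlines():
        line = line.split(";", 1)[0].strip()   # ';' starts a zone-file comment
        if "DNSKEY" in line.split():
            return line
    raise ValueError("no DNSKEY record found")


def dnskey_rdata(record):
    """Wire-format RDATA (flags, protocol, algorithm, public key) of a DNSKEY line."""
    fields = record.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    return struct.pack("!HBB", flags, proto, alg) + pubkey, alg


def key_tag(rdata, algorithm):
    """RFC 4034 Appendix B key tag of a DNSKEY RDATA."""
    if algorithm == 1:
        # B.1: RSA/MD5 uses the 4th- and 3rd-to-last octets of the modulus instead.
        return struct.unpack("!H", rdata[-3:-1])[0]
    ac = 0
    for i, octet in enumerate(rdata):
        ac += octet << 8 if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def verify_key_file(filename, contents):
    """List the mismatches between a key file's name and its DNSKEY record (empty = consistent)."""
    name, file_alg, file_tag = parse_key_id(filename)
    record = dnskey_record(contents)
    owner = record.split()[0]
    rdata, rec_alg = dnskey_rdata(record)
    tag = key_tag(rdata, rec_alg)
    problems = []
    if owner.lower() != name.lower():
        problems.append("owner %s does not match file name %s" % (owner, name))
    if rec_alg != file_alg:
        problems.append("algorithm %d in record, %d in file name" % (rec_alg, file_alg))
    if tag != file_tag:
        problems.append("key tag %d computed, %d in file name" % (tag, file_tag))
    return problems


# Constructed sample: a 12-byte placeholder "RSA" public key (not usable for
# signing) whose DNSKEY RDATA has key tag 25358.
SAMPLE_NAME = "Kexample.com.+008+25358.key"
SAMPLE_KEY = """; This is a key-signing key, keyid 25358, for example.com.
example.com. IN DNSKEY 257 3 8 AwEAAcD/7hI0Vnia
"""

if __name__ == "__main__":
    print(verify_key_file(SAMPLE_NAME, SAMPLE_KEY))                        # []
    print(verify_key_file("Kexample.com.+008+12345.key", SAMPLE_KEY))     # one mismatch
```

<p>
 Pass a real file name and the contents of its <code class="filename">.key</code>
 file to <code class="function">verify_key_file()</code>; an empty list means
 the owner name, algorithm and key tag in the name all agree with the record.
 The algorithm 1 branch exists only because RFC 4034 defines a different key
 tag for RSA/MD5; every other algorithm uses the general computation.
</p>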
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews</div>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews<div class="refsect1" lang="en">
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews<a name="id2672986"></a><h2>SEE ALSO</h2>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews <em class="citetitle">RFC 4034</em>,
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13, published as RFC 7512)</em>.
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews </p>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews</div>
62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews<div class="refsect1" lang="en">
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<a name="id2673024"></a><h2>AUTHOR</h2>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<p><span class="corpauthor">Internet Systems Consortium</span>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt </p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</div>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</div>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<div class="navfooter">
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<hr>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<table width="100%" summary="Navigation footer">
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<tr>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<td width="40%" align="left">
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</td>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</tr>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<tr>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<td width="40%" align="left" valign="top">
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<span class="application">dnssec-importkey</span>&nbsp;</td>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-keygen</span>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</td>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</tr>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</table>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</div>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</body>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt</html>
1b2a4ce2b112ec91b0f13c411144e721c7952914Evan Hunt