5d92fff82718cd018f0b61a10b9ad4d2b8064c95rpluem<!--
bf52162f2d05c1fb1a107c7ef108de73f739b3edpquerna - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
9c67ffea79ab184351b5d554b57814e13285e758jim - Copyright (C) 2000-2003 Internet Software Consortium.
9c67ffea79ab184351b5d554b57814e13285e758jim -
6ec154950417d0b32082f6590ffa3acc3e0c3d49sf - Permission to use, copy, modify, and/or distribute this software for any
6ec154950417d0b32082f6590ffa3acc3e0c3d49sf - purpose with or without fee is hereby granted, provided that the above
6ec154950417d0b32082f6590ffa3acc3e0c3d49sf - copyright notice and this permission notice appear in all copies.
6ec154950417d0b32082f6590ffa3acc3e0c3d49sf -
b38e1e2f118f67818f88faee827f4b3a2881e908sf - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
b38e1e2f118f67818f88faee827f4b3a2881e908sf - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
b38e1e2f118f67818f88faee827f4b3a2881e908sf - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
33e53d7c6aa5d004d96ea11d7f3ca35b30e82544trawick - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
33e53d7c6aa5d004d96ea11d7f3ca35b30e82544trawick - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
20e0c71be778348516719e1e58a9f55c8e78c570trawick - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
027f7b141f164258b254c38319d06452b25d7660trawick - PERFORMANCE OF THIS SOFTWARE.
027f7b141f164258b254c38319d06452b25d7660trawick-->
977c4527be5a21182f24fc22a40a79d576a52f86trawick<!-- $Id$ -->
977c4527be5a21182f24fc22a40a79d576a52f86trawick<html>
977c4527be5a21182f24fc22a40a79d576a52f86trawick<head>
7fef9f66804ea10d5bf343cdd3d607465e8340cajim<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
7fef9f66804ea10d5bf343cdd3d607465e8340cajim<title>dnssec-keyfromlabel</title>
7fef9f66804ea10d5bf343cdd3d607465e8340cajim<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
3770ed746d69c7a4111cba9966169bd5d7a509a6poirier<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
3770ed746d69c7a4111cba9966169bd5d7a509a6poirier<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
3770ed746d69c7a4111cba9966169bd5d7a509a6poirier<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
3770ed746d69c7a4111cba9966169bd5d7a509a6poirier<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
3770ed746d69c7a4111cba9966169bd5d7a509a6poirier</head>
7bd92b29516bc4bf7351d35aa447dbe68f1e8bb4jorton<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
9c67ffea79ab184351b5d554b57814e13285e758jim<div class="refentry" lang="en">
8f066564bfc0fd6ddc6ca4b2f2410615554597d1jim<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
8f066564bfc0fd6ddc6ca4b2f2410615554597d1jim<div class="refnamediv">
4acc1efe19ac2e6f2df0abb4d5bf99bd8ae3c5c6jim<h2>Name</h2>
4acc1efe19ac2e6f2df0abb4d5bf99bd8ae3c5c6jim<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
4acc1efe19ac2e6f2df0abb4d5bf99bd8ae3c5c6jim</div>
29ecbd9db1622e74964264d078336f7604d65093jim<div class="refsynopsisdiv">
29ecbd9db1622e74964264d078336f7604d65093jim<h2>Synopsis</h2>
29ecbd9db1622e74964264d078336f7604d65093jim<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
a503caacf7ab36d5bc42cb7c78256e1221642656jim</div>
a503caacf7ab36d5bc42cb7c78256e1221642656jim<div class="refsect1" lang="en">
da40dfabefd6f8eb8450e9a097c594ee2ab13e3eminfrin<a name="id2620142"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 generates a pair of key files that reference a key object stored
 in a cryptographic hardware security module (HSM). The private key
 file can be used for DNSSEC signing of zone data as if it were a
 conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
 but the key material itself is stored within the HSM (the on-disk
 private file only refers to it), and the actual signing takes
 place there.
 </p>
8602c898d4e06a7e7b9d6b7cf4b172a8e7310987sf<p>
8602c898d4e06a7e7b9d6b7cf4b172a8e7310987sf The <code class="option">name</code> of the key is specified on the command
8602c898d4e06a7e7b9d6b7cf4b172a8e7310987sf line. This must match the name of the zone for which the key is
8602c898d4e06a7e7b9d6b7cf4b172a8e7310987sf being generated.
4acc1efe19ac2e6f2df0abb4d5bf99bd8ae3c5c6jim </p>
4acc1efe19ac2e6f2df0abb4d5bf99bd8ae3c5c6jim</div>
4acc1efe19ac2e6f2df0abb4d5bf99bd8ae3c5c6jim<div class="refsect1" lang="en">
4acc1efe19ac2e6f2df0abb4d5bf99bd8ae3c5c6jim<a name="id2620168"></a><h2>OPTIONS</h2>
4acc1efe19ac2e6f2df0abb4d5bf99bd8ae3c5c6jim<div class="variablelist"><dl>
4acc1efe19ac2e6f2df0abb4d5bf99bd8ae3c5c6jim<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
3e2582713ed6883683272fbc628a27419d0ed543minfrin<dd>
3e2582713ed6883683272fbc628a27419d0ed543minfrin<p>
3e2582713ed6883683272fbc628a27419d0ed543minfrin Selects the cryptographic algorithm. The value of
3e2582713ed6883683272fbc628a27419d0ed543minfrin <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
2c132b1e3610da2fb9e6b3594a313efa3ff29e22minfrin DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
2c132b1e3610da2fb9e6b3594a313efa3ff29e22minfrin ECDSAP256SHA256 or ECDSAP384SHA384.
2c132b1e3610da2fb9e6b3594a313efa3ff29e22minfrin These values are case insensitive.
a46801e6532423aa7bd184471eb49158d7c9ae62sf </p>
a46801e6532423aa7bd184471eb49158d7c9ae62sf<p>
a46801e6532423aa7bd184471eb49158d7c9ae62sf If no algorithm is specified, then RSASHA1 will be used by
808a26d70f28498b9d7252a70d9fb23def781901minfrin default, unless the <code class="option">-3</code> option is specified,
808a26d70f28498b9d7252a70d9fb23def781901minfrin in which case NSEC3RSASHA1 will be used instead. (If
ef12246b88300687bf1faaf56d115dd8d8d82761jorton <code class="option">-3</code> is used and an algorithm is specified,
6f9bf764bc79571d1da19dfbbd78527fca278a8eminfrin that algorithm will be checked for compatibility with NSEC3.)
6f9bf764bc79571d1da19dfbbd78527fca278a8eminfrin </p>
6f9bf764bc79571d1da19dfbbd78527fca278a8eminfrin<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. Algorithm recommendations
 change over time; consult the current DNSSEC algorithm
 specifications before choosing one for a new key.
 </p>
7d59a9f282af9dce031b61062a0d941641101237rpluem<p>
e63e8b4b886d2144fed7946d0fbe8d27386be2dcjorton Note 2: DH automatically sets the -k flag.
e63e8b4b886d2144fed7946d0fbe8d27386be2dcjorton </p>
e63e8b4b886d2144fed7946d0fbe8d27386be2dcjorton</dd>
223c64b836fbc2bc8611da9604379dfe13f56abasf<dt><span class="term">-3</span></dt>
223c64b836fbc2bc8611da9604379dfe13f56abasf<dd><p>
223c64b836fbc2bc8611da9604379dfe13f56abasf Use an NSEC3-capable algorithm to generate a DNSSEC key.
bf507cc1e6ad55303c3d436c6ca153f46c788be6sf If this option is used and no algorithm is explicitly
bf507cc1e6ad55303c3d436c6ca153f46c788be6sf set on the command line, NSEC3RSASHA1 will be used by
bf507cc1e6ad55303c3d436c6ca153f46c788be6sf default.
bf507cc1e6ad55303c3d436c6ca153f46c788be6sf </p></dd>
93cf7fc650197b941ae31a7c7e51e901b129e954igalic<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
93cf7fc650197b941ae31a7c7e51e901b129e954igalic<dd>
93cf7fc650197b941ae31a7c7e51e901b129e954igalic<p>
a1b1c78faf7969affb320f5c8eb270ffa21314c4rjung Specifies the cryptographic hardware to use.
a1b1c78faf7969affb320f5c8eb270ffa21314c4rjung </p>
a1b1c78faf7969affb320f5c8eb270ffa21314c4rjung<p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware security
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 </p>
8d6b3720340d0bd7f8d25e2a8563527e97a48df8jorton</dd>
48e4b65042d94992c50f1db6c0b0cdbd99ca77e8sf<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
48e4b65042d94992c50f1db6c0b0cdbd99ca77e8sf<dd>
48e4b65042d94992c50f1db6c0b0cdbd99ca77e8sf<p>
48e4b65042d94992c50f1db6c0b0cdbd99ca77e8sf Specifies the label for a key pair in the crypto hardware.
48e4b65042d94992c50f1db6c0b0cdbd99ca77e8sf </p>
48e4b65042d94992c50f1db6c0b0cdbd99ca77e8sf<p>
47ae8ca3c79d279b2e5424d6b8cf5e4e61ea968fjim When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
47ae8ca3c79d279b2e5424d6b8cf5e4e61ea968fjim PKCS#11 support, the label is an arbitrary string that
47ae8ca3c79d279b2e5424d6b8cf5e4e61ea968fjim identifies a particular key. It may be preceded by an
47ae8ca3c79d279b2e5424d6b8cf5e4e61ea968fjim optional OpenSSL engine name, followed by a colon, as in
47ae8ca3c79d279b2e5424d6b8cf5e4e61ea968fjim "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
397df70abe0bdd78a84fb6c38c02641bcfeadceasf </p>
397df70abe0bdd78a84fb6c38c02641bcfeadceasf<p>
397df70abe0bdd78a84fb6c38c02641bcfeadceasf When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
9b5fe1d4ec48643fb819bbce9dc80f93f444fb48sf support, the label is a PKCS#11 URI string in the format
9b5fe1d4ec48643fb819bbce9dc80f93f444fb48sf "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
9b5fe1d4ec48643fb819bbce9dc80f93f444fb48sf Keywords include "token", which identifies the HSM; "object", which
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf identifies the key; and "pin-source", which identifies a file from
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf which the HSM's PIN code can be obtained. The label will be
dd9f60fdfeb73f829fe0b260b7975b4b22be0838sf stored in the on-disk "private" file.
135e1d6a301398168e3b2e5125508828591e1673niq </p>
135e1d6a301398168e3b2e5125508828591e1673niq<p>
<p>
 If the label contains a
 <code class="option">pin-source</code> field, tools using the generated
 key files will be able to use the HSM for signing and other
 operations without any need for an operator to manually enter
 a PIN. Note: making the HSM's PIN accessible in this manner
 may reduce the security advantage of using an HSM, since anyone
 who can read the PIN file (and the "private" file that names it)
 and reach the HSM can sign with the key. If you use this feature,
 restrict the permissions on the PIN file at least as tightly as
 on the "private" file itself, and be sure this is what you want
 to do before making use of it.
 </p>
c7de70e936ac1e36c25676fe62e65dbacb947619minfrin</dd>
c7de70e936ac1e36c25676fe62e65dbacb947619minfrin<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
c7de70e936ac1e36c25676fe62e65dbacb947619minfrin<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)), or
 OTHER (DNSKEY). These values are case insensitive.
4203a35c28d7c60adb7e9ef3be87aad34951c79asf </p></dd>
4203a35c28d7c60adb7e9ef3be87aad34951c79asf<dt><span class="term">-C</span></dt>
4203a35c28d7c60adb7e9ef3be87aad34951c79asf<dd><p>
c094add0a23fe1120fd33711ba2e2d084f5629a1sf Compatibility mode: generates an old-style key, without
c094add0a23fe1120fd33711ba2e2d084f5629a1sf any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
c094add0a23fe1120fd33711ba2e2d084f5629a1sf will include the key's creation date in the metadata stored
12b26f433fd7d6fc9f76413d7c2cabf4fa5cb300sf with the private key, and other dates may be set there as well
12b26f433fd7d6fc9f76413d7c2cabf4fa5cb300sf (publication date, activation date, etc). Keys that include
12b26f433fd7d6fc9f76413d7c2cabf4fa5cb300sf this data may be incompatible with older versions of BIND; the
26f56d4a3c12077d605362e97490e34522fa4814covener <code class="option">-C</code> option suppresses them.
26f56d4a3c12077d605362e97490e34522fa4814covener </p></dd>
26f56d4a3c12077d605362e97490e34522fa4814covener<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
2cef7e294acb5d8b8b5dcb21a55438da0b73f63figalic<dd><p>
2cef7e294acb5d8b8b5dcb21a55438da0b73f63figalic Indicates that the DNS record containing the key should have
2cef7e294acb5d8b8b5dcb21a55438da0b73f63figalic the specified class. If not specified, class IN is used.
2d2de64c25c1519122a76150a7daf2c05f53fd9asf </p></dd>
2d2de64c25c1519122a76150a7daf2c05f53fd9asf<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
2d2de64c25c1519122a76150a7daf2c05f53fd9asf<dd><p>
2d2de64c25c1519122a76150a7daf2c05f53fd9asf Set the specified flag in the flag field of the KEY/DNSKEY record.
27c5ebb7d411a214f5b6b55a881086ce086d3dd3covener The only recognized flags are KSK (Key Signing Key) and REVOKE.
27c5ebb7d411a214f5b6b55a881086ce086d3dd3covener </p></dd>
27c5ebb7d411a214f5b6b55a881086ce086d3dd3covener<dt><span class="term">-G</span></dt>
27c5ebb7d411a214f5b6b55a881086ce086d3dd3covener<dd><p>
7697b1b7376a532163c621e050b70c90dcb15d66covener Generate a key, but do not publish it or sign with it. This
7697b1b7376a532163c621e050b70c90dcb15d66covener option is incompatible with -P and -A.
7697b1b7376a532163c621e050b70c90dcb15d66covener </p></dd>
7697b1b7376a532163c621e050b70c90dcb15d66covener<dt><span class="term">-h</span></dt>
7697b1b7376a532163c621e050b70c90dcb15d66covener<dd><p>
9e0536cd66a389bdaa758a825b8bbd8fea665a3eigalic Prints a short summary of the options and arguments to
9e0536cd66a389bdaa758a825b8bbd8fea665a3eigalic <span><strong class="command">dnssec-keyfromlabel</strong></span>.
9e0536cd66a389bdaa758a825b8bbd8fea665a3eigalic </p></dd>
862bbb262644e8aefae1bf352552b01908ecae0eminfrin<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
862bbb262644e8aefae1bf352552b01908ecae0eminfrin<dd><p>
862bbb262644e8aefae1bf352552b01908ecae0eminfrin Sets the directory in which the key files are to be written.
dd3b88790af9d18429c732ca7bc83ec4ef43d3ffrpluem </p></dd>
dd3b88790af9d18429c732ca7bc83ec4ef43d3ffrpluem<dt><span class="term">-k</span></dt>
dd3b88790af9d18429c732ca7bc83ec4ef43d3ffrpluem<dd><p>
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf Generate KEY records rather than DNSKEY records.
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf </p></dd>
5bbabc874e3fcfbea08c199f7a79ee05b4817a70sf<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
8f066564bfc0fd6ddc6ca4b2f2410615554597d1jim<dd><p>
aec9747aa70c1dce98e536e8eef5a6a0ab0f1d6cjim Sets the default TTL to use for this key when it is converted
aec9747aa70c1dce98e536e8eef5a6a0ab0f1d6cjim into a DNSKEY RR. If the key is imported into a zone,
7b7e8ba34e262064914ceedacd5f7d9201b6575ccovener this is the TTL that will be used for it, unless there was
7b7e8ba34e262064914ceedacd5f7d9201b6575ccovener already a DNSKEY RRset in place, in which case the existing TTL
7b7e8ba34e262064914ceedacd5f7d9201b6575ccovener would take precedence. Setting the default TTL to
220bc4233b21982d7c51842a1774db0ba6172ca4covener <code class="literal">0</code> or <code class="literal">none</code> removes it.
220bc4233b21982d7c51842a1774db0ba6172ca4covener </p></dd>
220bc4233b21982d7c51842a1774db0ba6172ca4covener<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
220bc4233b21982d7c51842a1774db0ba6172ca4covener<dd><p>
6f2fbf354b34981f398cf0313aa44702ea2a7066covener Sets the protocol value for the key. The protocol
6f2fbf354b34981f398cf0313aa44702ea2a7066covener is a number between 0 and 255. The default is 3 (DNSSEC).
6f2fbf354b34981f398cf0313aa44702ea2a7066covener Other possible values for this argument are listed in
6f2fbf354b34981f398cf0313aa44702ea2a7066covener RFC 2535 and its successors.
9e7c7a8fa19c33d1e90f8f7ffab69beacbe72566covener </p></dd>
9e7c7a8fa19c33d1e90f8f7ffab69beacbe72566covener<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
9e7c7a8fa19c33d1e90f8f7ffab69beacbe72566covener<dd><p>
9e7c7a8fa19c33d1e90f8f7ffab69beacbe72566covener Generate a key as an explicit successor to an existing key.
a961006b347d6527ccaeab9cf019a4e68d26bfb0covener The name, algorithm, size, and type of the key will be set
a961006b347d6527ccaeab9cf019a4e68d26bfb0covener to match the predecessor. The activation date of the new
a961006b347d6527ccaeab9cf019a4e68d26bfb0covener key will be set to the inactivation date of the existing
e3f43882b4f7ac7d1aa679be4b319cca04fd22eecovener one. The publication date will be set to the activation
e3f43882b4f7ac7d1aa679be4b319cca04fd22eecovener date minus the prepublication interval, which defaults to
e3f43882b4f7ac7d1aa679be4b319cca04fd22eecovener 30 days.
e3f43882b4f7ac7d1aa679be4b319cca04fd22eecovener </p></dd>
8dea7832dea3789fe0b90c434c284bcaad96d40fcovener<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
8dea7832dea3789fe0b90c434c284bcaad96d40fcovener<dd><p>
999661242470e4dc0258982d5f183efc2d157ae7covener Indicates the use of the key. <code class="option">type</code> must be
0bfcc4d046f6735af2f15981fb53e4c0680b4731covener one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
b761a57b4e63006c287823270876ab40d3212160covener is AUTHCONF. AUTH refers to the ability to authenticate
b761a57b4e63006c287823270876ab40d3212160covener data, and CONF the ability to encrypt data.
b761a57b4e63006c287823270876ab40d3212160covener </p></dd>
b761a57b4e63006c287823270876ab40d3212160covener<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
5d92fff82718cd018f0b61a10b9ad4d2b8064c95rpluem<dd><p>
5d92fff82718cd018f0b61a10b9ad4d2b8064c95rpluem Sets the debugging level.
5d92fff82718cd018f0b61a10b9ad4d2b8064c95rpluem </p></dd>
5d92fff82718cd018f0b61a10b9ad4d2b8064c95rpluem<dt><span class="term">-V</span></dt>
01195d035ccef88e72009e9607157d5eddcb6b7drjung<dd><p>
01195d035ccef88e72009e9607157d5eddcb6b7drjung Prints version information.
aec9747aa70c1dce98e536e8eef5a6a0ab0f1d6cjim </p></dd>
84fbf855118f318dd5e511d8e5b902cecc1177c0jim<dt><span class="term">-y</span></dt>
84fbf855118f318dd5e511d8e5b902cecc1177c0jim<dd><p>
0ed19acadd3d3dd593759173d87d2243e97914e2sf Allows DNSSEC key files to be generated even if the key ID
0ed19acadd3d3dd593759173d87d2243e97914e2sf would collide with that of an existing key, in the event of
0ed19acadd3d3dd593759173d87d2243e97914e2sf either key being revoked. (This is only safe to use if you
0ed19acadd3d3dd593759173d87d2243e97914e2sf are sure you won't be using RFC 5011 trust anchor maintenance
041b426f9b15072b59a32f132e6d04173ab3df68covener with either of the keys involved.)
041b426f9b15072b59a32f132e6d04173ab3df68covener </p></dd>
041b426f9b15072b59a32f132e6d04173ab3df68covener</dl></div>
cb838cc4d5fd559efd6c0579a0fcb8f6e5a7af22minfrin</div>
cb838cc4d5fd559efd6c0579a0fcb8f6e5a7af22minfrin<div class="refsect1" lang="en">
cb838cc4d5fd559efd6c0579a0fcb8f6e5a7af22minfrin<a name="id2672041"></a><h2>TIMING OPTIONS</h2>
cb838cc4d5fd559efd6c0579a0fcb8f6e5a7af22minfrin<p>
15ff8c621815e8337abc10638f2b2853ee6fd076minfrin Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
15ff8c621815e8337abc10638f2b2853ee6fd076minfrin If the argument begins with a '+' or '-', it is interpreted as
15ff8c621815e8337abc10638f2b2853ee6fd076minfrin an offset from the present time. For convenience, if such an offset
21ccb6cd9272c9066a8f5bb3e7785f46115289desf is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
21ccb6cd9272c9066a8f5bb3e7785f46115289desf then the offset is computed in years (defined as 365 24-hour days,
21ccb6cd9272c9066a8f5bb3e7785f46115289desf ignoring leap years), months (defined as 30 24-hour days), weeks,
b0ac1e83f8582a9b5a72bff798ffb31a419c8adesf days, hours, or minutes, respectively. Without a suffix, the offset
b0ac1e83f8582a9b5a72bff798ffb31a419c8adesf is computed in seconds. To explicitly prevent a date from being
b0ac1e83f8582a9b5a72bff798ffb31a419c8adesf set, use 'none' or 'never'.
b682e60dd82772dba52ba77138e494f15c00a551trawick </p>
b682e60dd82772dba52ba77138e494f15c00a551trawick<div class="variablelist"><dl>
b682e60dd82772dba52ba77138e494f15c00a551trawick<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
b682e60dd82772dba52ba77138e494f15c00a551trawick<dd><p>
b682e60dd82772dba52ba77138e494f15c00a551trawick Sets the date on which a key is to be published to the zone.
b682e60dd82772dba52ba77138e494f15c00a551trawick After that date, the key will be included in the zone but will
79c754eb51681c3389cd966753e902c429f78939trawick not be used to sign it. If not set, and if the -G option has
79c754eb51681c3389cd966753e902c429f78939trawick not been used, the default is "now".
79c754eb51681c3389cd966753e902c429f78939trawick </p></dd>
8651de219ec5f595af20afdc9da41ce72aaa50d5minfrin<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
8651de219ec5f595af20afdc9da41ce72aaa50d5minfrin<dd><p>
8651de219ec5f595af20afdc9da41ce72aaa50d5minfrin Sets the date on which the key is to be activated. After that
8651de219ec5f595af20afdc9da41ce72aaa50d5minfrin date, the key will be included in the zone and used to sign
8fae12696bce44be9ce4c56888690cad8ac7b8f9sf it. If not set, and if the -G option has not been used, the
8fae12696bce44be9ce4c56888690cad8ac7b8f9sf default is "now".
8fae12696bce44be9ce4c56888690cad8ac7b8f9sf </p></dd>
8fae12696bce44be9ce4c56888690cad8ac7b8f9sf<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
8fae12696bce44be9ce4c56888690cad8ac7b8f9sf<dd><p>
8fae12696bce44be9ce4c56888690cad8ac7b8f9sf Sets the date on which the key is to be revoked. After that
d5612bd28e194390b2c74fcf712d564b0e002684sf date, the key will be flagged as revoked. It will be included
d5612bd28e194390b2c74fcf712d564b0e002684sf in the zone and will be used to sign it.
d5612bd28e194390b2c74fcf712d564b0e002684sf </p></dd>
4ea161d94782fa56f4b36d496f35ff8577c43065covener<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
4ea161d94782fa56f4b36d496f35ff8577c43065covener<dd><p>
4ea161d94782fa56f4b36d496f35ff8577c43065covener Sets the date on which the key is to be retired. After that
b588214d6e6fe09abe709e83e894921fbc7e25c8covener date, the key will still be included in the zone, but it
b588214d6e6fe09abe709e83e894921fbc7e25c8covener will not be used to sign it.
b588214d6e6fe09abe709e83e894921fbc7e25c8covener </p></dd>
c64fc4e9830bb1ffdc3491aef5ed3be5b90c466bcovener<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
c64fc4e9830bb1ffdc3491aef5ed3be5b90c466bcovener<dd><p>
c64fc4e9830bb1ffdc3491aef5ed3be5b90c466bcovener Sets the date on which the key is to be deleted. After that
c64fc4e9830bb1ffdc3491aef5ed3be5b90c466bcovener date, the key will no longer be included in the zone. (It
ae5efbbf49a7ca6d233209a4d011550989e22556covener may remain in the key repository, however.)
ae5efbbf49a7ca6d233209a4d011550989e22556covener </p></dd>
ae5efbbf49a7ca6d233209a4d011550989e22556covener<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
8c2bb916633b1eb3dccf91c776363bbc3a6145decovener<dd>
8c2bb916633b1eb3dccf91c776363bbc3a6145decovener<p>
8c2bb916633b1eb3dccf91c776363bbc3a6145decovener Sets the prepublication interval for a key. If set, then
8c2bb916633b1eb3dccf91c776363bbc3a6145decovener the publication and activation dates must be separated by at least
503bec4c591d28ac6cec7182294cdef2ec6a9829covener this much time. If the activation date is specified but the
503bec4c591d28ac6cec7182294cdef2ec6a9829covener publication date isn't, then the publication date will default
503bec4c591d28ac6cec7182294cdef2ec6a9829covener to this much time before the activation date; conversely, if
503bec4c591d28ac6cec7182294cdef2ec6a9829covener the publication date is specified but activation date isn't,
c00149c3cb27e0381362d07ccf2143574b4f600dsf then activation will be set to this much time after publication.
c00149c3cb27e0381362d07ccf2143574b4f600dsf </p>
c00149c3cb27e0381362d07ccf2143574b4f600dsf<p>
766b0a4793197ccef3dfa202d1fee1e1f929ffa7sf If the key is being created as an explicit successor to another
766b0a4793197ccef3dfa202d1fee1e1f929ffa7sf key, then the default prepublication interval is 30 days;
766b0a4793197ccef3dfa202d1fee1e1f929ffa7sf otherwise it is zero.
97b692bfc8673c8858f03498f81a993ac0c04c01sf </p>
97b692bfc8673c8858f03498f81a993ac0c04c01sf<p>
97b692bfc8673c8858f03498f81a993ac0c04c01sf As with date offsets, if the argument is followed by one of
5e6cf205d2b0c848e15c65dab9711805395a5108minfrin the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
5e6cf205d2b0c848e15c65dab9711805395a5108minfrin interval is measured in years, months, weeks, days, hours,
5e6cf205d2b0c848e15c65dab9711805395a5108minfrin or minutes, respectively. Without a suffix, the interval is
5e6cf205d2b0c848e15c65dab9711805395a5108minfrin measured in seconds.
df419be6d7d4b68823efa05722375552af49c2b6minfrin </p>
df419be6d7d4b68823efa05722375552af49c2b6minfrin</dd>
df419be6d7d4b68823efa05722375552af49c2b6minfrin</dl></div>
df419be6d7d4b68823efa05722375552af49c2b6minfrin</div>
c03e31374e50a227cb554a0f1d4a9056ce80d99asf<div class="refsect1" lang="en">
c03e31374e50a227cb554a0f1d4a9056ce80d99asf<a name="id2672163"></a><h2>GENERATED KEY FILES</h2>
c03e31374e50a227cb554a0f1d4a9056ce80d99asf<p>
40b22d3b20454959fe51fdc89907908d77701078minfrin When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
40b22d3b20454959fe51fdc89907908d77701078minfrin successfully,
40b22d3b20454959fe51fdc89907908d77701078minfrin it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
b4a00883f358625923365ca1560c96edec172a52sf to the standard output. This is an identification string for
b4a00883f358625923365ca1560c96edec172a52sf the key files it has generated.
b4a00883f358625923365ca1560c96edec172a52sf </p>
b4a00883f358625923365ca1560c96edec172a52sf<div class="itemizedlist"><ul type="disc">
0553e62d75ef12d9a6646bb874be1fbf9e4c1dfbsf<li><p><code class="filename">nnnn</code> is the key name.
0553e62d75ef12d9a6646bb874be1fbf9e4c1dfbsf </p></li>
0553e62d75ef12d9a6646bb874be1fbf9e4c1dfbsf<li><p><code class="filename">aaa</code> is the numeric representation
87af9ffc3a42633fe12e11a0ff77bc099ecdca82sf of the algorithm.
f58bb3da705eb7ec926f4883597fc2eb1336a360minfrin </p></li>
f58bb3da705eb7ec926f4883597fc2eb1336a360minfrin<li><p><code class="filename">iiiii</code> is the key identifier (or
f58bb3da705eb7ec926f4883597fc2eb1336a360minfrin footprint).
f58bb3da705eb7ec926f4883597fc2eb1336a360minfrin </p></li>
f58bb3da705eb7ec926f4883597fc2eb1336a360minfrin</ul></div>
be192cefa381d5bae6868034687471754cb43175sf<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
be192cefa381d5bae6868034687471754cb43175sf creates two files, with names based
be192cefa381d5bae6868034687471754cb43175sf on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
be192cefa381d5bae6868034687471754cb43175sf contains the public key, and
f4a0825e91eec135b5e41c697439e9a13014fa2cminfrin <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
f4a0825e91eec135b5e41c697439e9a13014fa2cminfrin private key.
f4a0825e91eec135b5e41c697439e9a13014fa2cminfrin </p>
f4a0825e91eec135b5e41c697439e9a13014fa2cminfrin<p>
 The <code class="filename">.key</code> file contains a DNS DNSKEY
 record (or a KEY record if <code class="option">-k</code> was used)
 that can be inserted into a zone file (directly or with a $INCLUDE
 statement).
 </p>
bbba414c5bbf770e505778265bbe7a4a0e4fbdaaniq<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific fields together with the HSM label (including
 any <code class="option">pin-source</code> path); the private key
 material itself remains in the HSM. This file is nevertheless
 created without general read permission, since anyone who can
 read it can locate the key in the HSM and, if a PIN source is
 configured, sign with it.
 </p>
4aef34911af88f96c5b6d9b71a550a5a97bbc0b6minfrin</div>
4cefc38158672f5de8119886d9754cf0609a9371minfrin<div class="refsect1" lang="en">
4cefc38158672f5de8119886d9754cf0609a9371minfrin<a name="id2672325"></a><h2>SEE ALSO</h2>
4cefc38158672f5de8119886d9754cf0609a9371minfrin<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
4cefc38158672f5de8119886d9754cf0609a9371minfrin <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
4cefc38158672f5de8119886d9754cf0609a9371minfrin <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
11d3c510dca5b5178ad4739ffc1567ef2155bda9minfrin <em class="citetitle">RFC 4034</em>,
11d3c510dca5b5178ad4739ffc1567ef2155bda9minfrin <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
11d3c510dca5b5178ad4739ffc1567ef2155bda9minfrin </p>
d974a1624c0bb4f1c2e8b36fcf8ba1f12284ed8dsf</div>
d974a1624c0bb4f1c2e8b36fcf8ba1f12284ed8dsf<div class="refsect1" lang="en">
d974a1624c0bb4f1c2e8b36fcf8ba1f12284ed8dsf<a name="id2672362"></a><h2>AUTHOR</h2>
1a8c329935111a5059363efe927d631371b78414minfrin<p><span class="corpauthor">Internet Systems Consortium</span>
1a8c329935111a5059363efe927d631371b78414minfrin </p>
fac37c9794a18c24d187f4e0f97a9476c4344118minfrin</div>
fac37c9794a18c24d187f4e0f97a9476c4344118minfrin</div>
9db0b0ee6ffade769db57b37a06b3f4849b5d367minfrin</body>
9db0b0ee6ffade769db57b37a06b3f4849b5d367minfrin</html>
9db0b0ee6ffade769db57b37a06b3f4849b5d367minfrin