man.dnssec-keyfromlabel.html revision 731cc132f22dbc9e0ecd7035dce314a61076d31b
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - Copyright (C) 2000-2003 Internet Software Consortium.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - Permission to use, copy, modify, and distribute this software for any
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - purpose with or without fee is hereby granted, provided that the above
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - copyright notice and this permission notice appear in all copies.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater<!-- $Id: man.dnssec-keyfromlabel.html,v 1.18 2008/09/25 04:45:05 tbox Exp $ -->
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<link rel="prev" href="man.host.html" title="host">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<table width="100%" summary="Navigation header">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<a accesskey="p" href="man.host.html">Prev</a>�</td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<th width="60%" align="center">Manual pages</th>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater<a name="id2602398"></a><h2>DESCRIPTION</h2>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont gets keys with the given label from a crypto hardware and builds
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont key files for DNSSEC (Secure DNS), as defined in RFC 2535
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater Selects the cryptographic algorithm. The value of
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater <code class="option">algorithm</code> must be one of RSAMD5 (RSA)
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman).
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater These values are case insensitive.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater algorithm, and DSA is recommended.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Note 2: DH automatically sets the -k flag.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Specifies the label of keys in the crypto hardware
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont (PKCS#11 device).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Specifies the owner type of the key. The value of
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="option">nametype</code> must either be ZONE (for a DNSSEC
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont a host (KEY)),
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont These values are
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont case insensitive.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Indicates that the DNS record containing the key should have
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the specified class. If not specified, class IN is used.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Set the specified flag in the flag field of the KEY/DNSKEY record.
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater The only recognized flag is KSK (Key Signing Key) DNSKEY.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Prints a short summary of the options and arguments to
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <span><strong class="command">dnssec-keygen</strong></span>.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Generate KEY records rather than DNSKEY records.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the protocol value for the generated key. The protocol
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is a number between 0 and 255. The default is 3 (DNSSEC).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Other possible values for this argument are listed in
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont RFC 2535 and its successors.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Indicates the use of the key. <code class="option">type</code> must be
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is AUTHCONF. AUTH refers to the ability to authenticate
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont data, and CONF the ability to encrypt data.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the debugging level.
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater<a name="id2602677"></a><h2>GENERATED KEY FILES</h2>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont successfully,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont to the standard output. This is an identification string for
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the key files it has generated.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<li><p><code class="filename">nnnn</code> is the key name.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<li><p><code class="filename">aaa</code> is the numeric representation
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<li><p><code class="filename">iiiii</code> is the key identifier (or
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont creates two files, with names based
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont contains the public key, and
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The <code class="filename">.key</code> file contains a DNS KEY record
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont can be inserted into a zone file (directly or with a $INCLUDE
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The <code class="filename">.private</code> file contains algorithm
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont fields. For obvious security reasons, this file does not have
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont general read permission.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span class="corpauthor">Internet Systems Consortium</span>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<table width="100%" summary="Navigation footer">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<a accesskey="p" href="man.host.html">Prev</a>�</td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="40%" align="left" valign="top">host�</td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="40%" align="right" valign="top">�<span class="application">dnssec-keygen</span>