man.dnssec-keyfromlabel.html revision a3416b0a1b5482b6df32839445ca98c016945570
fdd80e9a55c70b36a3bf3e409b86897301c44ff8Automatic Updater - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - Copyright (C) 2000-2003 Internet Software Consortium.
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - purpose with or without fee is hereby granted, provided that the above
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - copyright notice and this permission notice appear in all copies.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater<!-- $Id: man.dnssec-keyfromlabel.html,v 1.86 2010/01/20 01:14:19 tbox Exp $ -->
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
922312472e2e05ebc64993d465999c5351b83036Automatic Updater<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<table width="100%" summary="Navigation header">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>�</td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<th width="60%" align="center">Manual pages</th>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater<a name="id2607088"></a><h2>DESCRIPTION</h2>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont gets keys with the given label from a crypto hardware and builds
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont key files for DNSSEC (Secure DNS), as defined in RFC 2535
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The <code class="option">name</code> of the key is specified on the command
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater line. This must match the name of the zone for which the key is
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater being generated.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater Selects the cryptographic algorithm. The value of
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater These values are case insensitive.
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater If no algorithm is specified, then RSASHA1 will be used by
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater default, unless the <code class="option">-3</code> option is specified,
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater in which case NSEC3RSASHA1 will be used instead. (If
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater <code class="option">-3</code> is used and an algorithm is specified,
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater that algorithm will be checked for compatibility with NSEC3.)
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater algorithm, and DSA is recommended.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Note 2: DH automatically sets the -k flag.
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater Use an NSEC3-capable algorithm to generate a DNSSEC key.
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater If this option is used and no algorithm is explicitly
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater set on the command line, NSEC3RSASHA1 will be used by
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater Specifies the name of the crypto hardware (OpenSSL engine).
64affc54f96a2c71cbd10ed71e246ce0746259aaAutomatic Updater When compiled with PKCS#11 support it defaults to "pkcs11".
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater Specifies the label of the key pair in the crypto hardware.
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater The label may be preceded by an optional OpenSSL engine name,
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater separated by a colon, as in "pkcs11:keylabel".
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Specifies the owner type of the key. The value of
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="option">nametype</code> must either be ZONE (for a DNSSEC
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont a host (KEY)),
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater These values are case insensitive.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Compatibility mode: generates an old-style key, without
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater will include the key's creation date in the metadata stored
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater with the private key, and other dates may be set there as well
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater (publication date, activation date, etc). Keys that include
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater this data may be incompatible with older versions of BIND; the
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <code class="option">-C</code> option suppresses them.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Indicates that the DNS record containing the key should have
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the specified class. If not specified, class IN is used.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Set the specified flag in the flag field of the KEY/DNSKEY record.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The only recognized flags are KSK (Key Signing Key) and REVOKE.
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater Generate a key, but do not publish it or sign with it. This
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater option is incompatible with -P and -A.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Prints a short summary of the options and arguments to
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater <span><strong class="command">dnssec-keyfromlabel</strong></span>.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Sets the directory in which the key files are to be written.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Generate KEY records rather than DNSKEY records.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the protocol value for the key. The protocol
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is a number between 0 and 255. The default is 3 (DNSSEC).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Other possible values for this argument are listed in
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont RFC 2535 and its successors.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Indicates the use of the key. <code class="option">type</code> must be
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is AUTHCONF. AUTH refers to the ability to authenticate
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont data, and CONF the ability to encrypt data.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the debugging level.
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater Allows DNSSEC key files to be generated even if the key ID
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater would collide with that of an existing key, in the event of
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater either key being revoked. (This is only safe to use if you
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater are sure you won't be using RFC 5011 trust anchor maintenance
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater with either of the keys involved.)
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater<a name="id2607749"></a><h2>TIMING OPTIONS</h2>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater If the argument begins with a '+' or '-', it is interpreted as
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater an offset from the present time. For convenience, if such an offset
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater then the offset is computed in years (defined as 365 24-hour days,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater ignoring leap years), months (defined as 30 24-hour days), weeks,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater days, hours, or minutes, respectively. Without a suffix, the offset
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater is computed in seconds.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which a key is to be published to the zone.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater After that date, the key will be included in the zone but will
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater not be used to sign it. If not set, and if the -G option has
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater not been used, the default is "now".
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which the key is to be activated. After that
5a24d24c8fba3480d707c0c902379ddb36501e12Automatic Updater date, the key will be included in the zone and used to sign
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater it. If not set, and if the -G option has not been used, the
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater default is "now".
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which the key is to be revoked. After that
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater date, the key will be flagged as revoked. It will be included
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater in the zone and will be used to sign it.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-U <em class="replaceable"><code>date/offset</code></em></span></dt>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater Sets the date on which the key is to be retired. After that
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater date, the key will still be included in the zone, but it
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater will not be used to sign it.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which the key is to be deleted. After that
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater date, the key will no longer be included in the zone. (It
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater may remain in the key repository, however.)
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater<a name="id2610032"></a><h2>GENERATED KEY FILES</h2>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont successfully,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont to the standard output. This is an identification string for
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the key files it has generated.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<li><p><code class="filename">nnnn</code> is the key name.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<li><p><code class="filename">aaa</code> is the numeric representation
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater of the algorithm.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<li><p><code class="filename">iiiii</code> is the key identifier (or
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont creates two files, with names based
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont contains the public key, and
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The <code class="filename">.key</code> file contains a DNS KEY record
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont can be inserted into a zone file (directly or with a $INCLUDE
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The <code class="filename">.private</code> file contains
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater algorithm-specific
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont fields. For obvious security reasons, this file does not have
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont general read permission.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span class="corpauthor">Internet Systems Consortium</span>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<table width="100%" summary="Navigation footer">
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>�</td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
922312472e2e05ebc64993d465999c5351b83036Automatic Updater<span class="application">dnssec-dsfromkey</span>�</td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="40%" align="right" valign="top">�<span class="application">dnssec-keygen</span>