a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<!--
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - Copyright (C) 2000-2003 Internet Software Consortium.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync -
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - Permission to use, copy, modify, and/or distribute this software for any
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - purpose with or without fee is hereby granted, provided that the above
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - copyright notice and this permission notice appear in all copies.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync -
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync - PERFORMANCE OF THIS SOFTWARE.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync-->
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<!-- $Id: man.dnssec-keyfromlabel.html,v 1.114 2011/03/18 01:14:34 tbox Exp $ -->
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<html>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<head>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<title>dnssec-keyfromlabel</title>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</head>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="refentry" lang="en">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="refnamediv">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<h2>Name</h2>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="refsynopsisdiv">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<h2>Synopsis</h2>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="refsect1" lang="en">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<a name="id2612199"></a><h2>DESCRIPTION</h2>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync gets keys with the given label from a crypto hardware device and builds
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync key files for DNSSEC (Secure DNS), as defined in RFC 2535
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync and RFC 4034.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync The <code class="option">name</code> of the key is specified on the command
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync line. This must match the name of the zone for which the key is
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync being generated.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="refsect1" lang="en">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<a name="id2612219"></a><h2>OPTIONS</h2>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="variablelist"><dl>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Selects the cryptographic algorithm. The value of
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync These values are case insensitive.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync If no algorithm is specified, then RSASHA1 will be used by
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync default, unless the <code class="option">-3</code> option is specified,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync in which case NSEC3RSASHA1 will be used instead. (If
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync <code class="option">-3</code> is used and an algorithm is specified,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync that algorithm will be checked for compatibility with NSEC3.)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p>
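a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync algorithm, and DSA is recommended. Later guidance (RFC 8624) states
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync that RSAMD5 and DSA must not be used for signing and that RSASHA1 is
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync not recommended, so prefer RSASHA256 for new keys where the crypto
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync hardware supports it.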
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Note 2: DH automatically sets the -k flag.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-3</span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Use an NSEC3-capable algorithm to generate a DNSSEC key.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync If this option is used and no algorithm is explicitly
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync set on the command line, NSEC3RSASHA1 will be used by
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync default.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Specifies the name of the crypto hardware (OpenSSL engine).
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync When compiled with PKCS#11 support it defaults to "pkcs11".
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Specifies the label of the key pair in the crypto hardware.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync The label may be preceded by an optional OpenSSL engine name,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync separated by a colon, as in "pkcs11:keylabel".
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Specifies the owner type of the key. The value of
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync a host (KEY)),
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync These values are case insensitive.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-C</span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Compatibility mode: generates an old-style key, without
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync will include the key's creation date in the metadata stored
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync with the private key, and other dates may be set there as well
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync (publication date, activation date, etc). Keys that include
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync this data may be incompatible with older versions of BIND; the
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync <code class="option">-C</code> option suppresses this metadata.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Indicates that the DNS record containing the key should have
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync the specified class. If not specified, class IN is used.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Set the specified flag in the flag field of the KEY/DNSKEY record.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync The only recognized flags are KSK (Key Signing Key) and REVOKE.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-G</span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Generate a key, but do not publish it or sign with it. This
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync option is incompatible with -P and -A.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-h</span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Prints a short summary of the options and arguments to
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync <span><strong class="command">dnssec-keyfromlabel</strong></span>.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Sets the directory in which the key files are to be written.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-k</span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Generate KEY records rather than DNSKEY records.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Sets the default TTL to use for this key when it is converted
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync into a DNSKEY RR. If the key is imported into a zone,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync this is the TTL that will be used for it, unless there was
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync already a DNSKEY RRset in place, in which case the existing TTL
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync would take precedence. Setting the default TTL to
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync <code class="literal">0</code> or <code class="literal">none</code> removes it.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Sets the protocol value for the key. The protocol
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync is a number between 0 and 255. The default is 3 (DNSSEC).
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Other possible values for this argument are listed in
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync RFC 2535 and its successors.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Indicates the use of the key. <code class="option">type</code> must be
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync is AUTHCONF. AUTH refers to the ability to authenticate
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync data, and CONF the ability to encrypt data.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Sets the debugging level.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-y</span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Allows DNSSEC key files to be generated even if the key ID
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync would collide with that of an existing key, in the event of
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync either key being revoked. (This is only safe to use if you
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync are sure you won't be using RFC 5011 trust anchor maintenance
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync with either of the keys involved.)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</dl></div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="refsect1" lang="en">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<a name="id2613366"></a><h2>TIMING OPTIONS</h2>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync If the argument begins with a '+' or '-', it is interpreted as
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync an offset from the present time. For convenience, if such an offset
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync then the offset is computed in years (defined as 365 24-hour days,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync ignoring leap years), months (defined as 30 24-hour days), weeks,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync days, hours, or minutes, respectively. Without a suffix, the offset
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync is computed in seconds.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="variablelist"><dl>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Sets the date on which a key is to be published to the zone.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync After that date, the key will be included in the zone but will
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync not be used to sign it. If not set, and if the -G option has
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync not been used, the default is "now".
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Sets the date on which the key is to be activated. After that
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync date, the key will be included in the zone and used to sign
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync it. If not set, and if the -G option has not been used, the
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync default is "now".
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Sets the date on which the key is to be revoked. After that
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync date, the key will be flagged as revoked. It will be included
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync in the zone and will be used to sign it.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Sets the date on which the key is to be retired. After that
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync date, the key will still be included in the zone, but it
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync will not be used to sign it.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<dd><p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync Sets the date on which the key is to be deleted. After that
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync date, the key will no longer be included in the zone. (It
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync may remain in the key repository, however.)
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></dd>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</dl></div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="refsect1" lang="en">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<a name="id2666371"></a><h2>GENERATED KEY FILES</h2>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync successfully,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync to the standard output. This is an identification string for
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync the key files it has generated.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="itemizedlist"><ul type="disc">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<li><p><code class="filename">nnnn</code> is the key name.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></li>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<li><p><code class="filename">aaa</code> is the numeric representation
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync of the algorithm.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></li>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<li><p><code class="filename">iiiii</code> is the key identifier (or
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync footprint).
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p></li>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</ul></div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync creates two files, with names based
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync contains the public key, and
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync private key.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync The <code class="filename">.key</code> file contains a DNS KEY record
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync that
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync can be inserted into a zone file (directly or with a $INCLUDE
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync statement).
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync The <code class="filename">.private</code> file contains
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync algorithm-specific
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync fields. For obvious security reasons, this file does not have
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync general read permission.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="refsect1" lang="en">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<a name="id2666465"></a><h2>SEE ALSO</h2>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync <em class="citetitle">RFC 4034</em>.
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<div class="refsect1" lang="en">
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<a name="id2666498"></a><h2>AUTHOR</h2>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync<p><span class="corpauthor">Internet Systems Consortium</span>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync </p>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</div>
a734c64bff58bda2fa48c2795453e092167b0ff7vboxsync</div>
</body>
</html>