man.dnssec-keyfromlabel.html revision bbbf2e27d3a981163dab139497d6b2dc85449db0
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 gets keys with the given label from cryptographic hardware and builds
 key files for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034.
 The <code class="option">name</code> of the key is specified on the command
 line. This must match the name of the zone for which the key is
 being generated.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256 or ECDSAP384SHA384.
 These values are case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
 Note 2: DH automatically sets the -k flag.
<dt><span class="term">-3</span></dt>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 Specifies the cryptographic hardware to use.
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
 Specifies the label for a key pair in the crypto hardware.
 When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
 PKCS#11 support, the label is an arbitrary string that
 identifies a particular key. It may be preceded by an
 optional OpenSSL engine name, followed by a colon, as in
 "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
 When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
 support, the label is a PKCS#11 URI string in the format
 "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
 Keywords include "token", which identifies the HSM; "object", which
 identifies the key; and "pin-source", which identifies a file from
 which the HSM's PIN code can be obtained. The label will be
 stored in the on-disk "private" file.
 If the label contains a
 <code class="option">pin-source</code> field, tools using the generated
 key files will be able to use the HSM for signing and other
 operations without any need for an operator to manually enter
 a PIN. Note: Making the HSM's PIN accessible in this manner
 may reduce the security advantage of using an HSM; be sure
 this is what you want to do before making use of this feature.
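Added example, not code from BIND: a small Python parser for the two -l label forms described above (the OpenSSL-engine "engine:keylabel" form and the native PKCS#11 "pkcs11:keyword=value;..." form) that also reports whether a pin-source attribute would place the PIN file path into the on-disk private file. The rule that a URI must carry an "object" keyword, and the sample labels, are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# Keywords the man page names for the native PKCS#11 URI form of -l.
KNOWN_KEYWORDS = {"token", "object", "pin-source"}


@dataclass
class KeyLabel:
    style: str                       # "uri" (native PKCS#11) or "engine" (OpenSSL engine)
    engine: Optional[str] = None     # OpenSSL engine name, e.g. "pkcs11" (engine style)
    keylabel: Optional[str] = None   # free-form key label (engine style)
    attrs: Dict[str, str] = field(default_factory=dict)  # keyword=value pairs (uri style)

    def pin_on_disk(self) -> bool:
        """True when the label carries pin-source: the label, and so the PIN file
        path, is written into the .private file, so any reader of that file can
        drive the HSM without an operator typing the PIN."""
        return "pin-source" in self.attrs


def parse_label(label: str) -> KeyLabel:
    """Parse a -l argument in either form the man page describes."""
    if label.startswith("pkcs11:") and "=" in label:
        # Native PKCS#11 form: pkcs11:keyword=value[;keyword=value;...]
        attrs: Dict[str, str] = {}
        for part in label[len("pkcs11:"):].split(";"):
            if not part:
                continue  # tolerate a trailing ';'
            if "=" not in part:
                raise ValueError(f"malformed attribute {part!r}")
            key, value = part.split("=", 1)
            if key not in KNOWN_KEYWORDS:
                raise ValueError(f"unknown keyword {key!r}")
            if key in attrs:
                raise ValueError(f"duplicate keyword {key!r}")
            attrs[key] = value
        if "object" not in attrs:
            # Assumption of this example: a URI that names no key is rejected.
            raise ValueError("PKCS#11 URI must identify the key with 'object'")
        return KeyLabel(style="uri", attrs=attrs)
    # OpenSSL-engine form: [engine:]keylabel, no keyword=value pairs
    engine, sep, keylabel = label.partition(":")
    if not sep:
        return KeyLabel(style="engine", keylabel=label)
    return KeyLabel(style="engine", engine=engine, keylabel=keylabel)


if __name__ == "__main__":  # constructed sample labels, not values from the page
    for sample in ("pkcs11:example-ksk", "pkcs11:token=hsm1;object=example-ksk;pin-source=/etc/hsm.pin"):
        parsed = parse_label(sample)
        print(sample, "->", parsed.style, "| PIN path on disk:", parsed.pin_on_disk())
```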
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive.
<dt><span class="term">-C</span></dt>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc.). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
<dt><span class="term">-G</span></dt>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keyfromlabel</strong></span>.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
 Generate KEY records rather than DNSKEY records.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate