man.dnssec-keyfromlabel.html revision c2258eedf2d9d0207b45b90014f8fde5413b41a3
08cb74ca432a8c24e39f17dedce527e6a47b8001jerenkrantz<!--
08cb74ca432a8c24e39f17dedce527e6a47b8001jerenkrantz - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb -
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - This Source Code Form is subject to the terms of the Mozilla Public
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - License, v. 2.0. If a copy of the MPL was not distributed with this
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - file, You can obtain one at http://mozilla.org/MPL/2.0/.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb-->
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd<html>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<head>
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd<title>dnssec-keyfromlabel</title>
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</head>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="navheader">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<table width="100%" summary="Navigation header">
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<tr>
a2b181763cb35fd899feb4a436aeadaa80bf91eabrianp<td width="20%" align="left">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<th width="60%" align="center">Manual pages</th>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</td>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</tr>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</table>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<hr>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="refentry">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="refnamediv">
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<h2>Name</h2>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</div>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<div class="refsynopsisdiv">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<h2>Synopsis</h2>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="refsection">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<a name="id-1.14.10.7"></a><h2>DESCRIPTION</h2>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb generates a key pair of files that reference a key object stored
7b4c4bb891261e613de39a021d7554fd08132fc5rbb in a cryptographic hardware service module (HSM). The private key
7b4c4bb891261e613de39a021d7554fd08132fc5rbb file can be used for DNSSEC signing of zone data as if it were a
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
b900452c9c36031434d318880f023c0fb9143325rbb but the key material is stored within the HSM, and the actual signing
e6cc28a5eb3371ba0c38e941855e71ff0054f50erbb takes place there.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
c2549f0b237ac86f3623a601a766969d805dbc2and<p>
c2549f0b237ac86f3623a601a766969d805dbc2and The <code class="option">name</code> of the key is specified on the command
98e28ee4e3e3972abeb1bfd509c0e79c54c871f6nd line. This must match the name of the zone for which the key is
98e28ee4e3e3972abeb1bfd509c0e79c54c871f6nd being generated.
98e28ee4e3e3972abeb1bfd509c0e79c54c871f6nd </p>
98e28ee4e3e3972abeb1bfd509c0e79c54c871f6nd</div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="refsection">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<a name="id-1.14.10.8"></a><h2>OPTIONS</h2>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="variablelist"><dl class="variablelist">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dd>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
97789c9dcc4cc724c9b80fb9b428d128c58e3e0and Selects the cryptographic algorithm. The value of
97789c9dcc4cc724c9b80fb9b428d128c58e3e0and <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
97789c9dcc4cc724c9b80fb9b428d128c58e3e0and DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
97789c9dcc4cc724c9b80fb9b428d128c58e3e0and ECDSAP256SHA256 or ECDSAP384SHA384.
97789c9dcc4cc724c9b80fb9b428d128c58e3e0and These values are case insensitive.
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein </p>
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein<p>
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein If no algorithm is specified, then RSASHA1 will be used by
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein default, unless the <code class="option">-3</code> option is specified,
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein in which case NSEC3RSASHA1 will be used instead. (If
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein <code class="option">-3</code> is used and an algorithm is specified,
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein that algorithm will be checked for compatibility with NSEC3.)
e33a549ef7ad9ce23f4719d91de915e9ecedaecfgstein </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb algorithm, and DSA is recommended.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Note 2: DH automatically sets the -k flag.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</dd>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dt><span class="term">-3</span></dt>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dd><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Use an NSEC3-capable algorithm to generate a DNSSEC key.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb If this option is used and no algorithm is explicitly
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb set on the command line, NSEC3RSASHA1 will be used by
91a9b0a5d1aa9614c3d3361a66ebf570b5d0319cbrianp default.
9633c1d322367e32b0d2f34fe263bf9c8d002956wrowe </p></dd>
9633c1d322367e32b0d2f34fe263bf9c8d002956wrowe<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
9633c1d322367e32b0d2f34fe263bf9c8d002956wrowe<dd>
9633c1d322367e32b0d2f34fe263bf9c8d002956wrowe<p>
91a9b0a5d1aa9614c3d3361a66ebf570b5d0319cbrianp Specifies the cryptographic hardware to use.
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd </p>
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd<p>
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd When BIND is built with OpenSSL PKCS#11 support, this defaults
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb to the string "pkcs11", which identifies an OpenSSL engine
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb that can drive a cryptographic accelerator or hardware service
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb module. When BIND is built with native PKCS#11 cryptography
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd (--enable-native-pkcs11), it defaults to the path of the PKCS#11
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb provider library specified via "--with-pkcs11".
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh</dd>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dd>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Specifies the label for a key pair in the crypto hardware.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
103a93c625bcde1a6a7a5155b64dcda36f612180pquerna<p>
17dc8282ea6b3ad1bbc661b498de9ec2e9987edejim When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb PKCS#11 support, the label is an arbitrary string that
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb identifies a particular key. It may be preceded by an
8af5758aea36531db09fa538df0753253ee34a6fwrowe optional OpenSSL engine name, followed by a colon, as in
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd support, the label is a PKCS#11 URI string in the format
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]".
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd Keywords include "token", which identifies the HSM; "object", which
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd identifies the key; and "pin-source", which identifies a file from
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb which the HSM's PIN code can be obtained. The label will be
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb stored in the on-disk "private" file.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb If the label contains a
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <code class="option">pin-source</code> field, tools using the generated
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb key files will be able to use the HSM for signing and other
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb operations without any need for an operator to manually enter
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb a PIN. Note: Making the HSM's PIN accessible in this manner
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb may reduce the security advantage of using an HSM; be sure
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb this is what you want to do before making use of this feature.
98e28ee4e3e3972abeb1bfd509c0e79c54c871f6nd </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</dd>
2fa5b5878e7567e2875807c3e2a2b3b0d3ef74bewrowe<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dd><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Specifies the owner type of the key. The value of
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb a host (KEY)),
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb USER (for a key associated with a user (KEY)), or OTHER (DNSKEY).
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh These values are case insensitive.
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe </p></dd>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe<dt><span class="term">-C</span></dt>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe<dd><p>
117e2968318323d2ad2187fcd4de379d2eca245cwrowe Compatibility mode: generates an old-style key, without
117e2968318323d2ad2187fcd4de379d2eca245cwrowe any metadata. By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
fee307b71a6c49d46a7ea2921b90df4243bf9db4wrowe will include the key's creation date in the metadata stored
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar with the private key, and other dates may be set there as well
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar (publication date, activation date, etc.). Keys that include
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar this data may be incompatible with older versions of BIND; the
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar <code class="option">-C</code> option suppresses them.
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar </p></dd>
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
b8daf4c5ea3d5bb2111b1b021de6d3cd891e403bcoar<dd><p>
8496c88debb9962575dac2b1ef9b81984d7bd759brianp Indicates that the DNS record containing the key should have
3d43d1454a609c00b8f35a19b416b86b85a029e6wrowe the specified class. If not specified, class IN is used.
8419e6f8bff1a3617933f3ba760d2bdec7442f44coar </p></dd>
8496c88debb9962575dac2b1ef9b81984d7bd759brianp<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dd><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Set the specified flag in the flag field of the KEY/DNSKEY record.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb The only recognized flags are KSK (Key Signing Key) and REVOKE.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p></dd>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dt><span class="term">-G</span></dt>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dd><p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz Generate a key, but do not publish it or sign with it. This
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz option is incompatible with -P and -A.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p></dd>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dt><span class="term">-h</span></dt>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dd><p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz Prints a short summary of the options and arguments to
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz <span class="command"><strong>dnssec-keyfromlabel</strong></span>.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p></dd>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dd><p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz Sets the directory in which the key files are to be written.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p></dd>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<dt><span class="term">-k</span></dt>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dd><p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz Generate KEY records rather than DNSKEY records.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p></dd>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dd><p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz Sets the default TTL to use for this key when it is converted
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz into a DNSKEY RR. If the key is imported into a zone,
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz this is the TTL that will be used for it, unless there was
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz already a DNSKEY RRset in place, in which case the existing TTL
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz would take precedence. Setting the default TTL to
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz <code class="literal">0</code> or <code class="literal">none</code> removes it.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p></dd>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dd><p>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz Sets the protocol value for the key. The protocol
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz is a number between 0 and 255. The default is 3 (DNSSEC).
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz Other possible values for this argument are listed in
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz RFC 2535 and its successors.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p></dd>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dd><p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh Generate a key as an explicit successor to an existing key.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz The name, algorithm, size, and type of the key will be set
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz to match the predecessor. The activation date of the new
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh key will be set to the inactivation date of the existing
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz one. The publication date will be set to the activation
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz date minus the prepublication interval, which defaults to
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz 30 days.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p></dd>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dd><p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh Indicates the use of the key. <code class="option">type</code> must be
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz is AUTHCONF. AUTH refers to the ability to authenticate
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz data, and CONF the ability to encrypt data.
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz </p></dd>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
6db5333c9461942b8af724b101e687af541d4d4cjerenkrantz<dd><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Sets the debugging level.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></dd>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dt><span class="term">-V</span></dt>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dd><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Prints version information.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></dd>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe<dt><span class="term">-y</span></dt>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe<dd><p>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe Allows DNSSEC key files to be generated even if the key ID
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe would collide with that of an existing key, in the event of
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb either key being revoked. (This is only safe to use if you
f47b4ed53b56586ac250c2f70f511ef4e4e8332bwrowe are sure you won't be using RFC 5011 trust anchor maintenance
c7a6672576191ea4e30c4e3c8f6819b2fec85515wrowe with either of the keys involved.)
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></dd>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</dl></div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="refsection">
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<a name="id-1.14.10.9"></a><h2>TIMING OPTIONS</h2>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh If the argument begins with a '+' or '-', it is interpreted as
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh an offset from the present time. For convenience, if such an offset
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh then the offset is computed in years (defined as 365 24-hour days,
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh ignoring leap years), months (defined as 30 24-hour days), weeks,
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh days, hours, or minutes, respectively. Without a suffix, the offset
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb is computed in seconds. To explicitly prevent a date from being
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb set, use 'none' or 'never'.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="variablelist"><dl class="variablelist">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<dd><p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh Sets the date on which a key is to be published to the zone.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh After that date, the key will be included in the zone but will
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh not be used to sign it. If not set, and if the -G option has
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh not been used, the default is "now".
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p></dd>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dd><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Sets the date on which the CDS and CDNSKEY records which match
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb this key are to be published to the zone.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></dd>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
103a93c625bcde1a6a7a5155b64dcda36f612180pquerna<dd><p>
43c3e6a4b559b76b750c245ee95e2782c15b4296jim Sets the date on which the key is to be activated. After that
103a93c625bcde1a6a7a5155b64dcda36f612180pquerna date, the key will be included in the zone and used to sign
103a93c625bcde1a6a7a5155b64dcda36f612180pquerna it. If not set, and if the -G option has not been used, the
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb default is "now".
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></dd>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<dd><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Sets the date on which the key is to be revoked. After that
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb date, the key will be flagged as revoked. It will be included
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb in the zone and will be used to sign it.
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe </p></dd>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dd><p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb Sets the date on which the key is to be retired. After that
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe date, the key will still be included in the zone, but it
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb will not be used to sign it.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></dd>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<dd><p>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe Sets the date on which the key is to be deleted. After that
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh date, the key will no longer be included in the zone. (It
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe may remain in the key repository, however.)
d3dd4768a9cefb2391580911e4d01803f88052f1wrowe </p></dd>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe<dd><p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh Sets the date on which the CDS and CDNSKEY records which match
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh this key are to be deleted.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p></dd>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<dd>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<p>
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd Sets the prepublication interval for a key. If set, then
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd the publication and activation dates must be separated by at least
6dbbe8404a34c20c8594a21848a7c25c9728dbebnd this much time. If the activation date is specified but the
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh publication date isn't, then the publication date will default
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb to this much time before the activation date; conversely, if
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe the publication date is specified but activation date isn't,
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe then activation will be set to this much time after publication.
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh If the key is being created as an explicit successor to another
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb key, then the default prepublication interval is 30 days;
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh otherwise it is zero.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb As with date offsets, if the argument is followed by one of
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
cd9eb79cfbf9bc730ccacc3a3774b1fe1b99ed53wrowe interval is measured in years, months, weeks, days, hours,
fee307b71a6c49d46a7ea2921b90df4243bf9db4wrowe or minutes, respectively. Without a suffix, the interval is
fee307b71a6c49d46a7ea2921b90df4243bf9db4wrowe measured in seconds.
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</dd>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh</dl></div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="refsection">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<a name="id-1.14.10.10"></a><h2>GENERATED KEY FILES</h2>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb successfully,
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh to the standard output. This is an identification string for
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb the key files it has generated.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p><code class="filename">nnnn</code> is the key name.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<li class="listitem"><p><code class="filename">aaa</code> is the numeric representation
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb of the algorithm.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<li class="listitem"><p><code class="filename">iiiii</code> is the key identifier (or
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb footprint).
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p></li>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</ul></div>
98e28ee4e3e3972abeb1bfd509c0e79c54c871f6nd<p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb creates two files, with names based
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb contains the public key, and
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb private key.
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb The <code class="filename">.key</code> file contains a DNS KEY record
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe that
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe can be inserted into a zone file (directly or with a $INCLUDE
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe statement).
d3dd4768a9cefb2391580911e4d01803f88052f1wrowe </p>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<p>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe The <code class="filename">.private</code> file contains
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe algorithm-specific
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe fields. For obvious security reasons, this file does not have
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe general read permission.
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</div>
b5aeecf5035421d10ea2bb15d300f910b751ada6jorton<div class="refsection">
b5aeecf5035421d10ea2bb15d300f910b751ada6jorton<a name="id-1.14.10.11"></a><h2>SEE ALSO</h2>
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
b5aeecf5035421d10ea2bb15d300f910b751ada6jorton <em class="citetitle">RFC 4034</em>,
b5aeecf5035421d10ea2bb15d300f910b751ada6jorton <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
5d3e5520c34648220ed0cd9dc01c2c203257c86fnd </p>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb</div>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<div class="navfooter">
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<hr>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<table width="100%" summary="Navigation footer">
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<tr>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<td width="40%" align="left">
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
141b1a93f508248cbc0e9a124cc38041eb3e2562rbb<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe</td>
2261031aa94be82d7e6b1b8c367afc1b282317f5ianh</tr>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe<tr>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe<td width="40%" align="left" valign="top">
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe<span class="application">dnssec-importkey</span>&nbsp;</td>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-keygen</span>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe</td>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe</tr>
bd381e76ecf9b101c77d22a7a8f8a34c2e9913aawrowe</table>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe</div>
117e2968318323d2ad2187fcd4de379d2eca245cwrowe<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0rc1</p>
117e2968318323d2ad2187fcd4de379d2eca245cwrowe</body>
117e2968318323d2ad2187fcd4de379d2eca245cwrowe</html>
f0a2d16b9c4129ec9deeb2131fdefe7e51dd1f38wrowe