man.dnssec-keyfromlabel.html revision dcfda24abf565c442d058cbf81b2180d847a1b3e
<!--
 - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keyfromlabel.html,v 1.107 2011/01/05 01:14:07 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
<h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
retrieves the key pair with the given label from a cryptographic hardware
device and builds key files for DNSSEC (Secure DNS), as defined in RFC 2535.</p>
<p>The <code class="option">name</code> of the key is specified on the command
line. This must match the name of the zone for which the key is
being generated.</p>
<h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
Selects the cryptographic algorithm. The value of
<code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
These values are case insensitive.
If no algorithm is specified, then RSASHA1 will be used by
default, unless the <code class="option">-3</code> option is specified,
in which case NSEC3RSASHA1 will be used instead. (If
<code class="option">-3</code> is used and an algorithm is specified,
that algorithm will be checked for compatibility with NSEC3.)
</p><p>
Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
algorithm, and DSA is recommended.
</p><p>
Note 2: DH automatically sets the <code class="option">-k</code> flag.
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
Use an NSEC3-capable algorithm to generate a DNSSEC key.
If this option is used and no algorithm is explicitly
set on the command line, NSEC3RSASHA1 will be used by default.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Specifies the name of the cryptographic hardware (OpenSSL engine).
When compiled with PKCS#11 support it defaults to "pkcs11".
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
Specifies the label of the key pair in the cryptographic hardware.
The label may be preceded by an optional OpenSSL engine name,
separated by a colon, as in "pkcs11:keylabel".
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
Specifies the owner type of the key. The value of
<code class="option">nametype</code> must be one of ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)), USER (for a key associated with a user (KEY)) or
OTHER (DNSKEY). These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
Compatibility mode: generates an old-style key, without
any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
will include the key's creation date in the metadata stored
with the private key, and other dates may be set there as well
(publication date, activation date, etc.). Keys that include
this data may be incompatible with older versions of BIND; the
<code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
Sets the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
Generates a key, but does not publish it or sign with it. This
option is incompatible with <code class="option">-P</code> and
<code class="option">-A</code>.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Prints a short summary of the options and arguments to
<span><strong class="command">dnssec-keyfromlabel</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
Generates KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
Sets the protocol value for the key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
Indicates the use of the key. <code class="option">type</code> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF to the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
Allows DNSSEC key files to be generated even if the key ID
would collide with that of an existing key, in the event of
either key being revoked. (This is only safe to use if you
are sure you won't be using RFC 5011 trust anchor maintenance
with either of the keys involved.)
</p></dd>
</dl></div>
<h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the <code class="option">-G</code>
option has not been used, the default is "now".
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the <code class="option">-G</code> option has
not been used, the default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-U <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</dl></div>
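<p>Added example (not part of this manual page): a Python rendering of the date/offset syntax above and of the lifecycle that the timing options describe, including the -G default rule. The option letters, suffixes and 365-day/30-day definitions are the page's; the function names and the state labels (in_zone, signing, revoked) are this example's own.</p>

```python
import re
from datetime import datetime, timedelta

# Offset suffixes and their lengths in seconds, exactly as the page
# defines them: a year is 365 24-hour days (leap years ignored), a month
# is 30 24-hour days, and a bare number is seconds.
_SUFFIX_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                   "d": 86400, "h": 3600, "mi": 60, "": 1}
_OFFSET_RE = re.compile(r"^([+-])(\d+)(y|mo|w|d|h|mi)?$")


def parse_timing(arg, now):
    """Resolve a -P/-A/-R/-U/-D argument to an absolute datetime.
    Accepts "now", YYYYMMDD, YYYYMMDDHHMMSS, or a signed offset from
    `now`; anything else raises ValueError instead of being guessed."""
    if arg == "now":
        return now
    m = _OFFSET_RE.match(arg)
    if m:
        sign, count, suffix = m.groups()
        delta = timedelta(seconds=int(count) * _SUFFIX_SECONDS[suffix or ""])
        return now + delta if sign == "+" else now - delta
    if re.fullmatch(r"\d{8}", arg):
        return datetime.strptime(arg, "%Y%m%d")
    if re.fullmatch(r"\d{14}", arg):
        return datetime.strptime(arg, "%Y%m%d%H%M%S")
    raise ValueError(f"bad date/offset: {arg!r}")


def resolve_timing(opts, now):
    """Apply the defaults the page states. `opts` maps option letters
    (P, A, R, U, D, G) to their arguments (True for -G). -P and -A
    default to "now" unless -G was given; -G with -P or -A is an error."""
    if opts.get("G") and ("P" in opts or "A" in opts):
        raise ValueError("-G is incompatible with -P and -A")

    def get(flag):
        if flag in opts:
            return parse_timing(opts[flag], now)
        return now if flag in ("P", "A") and not opts.get("G") else None

    return {"publish": get("P"), "activate": get("A"), "revoke": get("R"),
            "retire": get("U"), "delete": get("D")}


def key_state(times, at):
    """What the zone sees at time `at`: the key is in the zone from -P
    until -D, signs from -A until -U, and carries the REVOKE flag from
    -R onward (a revoked key is still published and still signs)."""
    def reached(name):
        t = times.get(name)
        return t is not None and at >= t

    in_zone = reached("publish") and not reached("delete")
    return {"in_zone": in_zone,
            "signing": in_zone and reached("activate") and not reached("retire"),
            "revoked": in_zone and reached("revoke")}
```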
<a name="id2615601"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully, it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
</p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
</ul>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record that
can be inserted into a zone file (directly or with a <code class="literal">$INCLUDE</code>
statement).
</p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
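<p>Added example (not code from the manual page or from BIND): Python that resolves the -a/-3 algorithm rules from OPTIONS, splits the printed <code class="filename">Knnnn.+aaa+iiiii</code> string into its fields, and checks that a <code class="filename">.private</code> file really has no general read permission. The algorithm numbers are assumed from the IANA DNSSEC algorithm registry and the NSEC3-capable set from RFC 5155, since the page names the algorithms but gives neither; the sample identifier is constructed.</p>

```python
import re
import stat

# Mnemonic -> IANA DNSSEC algorithm number. The page names these
# algorithms (DH only through its effect on -k) but not their numbers;
# the numbers are this example's assumption from the IANA registry.
ALGORITHMS = {
    "RSAMD5": 1, "DH": 2, "DSA": 3, "RSASHA1": 5, "NSEC3DSA": 6,
    "NSEC3RSASHA1": 7, "RSASHA256": 8, "RSASHA512": 10, "ECCGOST": 12,
}
# Algorithms usable with NSEC3 (RFC 5155 and later registrations); the
# page only says that -3 checks an explicit -a value for compatibility.
NSEC3_CAPABLE = {"NSEC3DSA", "NSEC3RSASHA1", "RSASHA256", "RSASHA512", "ECCGOST"}
_IDENT_RE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})$")
SAMPLE_IDENT = "Kexample.com.+008+12345"  # constructed sample, not real output


def select_algorithm(requested=None, nsec3=False):
    """Resolve -a/-3 as the page describes: RSASHA1 by default,
    NSEC3RSASHA1 when only -3 is given, names case insensitive, and an
    explicit algorithm under -3 must be NSEC3-capable. Returns
    (mnemonic, number, key_records); key_records is True for DH, which
    the page says automatically sets -k."""
    if requested is None:
        name = "NSEC3RSASHA1" if nsec3 else "RSASHA1"
    else:
        name = requested.upper()
        if name not in ALGORITHMS:
            raise ValueError(f"unknown algorithm: {requested}")
        if nsec3 and name not in NSEC3_CAPABLE:
            raise ValueError(f"{name} is not compatible with NSEC3")
    return name, ALGORITHMS[name], name == "DH"


def parse_ident(ident):
    """Split the printed Knnnn.+aaa+iiiii string into its fields and
    derive the two file names the tool writes."""
    m = _IDENT_RE.match(ident)
    if not m:
        raise ValueError(f"not a dnssec-keyfromlabel identifier: {ident}")
    number = int(m.group("alg"))
    by_number = {v: k for k, v in ALGORITHMS.items()}
    return {
        "name": m.group("name"),
        "algorithm": by_number.get(number, f"UNKNOWN({number})"),
        "keyid": int(m.group("id")),
        "files": (ident + ".key", ident + ".private"),
    }


def private_file_mode_ok(mode):
    """True when a .private file's mode grants no group or other read
    access, the property the page says these files must have. Pass
    os.stat(path).st_mode, or raw permission bits such as 0o600."""
    return not mode & (stat.S_IRGRP | stat.S_IROTH)
```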
<h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
<h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span></p>