man.dnssec-keyfromlabel.html revision fdd80e9a55c70b36a3bf3e409b86897301c44ff8
<!--
 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keyfromlabel.html,v 1.85 2010/01/08 01:14:07 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
<tr>
<td width="20%" align="left"><a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a></td>
</tr>
</table>
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<a name="id2607051"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 gets keys with the given label from crypto hardware and builds
 key files for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034.
 The <code class="option">name</code> of the key is specified on the command
 line. This must match the name of the zone for which the key is
 being generated.
</p>
<h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
 These values are case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
</p>
<p>
 Note 2: DH automatically sets the -k flag.
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Specifies the name of the crypto hardware (OpenSSL engine).
 When compiled with PKCS#11 support it defaults to "pkcs11".
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
 Specifies the label of the key pair in the crypto hardware.
 The label may be preceded by an optional OpenSSL engine name,
 separated by a colon, as in "pkcs11:keylabel".
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keyfromlabel</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
</dl></div>
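<p>
 The option rules above (the -a default and its NSEC3 compatibility check, the
 two recognized -f flags, and -G being incompatible with -P and -A), as an added
 shell example that is not part of this manual page and not ISC code: it checks
 an intended invocation against those rules and prints the command line instead
 of running it. The engine name pkcs11 and the key labels are assumptions used
 for illustration; the set of NSEC3-capable algorithms is taken from RFC 5155,
 not from this page.
</p>

```shell
#!/bin/sh
# Added example, not ISC's code: check an intended dnssec-keyfromlabel
# invocation against the option rules the manual page documents and
# print the resulting command line. Nothing is executed here.
#
# Assumptions (not from the manual page): the crypto hardware is reached
# through an OpenSSL engine named "pkcs11", and the key pair with the
# given label already exists there.

# Algorithms the -a option accepts; the manual says matching is case-insensitive.
KNOWN_ALGS="RSAMD5 RSASHA1 DSA NSEC3RSASHA1 NSEC3DSA RSASHA256 RSASHA512"

to_upper() { printf '%s' "$1" | tr '[:lower:]' '[:upper:]'; }

# resolve_algorithm ALGORITHM NSEC3 -> prints the algorithm that would be used.
# Empty ALGORITHM means "not given": RSASHA1 by default, NSEC3RSASHA1 when -3
# is set. With -3 and an explicit algorithm, one that cannot be used with
# NSEC3 is rejected (the NSEC3-capable set here follows RFC 5155).
resolve_algorithm() {
    alg=$(to_upper "$1")
    nsec3=$2
    if [ -z "$alg" ]; then
        if [ "$nsec3" = 1 ]; then echo NSEC3RSASHA1; else echo RSASHA1; fi
        return 0
    fi
    case " $KNOWN_ALGS " in
        *" $alg "*) ;;
        *) echo "unknown algorithm: $alg" >&2; return 1 ;;
    esac
    if [ "$nsec3" = 1 ]; then
        case "$alg" in
            NSEC3RSASHA1|NSEC3DSA|RSASHA256|RSASHA512) ;;
            *) echo "$alg cannot be used with NSEC3 (-3)" >&2; return 1 ;;
        esac
    fi
    echo "$alg"
}

# build_keyfromlabel_cmd NAME LABEL [ALGORITHM] [NSEC3] [FLAG] [PUBLISH] [ACTIVATE] [NOPUBLISH]
#   NSEC3=1 adds -3, FLAG is KSK or REVOKE (uppercased here for convenience),
#   PUBLISH/ACTIVATE become -P/-A, NOPUBLISH=1 adds -G. Prints the command or returns 1.
build_keyfromlabel_cmd() {
    name=$1; label=$2; alg_in=$3; nsec3=${4:-0}
    flag=$(to_upper "$5"); publish=$6; activate=$7; nopub=${8:-0}
    [ -n "$name" ] && [ -n "$label" ] || { echo "name and label are required" >&2; return 1; }
    alg=$(resolve_algorithm "$alg_in" "$nsec3") || return 1
    # The manual documents -G as incompatible with -P and -A.
    if [ "$nopub" = 1 ] && { [ -n "$publish" ] || [ -n "$activate" ]; }; then
        echo "-G cannot be combined with -P or -A" >&2; return 1
    fi
    case "$flag" in
        ""|KSK|REVOKE) ;;
        *) echo "unrecognized flag: $flag (only KSK and REVOKE)" >&2; return 1 ;;
    esac
    cmd="dnssec-keyfromlabel -E pkcs11 -l $label -a $alg"
    [ "$nsec3" = 1 ] && cmd="$cmd -3"
    [ -n "$flag" ] && cmd="$cmd -f $flag"
    [ "$nopub" = 1 ] && cmd="$cmd -G"
    [ -n "$publish" ] && cmd="$cmd -P $publish"
    [ -n "$activate" ] && cmd="$cmd -A $activate"
    echo "$cmd $name"
}

# Demo with constructed names: a KSK from the HSM, and a pre-published ZSK
# that is included in the zone a day from now and signs a week after that.
build_keyfromlabel_cmd example.com. ksk-2010-1 '' 0 KSK
build_keyfromlabel_cmd example.com. zsk-2010-1 rsasha256 1 '' +1d +8d
```

<p>
 Rejected combinations are reported on stderr with a non-zero exit status, so
 the function can gate a provisioning script before the real tool touches the
 hardware.
</p>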
<a name="id2607700"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-U <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
</p></dd>
</dl></div>
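<p>
 The offset arithmetic described above, as an added shell example that is not
 from this manual page and not ISC code: it converts a -P/-A/-R/-U/-D argument
 into seconds using exactly the unit definitions given here (365-day years,
 30-day months, no suffix meaning seconds) and passes absolute dates through.
 The second function checks that a schedule given as offsets does not run
 backwards; that ordering requirement is an assumption added here, not a rule
 the manual states.
</p>

```shell
#!/bin/sh
# Added example, not ISC's code: evaluate the date/offset arguments that
# -P, -A, -R, -U and -D take, with the unit definitions the manual gives
# (y = 365 days, mo = 30 days, w, d, h, mi; no suffix = seconds).

# timing_arg_to_seconds ARG -> prints the signed number of seconds for an
# offset such as +7d or -1w; an absolute YYYYMMDD or YYYYMMDDHHMMSS date
# is printed unchanged. Returns 1 for anything else.
timing_arg_to_seconds() {
    arg=$1
    case "$arg" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) echo "$arg"; return 0 ;;
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) echo "$arg"; return 0 ;;
        -*) sign=- ;;
        +*) sign= ;;
        *) echo "not a date or offset: $arg" >&2; return 1 ;;
    esac
    rest=${arg#?}                # drop the sign
    num=${rest%%[!0-9]*}         # leading digits
    unit=${rest#"$num"}          # optional suffix after the digits
    [ -n "$num" ] || { echo "missing number in: $arg" >&2; return 1; }
    case "$unit" in
        "")  mult=1 ;;
        mi)  mult=60 ;;
        h)   mult=3600 ;;
        d)   mult=86400 ;;
        w)   mult=$((7 * 86400)) ;;
        mo)  mult=$((30 * 86400)) ;;    # months are 30 days, per the manual
        y)   mult=$((365 * 86400)) ;;   # years are 365 days, leap years ignored
        *)   echo "unknown suffix '$unit' in: $arg" >&2; return 1 ;;
    esac
    echo "${sign}$((num * mult))"
}

# schedule_is_ordered ARG... -> returns 0 when each offset is no earlier
# than the one before it (give them in publish, activate, retire, delete
# order). Requiring the dates not to run backwards is an assumption added
# here; the manual does not state it. Absolute dates are refused because
# they cannot be compared with offsets without knowing "now".
schedule_is_ordered() {
    prev=
    for a in "$@"; do
        case "$a" in
            [+-]*) ;;
            *) echo "only offsets can be compared: $a" >&2; return 1 ;;
        esac
        s=$(timing_arg_to_seconds "$a") || return 1
        if [ -n "$prev" ] && [ "$s" -lt "$prev" ]; then
            echo "schedule runs backwards at $a" >&2; return 1
        fi
        prev=$s
    done
    return 0
}

# Demo with a constructed rollover schedule: publish now, sign a week
# later, retire after 90 days, delete after 120 days.
for a in +0 +7d +90d +120d; do
    printf '%-6s = %s seconds\n' "$a" "$(timing_arg_to_seconds "$a")"
done
schedule_is_ordered +0 +7d +90d +120d && echo "schedule is in order"
```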
<a name="id2609914"></a><h2>GENERATED KEY FILES</h2>
<p>
 When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key files it has generated.
</p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
 of the algorithm.</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
</ul>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 private key.
</p>
<p>
 The <code class="filename">.key</code> file contains a DNS KEY record that
 can be inserted into a zone file (directly or with a $INCLUDE
</p>
<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
</p>
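<p>
 Handling the identification string and the two files it names, as an added
 shell example that is not part of this manual page and not ISC code: it splits
 a Knnnn.+aaa+iiiii string into its parts, derives the .key and .private file
 names, and verifies that the .private file really is readable by its owner
 only, which is the property the paragraph above relies on. The identification
 string, directory and stand-in files used in the demo are constructed sample
 values, not output from a real run.
</p>

```shell
#!/bin/sh
# Added example, not ISC's code: work with the Knnnn.+aaa+iiiii string that
# dnssec-keyfromlabel prints, derive the two file names, and verify that
# the .private file is readable by its owner only. The identification
# string and the files created in the demo are constructed sample data.

# parse_key_id ID -> prints "name algorithm keyid"; returns 1 on bad form.
parse_key_id() {
    id=$1
    case "$id" in
        K?*.+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "not a Knnnn.+aaa+iiiii string: $id" >&2; return 1 ;;
    esac
    body=${id#K}
    name=${body%+*+*}          # everything before "+aaa+iiiii"
    rest=${body#"$name"+}      # "aaa+iiiii"
    alg=${rest%+*}
    keyid=${rest#*+}
    echo "$name $alg $keyid"
}

# key_file_names ID [DIR] -> prints "DIR/ID.key DIR/ID.private" (DIR defaults to ".").
key_file_names() {
    parse_key_id "$1" >/dev/null || return 1
    dir=${2:-.}
    echo "$dir/$1.key $dir/$1.private"
}

# private_key_is_protected FILE -> 0 if FILE exists and has neither the
# group nor the other read bit set, 1 otherwise. Reads the mode string from
# ls -ld, whose first ten characters (-rwxrwxrwx) are the same on every
# POSIX system; the 5th character is group read, the 8th is other read.
private_key_is_protected() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    mode=$(ls -ld "$f" | cut -c1-10)
    case "$mode" in
        ????-??-??) return 0 ;;
        *) echo "$f is readable by group or others: $mode" >&2; return 1 ;;
    esac
}

# Demo: constructed key id and empty stand-in files in a temporary directory.
demo_id="Kexample.com.+008+12345"
parse_key_id "$demo_id"
demo_dir=$(mktemp -d)
set -- $(key_file_names "$demo_id" "$demo_dir")     # $1 = .key, $2 = .private
: > "$1"; chmod 644 "$1"          # public half: world-readable is expected
: > "$2"; chmod 600 "$2"          # private half: owner only
private_key_is_protected "$2" && echo "$2 looks right"
chmod 644 "$2"                    # simulate a botched copy or restore
private_key_is_protected "$2" || echo "would need: chmod 600 $2"
rm -rf "$demo_dir"
```

<p>
 Running the permission check over the key directory after any copy, backup
 restore or ownership change catches the common case where the .private file
 silently became group- or world-readable.
</p>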
<h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
<h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left"><a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a></td>
</tr>
<tr>
<td width="40%" align="left" valign="top"><span class="application">dnssec-dsfromkey</span>&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-keygen</span></td>
</tr>
</table>
</body>