doc/arm/man.dnssec-keyfromlabel.html

	man.dnssec-keyfromlabel.html revision 0f863f054cd14a83f8b8464d5976a97df39ee899
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<!--
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering -
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering - This Source Code Form is subject to the terms of the Mozilla Public
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering - License, v. 2.0. If a copy of the MPL was not distributed with this
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek - file, You can obtain one at http://mozilla.org/MPL/2.0/.
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering-->
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<html lang="en">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<head>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<title>dnssec-keyfromlabel</title>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering</head>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<div class="navheader">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<table width="100%" summary="Navigation header">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<tr>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<td width="20%" align="left">
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>�</td>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<th width="60%" align="center">Manual pages</th>
aa62a8936f5983770e90b791083d55107659f7a1Lennart Poettering<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek</td>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek</tr>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek</table>
a5c32cff1f56afe6f0c6c70d91a88a7a8238b2d7Harald Hoyer<hr>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek</div>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<div class="refentry">
aa62a8936f5983770e90b791083d55107659f7a1Lennart Poettering<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek  <div class="refnamediv">
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<h2>Name</h2>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<p>
aa62a8936f5983770e90b791083d55107659f7a1Lennart Poettering    <span class="application">dnssec-keyfromlabel</span>
aa62a8936f5983770e90b791083d55107659f7a1Lennart Poettering     &#8212; DNSSEC key generation tool
4c1fc3e404d648c70bd2f50ac50aeac6ece8872eDaniel Mack  </p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek</div>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek
aa62a8936f5983770e90b791083d55107659f7a1Lennart Poettering
c33b329709ebe2755181980a050d02ec7c81ed87Michal Schmidt
c33b329709ebe2755181980a050d02ec7c81ed87Michal Schmidt  <div class="refsynopsisdiv">
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<h2>Synopsis</h2>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek    <div class="cmdsynopsis"><p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      <code class="command">dnssec-keyfromlabel</code>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering       {-l <em class="replaceable"><code>label</code></em>}
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-3</code>]
c33b329709ebe2755181980a050d02ec7c81ed87Michal Schmidt       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
2fd069b18e525860514a70d3ea08410ca122d3e2Zbigniew Jędrzejewski-Szmek       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-G</code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-k</code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
40beecdb6d1c73e5acb62ebac2ccbfd7891f2418Daniel Mack       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
c33b329709ebe2755181980a050d02ec7c81ed87Michal Schmidt       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
c33b329709ebe2755181980a050d02ec7c81ed87Michal Schmidt       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
2fd069b18e525860514a70d3ea08410ca122d3e2Zbigniew Jędrzejewski-Szmek       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
2fd069b18e525860514a70d3ea08410ca122d3e2Zbigniew Jędrzejewski-Szmek       [<code class="option">-V</code>]
4a62c710b62a5a3c7a8a278b810b9d5b5a0c8f4fMichal Schmidt       [<code class="option">-y</code>]
4a62c710b62a5a3c7a8a278b810b9d5b5a0c8f4fMichal Schmidt       {name}
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering    </p></div>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering  </div>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek  <div class="refsection">
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering<a name="id-1.14.11.7"></a><h2>DESCRIPTION</h2>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering      generates a key pair of files that referencing a key object stored
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering      in a cryptographic hardware service module (HSM).  The private key
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering      file can be used for DNSSEC signing of zone data as if it were a
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering      conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering      but the key material is stored within the HSM, and the actual signing
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering      takes place there.
e801700e9acdde60078eb1d41b41b06369b83541Zbigniew Jędrzejewski-Szmek    </p>
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering    <p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      The <code class="option">name</code> of the key is specified on the command
2fd069b18e525860514a70d3ea08410ca122d3e2Zbigniew Jędrzejewski-Szmek      line.  This must match the name of the zone for which the key is
6524990fdc98370ecba5d9f73e67161e8798c010Lennart Poettering      being generated.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek    </p>
096924092b664e992cec49e2ef4ce33443877ac8Michele Curti  </div>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering
4a62c710b62a5a3c7a8a278b810b9d5b5a0c8f4fMichal Schmidt  <div class="refsection">
4a62c710b62a5a3c7a8a278b810b9d5b5a0c8f4fMichal Schmidt<a name="id-1.14.11.8"></a><h2>OPTIONS</h2>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek    <div class="variablelist"><dl class="variablelist">
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      <p>
e801700e9acdde60078eb1d41b41b06369b83541Zbigniew Jędrzejewski-Szmek        Selects the cryptographic algorithm.  The value of
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering        <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering        ECDSAP256SHA256 or ECDSAP384SHA384.
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering        These values are case insensitive.
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering      </p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      <p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        If no algorithm is specified, then RSASHA1 will be used by
2fd069b18e525860514a70d3ea08410ca122d3e2Zbigniew Jędrzejewski-Szmek        default, unless the <code class="option">-3</code> option is specified,
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        in which case NSEC3RSASHA1 will be used instead.  (If
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        <code class="option">-3</code> is used and an algorithm is specified,
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        that algorithm will be checked for compatibility with NSEC3.)
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering      <p>
a5ccdb9884a730553bce96b6d041b28da30d668fLennart Poettering        Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1eLennart Poettering        algorithm, and DSA is recommended.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
eb2672893108e14d50bd79b7fc714b75c5427c0bLennart Poettering      <p>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering        Note 2: DH automatically sets the -k flag.
e801700e9acdde60078eb1d41b41b06369b83541Zbigniew Jędrzejewski-Szmek      </p>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering    </dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dt><span class="term">-3</span></dt>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dd>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering      <p>
601185b43da638b1c74153deae01dbd518680889Zbigniew Jędrzejewski-Szmek        Use an NSEC3-capable algorithm to generate a DNSSEC key.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        If this option is used and no algorithm is explicitly
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        set on the command line, NSEC3RSASHA1 will be used by
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        default.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek    </dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      <p>
601185b43da638b1c74153deae01dbd518680889Zbigniew Jędrzejewski-Szmek        Specifies the cryptographic hardware to use.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering      <p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        When BIND is built with OpenSSL PKCS#11 support, this defaults
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        to the string "pkcs11", which identifies an OpenSSL engine
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        that can drive a cryptographic accelerator or hardware service
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        module.  When BIND is built with native PKCS#11 cryptography
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        (--enable-native-pkcs11), it defaults to the path of the PKCS#11
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        provider library specified via "--with-pkcs11".
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek    </dd>
eb9da376d76b48585b3b63b4f91903b54f7abd36Lennart Poettering<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      <p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        Specifies the label for a key pair in the crypto hardware.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      <p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        PKCS#11 support, the label is an arbitrary string that
601185b43da638b1c74153deae01dbd518680889Zbigniew Jędrzejewski-Szmek        identifies a particular key.  It may be preceded by an
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        optional OpenSSL engine name, followed by a colon, as in
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
601185b43da638b1c74153deae01dbd518680889Zbigniew Jędrzejewski-Szmek      </p>
601185b43da638b1c74153deae01dbd518680889Zbigniew Jędrzejewski-Szmek      <p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        support, the label is a PKCS#11 URI string in the format
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        Keywords include "token", which identifies the HSM; "object", which
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        identifies the key; and "pin-source", which identifies a file from
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        which the HSM's PIN code can be obtained.  The label will be
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        stored in the on-disk "private" file.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      <p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        If the label contains a
eb9da376d76b48585b3b63b4f91903b54f7abd36Lennart Poettering        <code class="option">pin-source</code> field, tools using the generated
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        key files will be able to use the HSM for signing and other
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        operations without any need for an operator to manually enter
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        a PIN.  Note: Making the HSM's PIN accessible in this manner
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        may reduce the security advantage of using an HSM; be sure
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        this is what you want to do before making use of this feature.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek    </dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dd>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering      <p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        Specifies the owner type of the key.  The value of
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        <code class="option">nametype</code> must either be ZONE (for a DNSSEC
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        a host (KEY)),
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        These values are case insensitive.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek    </dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dt><span class="term">-C</span></dt>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      <p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        Compatibility mode:  generates an old-style key, without
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        any metadata.  By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        will include the key's creation date in the metadata stored
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        with the private key, and other dates may be set there as well
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        (publication date, activation date, etc).  Keys that include
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        this data may be incompatible with older versions of BIND; the
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        <code class="option">-C</code> option suppresses them.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek    </dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      <p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        Indicates that the DNS record containing the key should have
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek        the specified class.  If not specified, class IN is used.
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      </p>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek    </dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek<dd>
19adb8a3204fefd91411b5f0f350c8bc6bcf75feZbigniew Jędrzejewski-Szmek      <p>
6edd7d0a09171ea5ae8e01b7b1cbcb0bdfbfeb16Lennart Poettering        Set the specified flag in the flag field of the KEY/DNSKEY record.
        The only recognized flags are KSK (Key Signing Key) and REVOKE.
      </p>
    </dd>
<dt><span class="term">-G</span></dt>
<dd>
      <p>
        Generate a key, but do not publish it or sign with it.  This
        option is incompatible with -P and -A.
      </p>
    </dd>
<dt><span class="term">-h</span></dt>
<dd>
      <p>
        Prints a short summary of the options and arguments to
        <span class="command"><strong>dnssec-keyfromlabel</strong></span>.
      </p>
    </dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
      <p>
        Sets the directory in which the key files are to be written.
      </p>
    </dd>
<dt><span class="term">-k</span></dt>
<dd>
      <p>
        Generate KEY records rather than DNSKEY records.
      </p>
    </dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
      <p>
        Sets the default TTL to use for this key when it is converted
        into a DNSKEY RR.  If the key is imported into a zone,
        this is the TTL that will be used for it, unless there was
        already a DNSKEY RRset in place, in which case the existing TTL
        would take precedence.  Setting the default TTL to
        <code class="literal">0</code> or <code class="literal">none</code> removes it.
      </p>
    </dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
      <p>
        Sets the protocol value for the key.  The protocol
        is a number between 0 and 255.  The default is 3 (DNSSEC).
        Other possible values for this argument are listed in
        RFC 2535 and its successors.
      </p>
    </dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd>
      <p>
        Generate a key as an explicit successor to an existing key.
        The name, algorithm, size, and type of the key will be set
        to match the predecessor. The activation date of the new
        key will be set to the inactivation date of the existing
        one. The publication date will be set to the activation
        date minus the prepublication interval, which defaults to
        30 days.
      </p>
    </dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
      <p>
        Indicates the use of the key.  <code class="option">type</code> must be
        one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
        is AUTHCONF.  AUTH refers to the ability to authenticate
        data, and CONF the ability to encrypt data.
      </p>
    </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
      <p>
        Sets the debugging level.
      </p>
    </dd>
<dt><span class="term">-V</span></dt>
<dd>
      <p>
        Prints version information.
      </p>
    </dd>
<dt><span class="term">-y</span></dt>
<dd>
      <p>
        Allows DNSSEC key files to be generated even if the key ID
        would collide with that of an existing key, in the event of
        either key being revoked.  (This is only safe to use if you
        are sure you won't be using RFC 5011 trust anchor maintenance
        with either of the keys involved.)
      </p>
    </dd>
</dl></div>
  </div>

  <div class="refsection">
<a name="id-1.14.11.9"></a><h2>TIMING OPTIONS</h2>


    <p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time.  For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively.  Without a suffix, the offset
      is computed in seconds.  To explicitly prevent a date from being
      set, use 'none' or 'never'.
    </p>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
      <p>
        Sets the date on which a key is to be published to the zone.
        After that date, the key will be included in the zone but will
        not be used to sign it.  If not set, and if the -G option has
        not been used, the default is "now".
      </p>
    </dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
      <p>
        Sets the date on which the CDS and CDNSKEY records which match
        this key are to be published to the zone.
      </p>
    </dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
      <p>
        Sets the date on which the key is to be activated.  After that
        date, the key will be included in the zone and used to sign
        it.  If not set, and if the -G option has not been used, the
        default is "now".
      </p>
    </dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
      <p>
        Sets the date on which the key is to be revoked.  After that
        date, the key will be flagged as revoked.  It will be included
        in the zone and will be used to sign it.
      </p>
    </dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
      <p>
        Sets the date on which the key is to be retired.  After that
        date, the key will still be included in the zone, but it
        will not be used to sign it.
      </p>
    </dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
      <p>
        Sets the date on which the key is to be deleted.  After that
        date, the key will no longer be included in the zone.  (It
        may remain in the key repository, however.)
      </p>
    </dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
      <p>
        Sets the date on which the CDS and CDNSKEY records which match
        this key are to be deleted.
      </p>
    </dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
          <p>
            Sets the prepublication interval for a key.  If set, then
            the publication and activation dates must be separated by at least
            this much time.  If the activation date is specified but the
            publication date isn't, then the publication date will default
            to this much time before the activation date; conversely, if
            the publication date is specified but activation date isn't,
            then activation will be set to this much time after publication.
          </p>
          <p>
            If the key is being created as an explicit successor to another
            key, then the default prepublication interval is 30 days;
            otherwise it is zero.
          </p>
          <p>
            As with date offsets, if the argument is followed by one of
            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
            interval is measured in years, months, weeks, days, hours,
            or minutes, respectively.  Without a suffix, the interval is
            measured in seconds.
          </p>
        </dd>
</dl></div>
  </div>

  <div class="refsection">
<a name="id-1.14.11.10"></a><h2>GENERATED KEY FILES</h2>

    <p>
      When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
      successfully,
      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
      to the standard output.  This is an identification string for
      the key files it has generated.
    </p>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
    <p><code class="filename">nnnn</code> is the key name.
    </p>
      </li>
<li class="listitem">
    <p><code class="filename">aaa</code> is the numeric representation
      of the algorithm.
    </p>
      </li>
<li class="listitem">
    <p><code class="filename">iiiii</code> is the key identifier (or
      footprint).
    </p>
      </li>
</ul></div>
    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
      creates two files, with names based
      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
      contains the public key, and
      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
      private key.
    </p>
    <p>
      The <code class="filename">.key</code> file contains a DNS KEY record
      that
      can be inserted into a zone file (directly or with a $INCLUDE
      statement).
    </p>
    <p>
      The <code class="filename">.private</code> file contains
      algorithm-specific
      fields.  For obvious security reasons, this file does not have
      general read permission.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.14.11.11"></a><h2>SEE ALSO</h2>

    <p><span class="citerefentry">
    <span class="refentrytitle">dnssec-keygen</span>(8)
      </span>,
      <span class="citerefentry">
    <span class="refentrytitle">dnssec-signzone</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4034</em>,
      <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
    </p>
  </div>

</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>�</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-importkey</span>�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�<span class="application">dnssec-keygen</span>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.1</p>
</body>
</html>