man.dnssec-keyfromlabel.html revision 15d29ab5fe89ad45b13ab8dcb74093f682a95986
<!--
 - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2614857"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 gets keys with the given label from crypto hardware and builds
 key files for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034.
 </p>
<p>
 The <code class="option">name</code> of the key is specified on the command
 line. This must match the name of the zone for which the key is
 being generated.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2614877"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256 or ECDSAP384SHA384.
 These values are case insensitive.
 </p>
<p>
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 </p>
<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
 </p>
<p>
 Note 2: DH automatically sets the -k flag.
 </p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default.
 </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Specifies the name of the crypto hardware (OpenSSL engine).
 When compiled with PKCS#11 support it defaults to "pkcs11".
 </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
 Specifies the label of the key pair in the crypto hardware.
 The label may be preceded by an optional OpenSSL engine name,
 separated by a colon, as in "pkcs11:keylabel".
 </p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive.
 </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc.). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
 </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
 </p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keyfromlabel</strong></span>.
 </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to be written.
 </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
 </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
 </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
 </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
 Allows DNSSEC key files to be generated even if the key ID
 would collide with that of an existing key, in the event of
 either key being revoked. (This is only safe to use if you
 are sure you won't be using RFC 5011 trust anchor maintenance
 with either of the keys involved.)
 </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2616980"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds.
 </p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
 </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now".
 </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
</dl></div>
</div>
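<p>
An added example, not part of the BIND distribution: a pre-flight check that resolves <code class="option">date/offset</code> arguments by the rules above and reports a schedule that conflicts with <code class="option">-G</code> or runs out of order. It assumes absolute dates are UTC and that publish, activate, retire and delete should occur in that order; <code>resolve_timing</code> and <code>check_schedule</code> are hypothetical names.
</p>

```python
import calendar
import re
import time

# Suffix multipliers exactly as the TIMING OPTIONS text defines them.
_UNITS = {
    "y": 365 * 86400,   # 365 24-hour days, leap years ignored
    "mo": 30 * 86400,   # 30 24-hour days
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
    "": 1,              # no suffix: seconds
}
_OFFSET = re.compile(r"([+-])(\d+)(y|mo|w|d|h|mi)?")
_ABSOLUTE = re.compile(r"\d{8}(\d{6})?")


def resolve_timing(arg, now):
    """Return the epoch second that a date/offset argument refers to."""
    m = _OFFSET.fullmatch(arg)
    if m:
        sign, count, unit = m.groups()
        delta = int(count) * _UNITS[unit or ""]
        return now + delta if sign == "+" else now - delta
    if _ABSOLUTE.fullmatch(arg):
        fmt = "%Y%m%d%H%M%S" if len(arg) == 14 else "%Y%m%d"
        # Assumption: absolute dates are read as UTC.
        # strptime raises ValueError for impossible dates such as 20231301.
        return calendar.timegm(time.strptime(arg, fmt))
    # Rejects ambiguous suffixes such as "+1m" (month or minute?).
    raise ValueError("not a date/offset: %r" % arg)


def check_schedule(opts, now):
    """Check a planned set of timing options before running the tool.

    opts maps option letters to their arguments, e.g. {"P": "+1d"};
    "G" maps to True when -G is given. Returns a list of problems.
    """
    problems = []
    if opts.get("G") and ("P" in opts or "A" in opts):
        problems.append("-G is incompatible with -P and -A")
    when = {k: resolve_timing(v, now) for k, v in opts.items()
            if k in ("P", "A", "R", "I", "D")}
    if not opts.get("G"):
        # Without -G, unset -P and -A default to "now".
        when.setdefault("P", now)
        when.setdefault("A", now)
    # Ordering rule assumed for this example, not stated in the manual:
    # publish <= activate <= retire <= delete.
    for early, late in (("P", "A"), ("A", "I"), ("I", "D")):
        if early in when and late in when and when[early] > when[late]:
            problems.append("-%s is later than -%s" % (early, late))
    return problems


if __name__ == "__main__":
    # Constructed schedule: retire date falls before activation.
    print(check_schedule({"A": "+7d", "I": "+1d"}, int(time.time())))
```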
<div class="refsect1" lang="en">
<a name="id2617214"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
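<p>
An added example, not part of the BIND distribution: it parses the identification string described above and checks that both generated files exist and that the <code class="filename">.private</code> file is not accessible to group or other. That is a stricter policy than "no general read permission" and is an assumption of this example, as are the names <code>parse_key_id</code> and <code>audit_key_files</code> and the sample string.
</p>

```python
import os
import re
import stat

# K<name>.+<3-digit algorithm>+<5-digit key identifier>, as described above.
_KEY_ID = re.compile(r"K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})")


def parse_key_id(ident):
    """Split an identification string into its three components."""
    m = _KEY_ID.fullmatch(ident.strip())
    if m is None:
        raise ValueError("not a key identification string: %r" % ident)
    return {
        "name": m.group("name"),
        "algorithm": int(m.group("alg")),
        "key_id": int(m.group("tag")),
    }


def audit_key_files(directory, ident):
    """Return a list of findings for the .key/.private pair of one key."""
    ident = ident.strip()
    parse_key_id(ident)  # reject malformed strings before touching the disk
    if os.sep in ident:
        # The string is used to build file names; keep it inside `directory`.
        raise ValueError("path separator in identification string")
    findings = []
    for suffix in (".key", ".private"):
        path = os.path.join(directory, ident + suffix)
        try:
            mode = os.stat(path).st_mode
        except FileNotFoundError:
            findings.append("missing: " + path)
            continue
        # Policy assumed here: no group/other bits at all on .private.
        if suffix == ".private" and mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s is mode %04o; expected 0600 or tighter"
                            % (path, stat.S_IMODE(mode)))
    return findings


if __name__ == "__main__":
    # Constructed sample string; point the directory at the -K target.
    print(parse_key_id("Kexample.com.+008+12345"))
    print(audit_key_files(".", "Kexample.com.+008+12345"))
```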
<div class="refsect1" lang="en">
<a name="id2617308"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4034</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2617341"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-dsfromkey</span>&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-keygen</span>
</td>
</tr>
</table>
</div>
</body>
</html>