man.dnssec-keyfromlabel.html revision 28b3569d6248168e6c00caab951521cc8141a49d
<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keyfromlabel.html,v 1.3 2008/04/01 01:11:50 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.host.html" title="host">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 gets keys with the given label from crypto hardware and builds
 key files for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034.</p>
<dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA)
 or RSASHA1, DSA or DH (Diffie Hellman). These values
 are case insensitive.
</p>
<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
</p>
<p>
 Note 2: DH automatically sets the -k flag.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
 Specifies the label of keys in the crypto hardware
 (PKCS#11 device).
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are
 case insensitive.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key) DNSKEY.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
</dl>
<a name="id2598915"></a><h2>GENERATED KEY FILES</h2>
<p>
 When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key files it has generated.
</p>
<ul>
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
</ul>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the</p>
<p>
 The <code class="filename">.key</code> file contains a DNS KEY record
 can be inserted into a zone file (directly or with a $INCLUDE</p>
<p>
 The <code class="filename">.private</code> file contains algorithm
 fields. For obvious security reasons, this file does not have
 general read permission.
</p>
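<p>An added example, not part of the BIND distribution or of this manual page: a Python check that parses the printed <code class="filename">Knnnn.+aaa+iiiii</code> string and confirms that both files exist and that the <code class="filename">.private</code> file is not accessible to group or other. The function names are hypothetical, and the algorithm numbers are taken from the IANA DNSSEC algorithm registry rather than from this page.</p>

```python
import os
import re
import stat

# Assumption: IANA DNSSEC algorithm numbers for the algorithms this page lists.
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1"}

# K<name>.+<aaa>+<iiiii>; the key name is an absolute name ending in ".".
KEY_ID = re.compile(r"^K(?P<name>.*\.)\+(?P<alg>\d{3})\+(?P<tag>\d{5})$")


def parse_key_id(key_id):
    """Split the identification string into (name, algorithm, key identifier)."""
    m = KEY_ID.match(key_id.strip())
    if m is None:
        raise ValueError("not a Knnnn.+aaa+iiiii string: %r" % key_id)
    alg, tag = int(m.group("alg")), int(m.group("tag"))
    if tag > 0xFFFF:  # the key identifier is a 16-bit value
        raise ValueError("key identifier out of range: %d" % tag)
    return m.group("name"), alg, tag


def audit_key_files(key_id, directory="."):
    """Return a list of problems with the .key/.private pair for key_id."""
    _name, alg, _tag = parse_key_id(key_id)
    problems = []
    if alg not in ALGORITHMS:
        problems.append("algorithm %d is not one this page lists" % alg)
    base = os.path.join(directory, key_id.strip())
    for suffix in (".key", ".private"):
        path = base + suffix
        try:
            st = os.lstat(path)  # lstat: do not follow a symlink planted here
        except FileNotFoundError:
            problems.append("missing " + path)
            continue
        if not stat.S_ISREG(st.st_mode):
            problems.append("not a regular file: " + path)
        elif suffix == ".private" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append("%s is accessible to group/other (mode %o)"
                            % (path, stat.S_IMODE(st.st_mode)))
    return problems
```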
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>