man.dnssec-keyfromlabel.html revision 5d564da348e890e42f63eebf2dced9a05b41f4fb
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
<h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 generates a pair of key files that reference a key object stored
 in a cryptographic hardware service module (HSM). The private key
 file can be used for DNSSEC signing of zone data as if it were a
 conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
 but the key material is stored within the HSM, and the actual signing
 takes place there.
</p>
<p>
 The <code class="option">name</code> of the key is specified on the command
 line. This must match the name of the zone for which the key is
 being generated.
</p>
<h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256 or ECDSAP384SHA384.
 These values are case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
 Note 1: For DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
</p>
<p>
 Note 2: DH automatically sets the -k flag.
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Specifies the cryptographic hardware to use.
</p>
<p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
 Specifies the label for a key pair in the crypto hardware.
</p>
<p>
 When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
 PKCS#11 support, the label is an arbitrary string that
 identifies a particular key. It may be preceded by an
 optional OpenSSL engine name, followed by a colon, as in
 "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
</p>
<p>
 When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
 support, the label is a PKCS#11 URI string in the format
 "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]".
 Keywords include "token", which identifies the HSM; "object", which
 identifies the key; and "pin-source", which identifies a file from
 which the HSM's PIN code can be obtained. The label will be
 stored in the on-disk "private" file.
</p>
<p>
 If the label contains a
 <code class="option">pin-source</code> field, tools using the generated
 key files will be able to use the HSM for signing and other
 operations without any need for an operator to manually enter
 a PIN. Note: Making the HSM's PIN accessible in this manner
 may reduce the security advantage of using an HSM; be sure
 this is what you want to do before making use of this feature.
</p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)) or
 OTHER (DNSKEY). These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keyfromlabel</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Generate a key as an explicit successor to an existing key.
 The name, algorithm, size, and type of the key will be set
 to match the predecessor. The activation date of the new
 key will be set to the inactivation date of the existing
 one. The publication date will be set to the activation
 date minus the prepublication interval, which defaults to
 30 days.
</p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
</p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
 Allows DNSSEC key files to be generated even if the key ID
 would collide with that of an existing key, in the event of
 either key being revoked. (This is only safe to use if you
 are sure you won't be using RFC 5011 trust anchor maintenance
 with either of the keys involved.)
</p></dd>
</dl></div>
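<p>The two label forms accepted by <code class="option">-l</code> are the part of this tool most worth checking before a key goes into production, because a <code class="option">pin-source</code> keyword decides whether the HSM can be unlocked with nobody present. The Python below is an added example written for this page (it is not BIND code and does not call the tool): it splits a label into either its OpenSSL engine prefix or its PKCS#11 URI keywords and returns review findings, including whether the label embeds a PIN source. The sample labels are constructed, and telling the URI form from the engine form by the presence of <code>=</code> after the scheme is this example's own assumption (in practice the build type decides).</p>

```python
"""Parse and audit dnssec-keyfromlabel -l labels.

Added example for this page, not BIND code. Assumption: a label of the form
"pkcs11:<keyword>=<value>[;...]" is a native-PKCS#11 URI, and anything else is
the OpenSSL-engine form "[engine:]keylabel" (the page describes both forms but
not how to tell them apart; the build type decides in practice).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Keywords the page names for the PKCS#11 URI form.
KNOWN_KEYWORDS = {"token", "object", "pin-source"}


@dataclass
class KeyLabel:
    style: str                      # "uri" (native PKCS#11) or "engine" (OpenSSL engine)
    engine: Optional[str] = None    # OpenSSL engine name prefix, e.g. "pkcs11"
    attrs: Dict[str, str] = field(default_factory=dict)  # URI keywords, e.g. token/object
    raw: str = ""

    @property
    def unattended_pin(self) -> bool:
        """True when a pin-source is embedded: tools using the key files can
        unlock the HSM with no operator present (the trade-off noted under -l)."""
        return "pin-source" in self.attrs


def parse_label(label: str) -> KeyLabel:
    """Split a -l value into its parts (see the module docstring for the assumption)."""
    if not label:
        raise ValueError("empty label")
    scheme, sep, rest = label.partition(":")
    if sep and scheme == "pkcs11" and "=" in rest:
        attrs: Dict[str, str] = {}
        for item in rest.split(";"):
            if not item:
                continue                      # tolerate a trailing ';'
            key, eq, value = item.partition("=")
            if not eq or not key:
                raise ValueError(f"malformed PKCS#11 URI component: {item!r}")
            attrs[key.strip()] = value.strip()
        if "object" not in attrs:
            raise ValueError("PKCS#11 URI label does not name a key object")
        return KeyLabel(style="uri", attrs=attrs, raw=label)
    if sep and rest:
        return KeyLabel(style="engine", engine=scheme, raw=label)   # "engine:keylabel"
    return KeyLabel(style="engine", raw=label)                      # bare key label


def audit_label(label: str) -> List[str]:
    """Return review findings for a label, as a reviewer would check before use."""
    parsed = parse_label(label)
    findings: List[str] = []
    if parsed.style == "uri":
        unknown = sorted(set(parsed.attrs) - KNOWN_KEYWORDS)
        if unknown:
            findings.append(f"unrecognised keyword(s): {', '.join(unknown)}")
        if "token" not in parsed.attrs:
            findings.append("no token= keyword: the label does not say which HSM holds the key")
    if parsed.unattended_pin:
        findings.append(
            "pin-source present: the HSM PIN is reachable from the key files; "
            "confirm this is intended and that the PIN file is tightly permissioned"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample labels, one per form described on the page.
    for sample in (
        "pkcs11:token=zone-hsm;object=example.com-ksk;pin-source=/etc/hsm/pin.txt",
        "pkcs11:example.com-ksk",
        "example.com-ksk",
    ):
        print(sample, "->", parse_label(sample).style, audit_label(sample) or "no findings")
```

<p>Running the module prints one line per sample; the first label is the one that deserves a second look, since its PIN file becomes part of the signing trust boundary. The same parser can be pointed at the label stored in each on-disk "private" file to inventory which HSM keys are usable unattended.</p>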
<a name="id2675640"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To explicitly prevent a date from being
 set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>
 Sets the prepublication interval for a key. If set, then
 the publication and activation dates must be separated by at least
 this much time. If the activation date is specified but the
 publication date isn't, then the publication date will default
 to this much time before the activation date; conversely, if
 the publication date is specified but activation date isn't,
 then activation will be set to this much time after publication.
</p>
<p>
 If the key is being created as an explicit successor to another
 key, then the default prepublication interval is 30 days;
 otherwise it is zero.
</p>
<p>
 As with date offsets, if the argument is followed by one of
 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
 interval is measured in years, months, weeks, days, hours,
 or minutes, respectively. Without a suffix, the interval is
 measured in seconds.
</p></dd>
</dl></div>
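<p>The date/offset syntax, the <code class="option">-i</code> prepublication rule and the <code class="option">-S</code> successor defaults above interact, and a rollover plan is easiest to review when the resulting dates are computed rather than reasoned about. The Python below is an added example for this page (not BIND code; it does not run the tool) that implements those rules as stated: the suffix table with the page's 365-day year and 30-day month, <code>'none'</code>/<code>'never'</code>, the <code class="option">-G</code> incompatibility with <code class="option">-P</code>/<code class="option">-A</code>, and the way a missing publication or activation date is derived from the other one. Dates are naive <code>datetime</code> values and "now" is passed in explicitly so the arithmetic is reproducible; the function names are this example's own.</p>

```python
"""Date/offset and interval arithmetic for the timing options.

Added example for this page, not BIND code. It follows the rules stated above:
YYYYMMDD or YYYYMMDDHHMMSS absolute dates, '+'/'-' offsets with the suffixes
y/mo/w/d/h/mi (a year is 365 and a month 30 24-hour days), 'none'/'never' to
leave a date unset, and the -i/-S rules for deriving publication and activation.
"""
from datetime import datetime, timedelta
from typing import Optional, Tuple

# Suffix -> seconds, using the definitions given under TIMING OPTIONS.
_SUFFIX_SECONDS = {
    "y": 365 * 86400,
    "mo": 30 * 86400,
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
}


def parse_interval(text: str) -> int:
    """'30d' -> 2592000, '2mo' -> 5184000, '3600' -> 3600 (no suffix means seconds)."""
    text = text.strip().lower()
    if not text:
        raise ValueError("empty interval")
    for suffix in ("mo", "mi", "y", "w", "d", "h"):   # two-letter suffixes first
        if text.endswith(suffix):
            return int(text[: -len(suffix)]) * _SUFFIX_SECONDS[suffix]
    return int(text)


def parse_date_or_offset(text: str, now: datetime) -> Optional[datetime]:
    """Resolve a -P/-A/-R/-I/-D argument; None means 'none'/'never' (explicitly unset)."""
    text = text.strip()
    if text.lower() in ("none", "never"):
        return None
    if text and text[0] in "+-":
        sign = -1 if text[0] == "-" else 1
        return now + timedelta(seconds=sign * parse_interval(text[1:]))
    if len(text) == 8:
        return datetime.strptime(text, "%Y%m%d")
    if len(text) == 14:
        return datetime.strptime(text, "%Y%m%d%H%M%S")
    raise ValueError(f"unrecognised date/offset: {text!r}")


def plan_key_timing(now: datetime, publish: Optional[str] = None,
                    activate: Optional[str] = None, interval: str = "0",
                    generate_only: bool = False) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Derive (publish, activate) from raw -P/-A/-i/-G values (None = option not given).

    - -G is incompatible with -P and -A.
    - Both given: they must be at least the prepublication interval apart.
    - Only one given: the other is placed the interval before/after it.
    - Neither given: both default to now, unless -G is used.
    """
    if generate_only and (publish is not None or activate is not None):
        raise ValueError("-G is incompatible with -P and -A")
    prepub = timedelta(seconds=parse_interval(interval))
    pub = parse_date_or_offset(publish, now) if publish is not None else None
    act = parse_date_or_offset(activate, now) if activate is not None else None
    if pub is not None and act is not None:
        if act - pub < prepub:
            raise ValueError("publication and activation must be at least "
                             "the prepublication interval apart")
    elif act is not None and publish is None:
        pub = act - prepub
    elif pub is not None and activate is None:
        act = pub + prepub
    elif publish is None and activate is None and not generate_only:
        pub = act = now
    return pub, act


def successor_timing(predecessor_inactive: datetime,
                     interval: Optional[str] = None) -> Tuple[datetime, datetime]:
    """-S: activate when the predecessor is retired; publish one prepublication
    interval earlier, which defaults to 30 days for successor keys."""
    prepub = (timedelta(seconds=parse_interval(interval)) if interval is not None
              else timedelta(days=30))
    return predecessor_inactive - prepub, predecessor_inactive


if __name__ == "__main__":
    now = datetime(2015, 6, 1, 12, 0, 0)          # constructed "present time"
    print(plan_key_timing(now, activate="+30d", interval="1w"))
    print(successor_timing(datetime(2016, 1, 31)))
```

<p>A useful property of writing it this way is that a rollover plan can be checked offline: feed the same <code class="option">-P</code>/<code class="option">-A</code>/<code class="option">-i</code> strings the operator intends to use and confirm the derived dates leave enough time for the DNSKEY RRset to propagate before the new key signs.</p>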
<a name="id2675762"></a><h2>GENERATED KEY FILES</h2>
<p>
 When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key files it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
 of the algorithm.</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 private key.
</p>
<p>
 The <code class="filename">.key</code> file contains a DNS KEY record
 that can be inserted into a zone file (directly or with a $INCLUDE
 directive).
</p>
<p>
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission.
</p>
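<p>The file name encodes the owner name, algorithm number and key identifier, so a key directory can be audited for files whose name no longer matches their contents (a renamed or hand-edited <code class="filename">.key</code> file) and for <code class="filename">.private</code> files that have lost their restrictive mode. The Python below is an added example for this page, not BIND code: it parses the <code class="filename">Knnnn.+aaa+iiiii</code> name, recomputes the key identifier from the DNSKEY record using the RFC 4034 Appendix B key tag algorithm, and checks a private file's permission bits. The algorithm-number table is the IANA registry values for the names listed under <code class="option">-a</code>; the sample <code class="filename">.key</code> contents are constructed with a three-byte dummy public key so the tag arithmetic can be followed by hand, and the function names are this example's own.</p>

```python
"""Cross-check generated key files against the Knnnn.+aaa+iiiii naming scheme.

Added example for this page, not BIND code. The key tag is computed with the
RFC 4034 Appendix B algorithm over the DNSKEY RDATA, which is what the 'iiiii'
key identifier in the file name is. The sample .key contents are constructed
with a three-byte dummy public key so the arithmetic can be followed by hand.
"""
import base64
import re
import stat
from typing import List, Optional, Tuple

# IANA DNS Security Algorithm Numbers for the names accepted by -a.
ALGORITHM_NUMBERS = {
    "RSAMD5": 1, "DSA": 3, "RSASHA1": 5, "NSEC3DSA": 6, "NSEC3RSASHA1": 7,
    "RSASHA256": 8, "RSASHA512": 10, "ECCGOST": 12,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14,
}

_KEYFILE_RE = re.compile(
    r"^K(?P<name>.*)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})\.(?P<ext>key|private)$")


def parse_key_filename(filename: str) -> Tuple[str, int, int, str]:
    """'Kexample.com.+008+02059.key' -> ('example.com.', 8, 2059, 'key')."""
    m = _KEYFILE_RE.match(filename)
    if not m:
        raise ValueError(f"not a dnssec key file name: {filename!r}")
    return m.group("name") + ".", int(m.group("alg")), int(m.group("id")), m.group("ext")


def dnskey_keytag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    if algorithm == 1:
        raise ValueError("RSAMD5 uses a different key tag rule (RFC 4034 B.1); not handled")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey_line(line: str) -> Tuple[str, int, int, int, bytes]:
    """Parse 'owner [ttl] [IN] DNSKEY flags proto alg <base64...>' as found in a .key file."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if t in ("DNSKEY", "KEY")), None)
    if idx is None:
        raise ValueError(f"no DNSKEY/KEY record in line: {line!r}")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]))
    return tokens[0], flags, protocol, algorithm, pubkey


def check_key_file(filename: str, contents: str, mode: Optional[int] = None) -> List[str]:
    """Return problems found: a .key whose record disagrees with its file name,
    or a .private file whose mode grants group/other read access."""
    name, alg, key_id, ext = parse_key_filename(filename)
    problems: List[str] = []
    if ext == "private":
        if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append(f"{filename}: readable by group or others (mode {mode & 0o777:o})")
        return problems
    records = [l for l in contents.splitlines() if l.strip() and not l.startswith(";")]
    if not records:
        return [f"{filename}: no DNSKEY record found"]
    owner, flags, protocol, algorithm, pubkey = parse_dnskey_line(records[0])
    if owner != name:
        problems.append(f"{filename}: owner {owner} does not match file name")
    if algorithm != alg:
        problems.append(f"{filename}: algorithm {algorithm} does not match +{alg:03d}+")
    tag = dnskey_keytag(flags, protocol, algorithm, pubkey)
    if tag != key_id:
        problems.append(f"{filename}: key tag {tag} does not match +{key_id:05d}")
    return problems


# Constructed sample: a KSK (flags 257) for example.com, RSASHA256, dummy key bytes 01 02 03.
SAMPLE_KEY_FILE = (
    "; This is a key-signing key, keyid 2059, for example.com.\n"
    "example.com. IN DNSKEY 257 3 8 AQID\n"
)

if __name__ == "__main__":
    print(check_key_file("Kexample.com.+008+02059.key", SAMPLE_KEY_FILE) or "key file consistent")
    print(check_key_file("Kexample.com.+008+02059.private", "", mode=0o644))
```

<p>For the dummy key the RDATA is <code>01 01 03 08 01 02 03</code>; even-indexed bytes are shifted left by eight, so the sum is 256+1+768+8+256+2+768 = 2059, which is the <code class="filename">iiiii</code> part of the sample file name. On a real key directory the mode argument would come from <code>os.stat(path).st_mode</code>, and the RSAMD5 exception is deliberate because that algorithm's key tag is derived differently.</p>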
<h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
</p>
<h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span></p>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>