<!-- man.dnssec-keyfromlabel.html revision 5fa6a064b8301e4f274bd132fd577def59e4fb4c -->
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2621274"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
      generates a pair of key files that reference a key object stored
      in a hardware security module (HSM). The private key
      file can be used for DNSSEC signing of zone data as if it were a
      conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
      but the key material is stored within the HSM, and the actual signing
      takes place there.
    </p>
<p>
      The <code class="option">name</code> of the key is specified on the command
      line. This must match the name of the zone for which the key is
      being generated.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2621300"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
          Selects the cryptographic algorithm. The value of
          <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
          DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
          ECDSAP256SHA256 or ECDSAP384SHA384.
          These values are case insensitive.
        </p>
<p>
          If no algorithm is specified, then RSASHA1 will be used by
          default, unless the <code class="option">-3</code> option is specified,
          in which case NSEC3RSASHA1 will be used instead. (If
          <code class="option">-3</code> is used and an algorithm is specified,
          that algorithm will be checked for compatibility with NSEC3.)
        </p>
<p>
          Note 1: For DNSSEC, RSASHA1 has historically been the
          mandatory-to-implement algorithm, with DSA recommended.
          Current algorithm guidance (RFC 8624) deprecates RSAMD5 and
          DSA and discourages new RSASHA1 keys; for new keys, prefer
          RSASHA256 or ECDSAP256SHA256 where the HSM supports them.
        </p>
<p>
          Note 2: DH automatically sets the -k flag.
        </p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
          Use an NSEC3-capable algorithm to generate a DNSSEC key.
          If this option is used and no algorithm is explicitly
          set on the command line, NSEC3RSASHA1 will be used by
          default.
        </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
          Specifies the cryptographic hardware to use.
        </p>
<p>
          When BIND is built with OpenSSL PKCS#11 support, this defaults
          to the string "pkcs11", which identifies an OpenSSL engine
          that can drive a cryptographic accelerator or hardware security
          module. When BIND is built with native PKCS#11 cryptography
          (--enable-native-pkcs11), it defaults to the path of the PKCS#11
          provider library specified via "--with-pkcs11".
        </p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
          Specifies the label for a key pair in the crypto hardware.
        </p>
<p>
          When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
          PKCS#11 support, the label is an arbitrary string that
          identifies a particular key. It may be preceded by an
          optional OpenSSL engine name, followed by a colon, as in
          "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
        </p>
<p>
          When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
          support, the label is a PKCS#11 URI string in the format
          "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]".
          Keywords include "token", which identifies the HSM; "object", which
          identifies the key; and "pin-source", which identifies a file from
          which the HSM's PIN code can be obtained. The label will be
          stored in the on-disk "private" file.
        </p>
<p>
          If the label contains a
          <code class="option">pin-source</code> field, tools using the generated
          key files will be able to use the HSM for signing and other
          operations without any need for an operator to manually enter
          a PIN. Note: Making the HSM's PIN accessible in this manner
          may reduce the security advantage of using an HSM: anyone who
          can read both the "private" file and the PIN file can sign
          with the key, so restrict both files to the signing user. Be
          sure this is what you want to do before making use of this
          feature.
        </p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
          Specifies the owner type of the key. The value of
          <code class="option">nametype</code> must either be ZONE (for a DNSSEC
          zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
          a host (KEY)),
          USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
          These values are case insensitive.
        </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
          Compatibility mode: generates an old-style key, without
          any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
          will include the key's creation date in the metadata stored
          with the private key, and other dates may be set there as well
          (publication date, activation date, etc). Keys that include
          this data may be incompatible with older versions of BIND; the
          <code class="option">-C</code> option suppresses them.
        </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
          Indicates that the DNS record containing the key should have
          the specified class. If not specified, class IN is used.
        </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
          Set the specified flag in the flag field of the KEY/DNSKEY record.
          The only recognized flags are KSK (Key Signing Key) and REVOKE.
        </p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
          Generate a key, but do not publish it or sign with it. This
          option is incompatible with -P and -A.
        </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
          Prints a short summary of the options and arguments to
          <span><strong class="command">dnssec-keyfromlabel</strong></span>.
        </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
          Sets the directory in which the key files are to be written.
        </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
          Generate KEY records rather than DNSKEY records.
        </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
          Sets the default TTL to use for this key when it is converted
          into a DNSKEY RR. If the key is imported into a zone,
          this is the TTL that will be used for it, unless there was
          already a DNSKEY RRset in place, in which case the existing TTL
          would take precedence. Setting the default TTL to
          <code class="literal">0</code> or <code class="literal">none</code> removes it.
        </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
          Sets the protocol value for the key. The protocol
          is a number between 0 and 255. The default is 3 (DNSSEC).
          Other possible values for this argument are listed in
          RFC 2535 and its successors.
        </p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
          Generate a key as an explicit successor to an existing key.
          The name, algorithm, size, and type of the key will be set
          to match the predecessor. The activation date of the new
          key will be set to the inactivation date of the existing
          one. The publication date will be set to the activation
          date minus the prepublication interval, which defaults to
          30 days.
        </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
          Indicates the use of the key. <code class="option">type</code> must be
          one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
          is AUTHCONF. AUTH refers to the ability to authenticate
          data, and CONF the ability to encrypt data.
        </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
          Sets the debugging level.
        </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
          Prints version information.
        </p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
          Allows DNSSEC key files to be generated even if the key ID
          would collide with that of an existing key, in the event of
          either key being revoked. (This is only safe to use if you
          are sure you won't be using RFC 5011 trust anchor maintenance
          with either of the keys involved.)
        </p></dd>
</dl></div>
</div>
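<p>The two label shapes accepted by <code class="option">-l</code>, parsed and checked for the pin-source caveat, as an added example in Python (not BIND code and not part of this manual). The URI branch assumes RFC 7512 percent-encoding of attribute values and uses a heuristic, noted in the code, to tell a PKCS#11 URI apart from an OpenSSL "pkcs11:keylabel" string; the sample labels and file modes are constructed for the demonstration.</p>

```python
"""Interpret a dnssec-keyfromlabel -l label and flag unattended-signing setups.

Added example, not BIND code. Handles the two label shapes the manual
describes: "engine:keylabel" (OpenSSL-engine build) and a PKCS#11 URI
"pkcs11:keyword=value[;keyword=value...]" (native PKCS#11 build).
"""
import os
import stat
from urllib.parse import unquote


def parse_label(label: str) -> dict:
    """Classify a -l label and pull out its parts.

    Heuristic (an assumption, not a rule from the manual): a label that
    starts with "pkcs11:" and contains '=' is a PKCS#11 URI; anything else
    is "engine:keylabel" or a bare key label.
    """
    if not label:
        raise ValueError("empty label")
    if label.startswith("pkcs11:") and "=" in label:
        attrs = {}
        for part in label[len("pkcs11:"):].split(";"):
            if not part:
                continue
            if "=" not in part:
                raise ValueError(f"malformed PKCS#11 URI attribute: {part!r}")
            key, value = part.split("=", 1)
            # RFC 7512 (the published form of the draft cited under SEE ALSO)
            # percent-encodes reserved characters in attribute values.
            attrs[key] = unquote(value)
        return {"kind": "uri", "attrs": attrs}
    engine, sep, keylabel = label.partition(":")
    if sep:
        return {"kind": "engine", "engine": engine, "keylabel": keylabel}
    return {"kind": "engine", "engine": None, "keylabel": label}


def signs_without_operator_pin(parsed: dict) -> bool:
    """True when the label carries pin-source: the key files plus the PIN
    file are then enough to drive the HSM with no operator present."""
    return parsed["kind"] == "uri" and "pin-source" in parsed["attrs"]


def mode_is_private(mode: int) -> bool:
    """A PIN file should carry no group/other permission bits at all."""
    return (stat.S_IMODE(mode) & 0o077) == 0


def pin_source_is_private(parsed: dict) -> bool:
    """Stat the pin-source file and apply mode_is_private; False if there
    is no pin-source attribute or the file does not exist."""
    path = parsed.get("attrs", {}).get("pin-source")
    if path is None:
        return False
    try:
        return mode_is_private(os.stat(path).st_mode)
    except FileNotFoundError:
        return False


if __name__ == "__main__":
    # Constructed sample labels, not taken from any real deployment.
    samples = (
        "pkcs11:token=softhsm;object=example-zsk;pin-source=/etc/bind/hsm.pin",
        "pkcs11:example-zsk",
    )
    for sample in samples:
        info = parse_label(sample)
        print(sample, "->", info, "| unattended signing:", signs_without_operator_pin(info))
```

<p>Run the checks before handing the generated files to <span><strong class="command">dnssec-signzone</strong></span> or <span><strong class="command">named</strong></span>: a label with pin-source plus a world-readable PIN file turns "the key never leaves the HSM" into "anyone on the host can sign with it".</p>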
<div class="refsect1" lang="en">
<a name="id2624704"></a><h2>TIMING OPTIONS</h2>
<p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time. For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively. Without a suffix, the offset
      is computed in seconds. To explicitly prevent a date from being
      set, use 'none' or 'never'.
    </p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
          Sets the date on which a key is to be published to the zone.
          After that date, the key will be included in the zone but will
          not be used to sign it. If not set, and if the -G option has
          not been used, the default is "now".
        </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
          Sets the date on which the key is to be activated. After that
          date, the key will be included in the zone and used to sign
          it. If not set, and if the -G option has not been used, the
          default is "now".
        </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
          Sets the date on which the key is to be revoked. After that
          date, the key will be flagged as revoked. It will be included
          in the zone and will be used to sign it.
        </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
          Sets the date on which the key is to be retired. After that
          date, the key will still be included in the zone, but it
          will not be used to sign it.
        </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
          Sets the date on which the key is to be deleted. After that
          date, the key will no longer be included in the zone. (It
          may remain in the key repository, however.)
        </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
          Sets the prepublication interval for a key. If set, then
          the publication and activation dates must be separated by at least
          this much time. If the activation date is specified but the
          publication date isn't, then the publication date will default
          to this much time before the activation date; conversely, if
          the publication date is specified but the activation date isn't,
          then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
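<p>The date/offset grammar and the -P/-A/-i/-S/-G defaulting rules described in this section, carried through in Python as an added example (not BIND code). Absolute dates are treated as UTC and the -S case takes the predecessor's inactivation time as a value rather than reading its key files; both are assumptions of the example, and the "present time" is a constructed constant.</p>

```python
"""Date/offset and prepublication-interval arithmetic for the timing options.

Added example, not BIND code. It implements the rules described above:
absolute dates as YYYYMMDD or YYYYMMDDHHMMSS (treated as UTC, an
assumption), '+'/'-' offsets from "now" with optional suffix
y/mo/w/d/h/mi (365-day years, 30-day months, bare number = seconds),
'none'/'never' for an unset date, and the -P/-A/-i/-S/-G defaulting of
the publication and activation dates.
"""
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

_SUFFIX_SECONDS = {
    "y": 365 * 86400,  # years: 365 24-hour days, leap years ignored
    "mo": 30 * 86400,  # months: 30 24-hour days
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
}


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0, second: int = 0) -> datetime:
    """Build an aware UTC datetime (helper for callers and tests)."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


NOW_EXAMPLE = utc(2024, 1, 1)  # constructed "present time" for the demo below


def parse_interval(text: str) -> int:
    """Interval or offset magnitude in seconds, e.g. '30d' -> 2592000."""
    # Two-letter suffixes ('mo', 'mi') are tried before one-letter ones.
    for suffix in sorted(_SUFFIX_SECONDS, key=len, reverse=True):
        if text.endswith(suffix):
            return int(text[: -len(suffix)]) * _SUFFIX_SECONDS[suffix]
    return int(text)


def parse_date(text: str, now: datetime) -> Optional[datetime]:
    """A -P/-A/-R/-I/-D argument as an aware datetime; None for none/never."""
    if text in ("none", "never"):
        return None
    if not text:
        raise ValueError("empty date/offset")
    if text[0] in "+-":
        sign = -1 if text[0] == "-" else 1
        return now + timedelta(seconds=sign * parse_interval(text[1:]))
    if len(text) == 8:
        fmt = "%Y%m%d"
    elif len(text) == 14:
        fmt = "%Y%m%d%H%M%S"
    else:
        raise ValueError(f"bad date/offset: {text!r}")
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def schedule(now: datetime,
             publish: Optional[str] = None,          # -P
             activate: Optional[str] = None,         # -A
             interval: Optional[str] = None,         # -i
             predecessor_inactive: Optional[datetime] = None,  # -S: predecessor's -I time
             generate_only: bool = False,            # -G
             ) -> Tuple[Optional[datetime], Optional[datetime]]:
    """Return (publication, activation) after applying the documented defaults."""
    if generate_only and (publish is not None or activate is not None):
        raise ValueError("-G is incompatible with -P and -A")
    # Prepublication interval: explicit -i, else 30 days for a successor, else zero.
    if interval is not None:
        prepub = timedelta(seconds=parse_interval(interval))
    else:
        prepub = timedelta(days=30) if predecessor_inactive is not None else timedelta(0)
    pub = parse_date(publish, now) if publish is not None else None
    act = parse_date(activate, now) if activate is not None else None
    if predecessor_inactive is not None:
        act = predecessor_inactive      # successor activates when the predecessor retires
        activate = "successor"          # counts as an explicitly set activation date
    # Derive whichever of the pair was not given from the other and the interval.
    if act is not None and publish is None:
        pub = act - prepub
    elif pub is not None and activate is None:
        act = pub + prepub
    # Neither given and no -G: both default to "now".
    if not generate_only:
        if publish is None and pub is None:
            pub = now
        if activate is None and act is None:
            act = now
    # An explicitly given pair must respect the interval.
    if (publish is not None and activate is not None
            and pub is not None and act is not None and act - pub < prepub):
        raise ValueError("publication and activation are closer than the prepublication interval")
    return pub, act


if __name__ == "__main__":
    # Successor of a key retiring 2024-06-01: published 30 days earlier by default.
    print(schedule(NOW_EXAMPLE, predecessor_inactive=utc(2024, 6, 1)))
    # -A +10d -i 3d: publication derived as activation minus 3 days.
    print(schedule(NOW_EXAMPLE, activate="+10d", interval="3d"))
```

<p>The interval check is applied only when both dates were given on the command line; when one is derived from the other it holds by construction, and when both default to "now" there is nothing to check.</p>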
</div>
<div class="refsect1" lang="en">
<a name="id2672612"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
      creates two files, with names based
      on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
      contains the public key, and
      <code class="filename">Knnnn.+aaa+iiiii.private</code> references the
      private key held in the HSM.
    </p>
<p>
      The <code class="filename">.key</code> file contains a DNSKEY record
      (a KEY record if <code class="option">-k</code> was given) that
      can be inserted into a zone file (directly or with a $INCLUDE
      statement).
    </p>
<p>
      The <code class="filename">.private</code> file contains
      algorithm-specific
      fields, but for a key created by <span><strong class="command">dnssec-keyfromlabel</strong></span>
      it holds the label (and the key's timing metadata) used to locate
      the key object in the HSM rather than the key material itself,
      which stays in the HSM. Because it is still enough to drive signing
      wherever the HSM's PIN can be obtained, this file does not have
      general read permission.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2672706"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4034</em>,
<em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13, later published as RFC 7512)</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2672811"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-importkey</span>&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-keygen</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND Version 9.11</p>
</body>
</html>