man.dnssec-keyfromlabel.html revision 6d382c9fcec316a84a237779fb64bb471b6f9d43
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 gets keys with the given label from cryptographic hardware and builds
 key files for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034.
 The <code class="option">name</code> of the key is specified on the command
 line. This must match the name of the zone for which the key is
 being generated.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256 or ECDSAP384SHA384.
 These values are case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
 Note 2: DH automatically sets the -k flag.
<dt><span class="term">-3</span></dt>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 Specifies the cryptographic hardware to use.
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware security
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
 Specifies the label for a key pair in the crypto hardware.
 When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
 PKCS#11 support, the label is an arbitrary string that
 identifies a particular key. It may be preceded by an
 optional OpenSSL engine name, followed by a colon, as in
 "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
 When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
 support, the label is a PKCS#11 URI string in the format
 "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]".
 Keywords include "token", which identifies the HSM; "object", which
 identifies the key; and "pin-source", which identifies a file from
 which the HSM's PIN code can be obtained. The label will be
 stored in the on-disk "private" file.
 If the label contains a
 <code class="option">pin-source</code> field, tools using the generated
 key files will be able to use the HSM for signing and other
 operations without any need for an operator to manually enter
 a PIN. Note: Making the HSM's PIN accessible in this manner
 may reduce the security advantage of using an HSM; be sure
 this is what you want to do before making use of this feature.
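As an added example (not code from BIND or this man page), a small Python helper that decomposes both label forms above and flags the pin-source case the note warns about; it assumes the URI form is distinguished by the "pkcs11:" scheme plus at least one keyword=value pair, that the OpenSSL form is "[engine:]keylabel", and that URI values may be percent-encoded as in RFC 7512.

```python
"""Added example (not BIND code): parse and audit a dnssec-keyfromlabel -l label.

Assumes native PKCS#11 labels are "pkcs11:" plus keyword=value pairs, the
OpenSSL form is "[engine:]keylabel", and values may be RFC 7512 percent-encoded.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
from urllib.parse import unquote


@dataclass
class KeyLabel:
    form: str                       # "uri" (native PKCS#11) or "engine" (OpenSSL)
    engine: Optional[str] = None    # OpenSSL engine name, e.g. "pkcs11"
    keylabel: Optional[str] = None  # OpenSSL-form key label
    attrs: Dict[str, str] = field(default_factory=dict)  # URI keyword=value pairs


def parse_label(label: str) -> KeyLabel:
    """Classify and decompose a -l label; raises ValueError on a malformed URI."""
    scheme, sep, rest = label.partition(":")
    if scheme == "pkcs11" and sep and "=" in rest:
        attrs: Dict[str, str] = {}
        for part in filter(None, rest.split(";")):
            key, eq, value = part.partition("=")
            if not eq:
                raise ValueError(f"attribute without '=': {part!r}")
            if key in attrs:
                raise ValueError(f"duplicate keyword {key!r}")
            attrs[key] = unquote(value)  # undo %XX escapes in the value
        return KeyLabel(form="uri", attrs=attrs)
    if not sep:  # bare key label, engine left to the -E default
        return KeyLabel(form="engine", keylabel=label)
    return KeyLabel(form="engine", engine=scheme, keylabel=rest)


def audit_label(label: str) -> List[str]:
    """Findings a reviewer of a key-generation runbook would want flagged."""
    parsed = parse_label(label)
    findings: List[str] = []
    if parsed.form == "uri" and "object" not in parsed.attrs:
        findings.append("no 'object' keyword: label does not name a key")
    if "pin-source" in parsed.attrs:
        # Mirrors the man page note: an unattended PIN weakens the HSM's value.
        findings.append("pin-source present: HSM PIN is usable unattended")
    return findings
```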
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)),
 or OTHER (DNSKEY).
 These values are case insensitive.
<dt><span class="term">-C</span></dt>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc.). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.