man.dnssec-keyfromlabel.html revision 6f1205897504b8f50b1785975482c995888dd630
990d0e893f5b70e735cdf990af66e9ec6e91fa78Tinderbox User - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - Copyright (C) 2000-2003 Internet Software Consortium.
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - purpose with or without fee is hereby granted, provided that the above
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - copyright notice and this permission notice appear in all copies.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont - PERFORMANCE OF THIS SOFTWARE.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
50066670817cdf9e86c832066d73715232b29680Tinderbox User<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<table width="100%" summary="Navigation header">
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
50066670817cdf9e86c832066d73715232b29680Tinderbox User<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>�</td>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<th width="60%" align="center">Manual pages</th>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont generates a key pair of files that referencing a key object stored
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont in a cryptographic hardware service module (HSM). The private key
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater file can be used for DNSSEC signing of zone data as if it were a
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater but the key material is stored within the HSM, and the actual signing
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater takes place there.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater The <code class="option">name</code> of the key is specified on the command
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont line. This must match the name of the zone for which the key is
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont being generated.
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
cd791043c8a6edbcacc2392575a9816d19b8157cTinderbox User Selects the cryptographic algorithm. The value of
731cc132f22dbc9e0ecd7035dce314a61076d31bAutomatic Updater <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater ECDSAP256SHA256 or ECDSAP384SHA384.
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater These values are case insensitive.
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater If no algorithm is specified, then RSASHA1 will be used by
8e821eea5f57ac47a94305aa7ab0c3570d92a311Automatic Updater default, unless the <code class="option">-3</code> option is specified,
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater in which case NSEC3RSASHA1 will be used instead. (If
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="option">-3</code> is used and an algorithm is specified,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont that algorithm will be checked for compatibility with NSEC3.)
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont algorithm, and DSA is recommended.
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater Note 2: DH automatically sets the -k flag.
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater Use an NSEC3-capable algorithm to generate a DNSSEC key.
2a6d4c9948b3f4f31311bd799d114585a30419a9Automatic Updater If this option is used and no algorithm is explicitly
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater set on the command line, NSEC3RSASHA1 will be used by
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User Specifies the cryptographic hardware to use.
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User When BIND is built with OpenSSL PKCS#11 support, this defaults
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User to the string "pkcs11", which identifies an OpenSSL engine
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User that can drive a cryptographic accelerator or hardware service
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User module. When BIND is built with native PKCS#11 cryptography
6ea2385360e9e2167e65f9286447da9eea189457Tinderbox User (--enable-native-pkcs11), it defaults to the path of the PKCS#11
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont provider library specified via "--with-pkcs11".
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User Specifies the label for a key pair in the crypto hardware.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User PKCS#11 support, the label is an arbitrary string that
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User identifies a particular key. It may be preceded by an
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User optional OpenSSL engine name, followed by a colon, as in
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User support, the label is a PKCS#11 URI string in the format
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User Keywords include "token", which identifies the HSM; "object", which
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User identifies the key; and "pin-source", which identifies a file from
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User which the HSM's PIN code can be obtained. The label will be
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User stored in the on-disk "private" file.
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User If the label contains a
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User <code class="option">pin-source</code> field, tools using the generated
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User key files will be able to use the HSM for signing and other
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User operations without any need for an operator to manually enter
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User a PIN. Note: Making the HSM's PIN accessible in this manner
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User may reduce the security advantage of using an HSM; be sure
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont this is what you want to do before making use of this feature.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Specifies the owner type of the key. The value of
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="option">nametype</code> must either be ZONE (for a DNSSEC
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater a host (KEY)),
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater These values are case insensitive.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Compatibility mode: generates an old-style key, without
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater will include the key's creation date in the metadata stored
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater with the private key, and other dates may be set there as well
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont (publication date, activation date, etc). Keys that include
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont this data may be incompatible with older versions of BIND; the
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="option">-C</code> option suppresses them.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Indicates that the DNS record containing the key should have
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the specified class. If not specified, class IN is used.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater Set the specified flag in the flag field of the KEY/DNSKEY record.
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater The only recognized flags are KSK (Key Signing Key) and REVOKE.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Generate a key, but do not publish it or sign with it. This
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont option is incompatible with -P and -A.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Prints a short summary of the options and arguments to
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater <span><strong class="command">dnssec-keyfromlabel</strong></span>.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the directory in which the key files are to be written.
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater Generate KEY records rather than DNSKEY records.
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater Sets the default TTL to use for this key when it is converted
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater into a DNSKEY RR. If the key is imported into a zone,
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater this is the TTL that will be used for it, unless there was
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater already a DNSKEY RRset in place, in which case the existing TTL
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont would take precedence. Setting the default TTL to
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="literal">0</code> or <code class="literal">none</code> removes it.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the protocol value for the key. The protocol
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont is a number between 0 and 255. The default is 3 (DNSSEC).
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Other possible values for this argument are listed in
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont RFC 2535 and its successors.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Generate a key as an explicit successor to an existing key.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The name, algorithm, size, and type of the key will be set
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont to match the predecessor. The activation date of the new
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont key will be set to the inactivation date of the existing
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont one. The publication date will be set to the activation
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont date minus the prepublication interval, which defaults to
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater Indicates the use of the key. <code class="option">type</code> must be
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater is AUTHCONF. AUTH refers to the ability to authenticate
a3416b0a1b5482b6df32839445ca98c016945570Automatic Updater data, and CONF the ability to encrypt data.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
50066670817cdf9e86c832066d73715232b29680Tinderbox User Sets the debugging level.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Prints version information.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Allows DNSSEC key files to be generated even if the key ID
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User would collide with that of an existing key, in the event of
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User either key being revoked. (This is only safe to use if you
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater are sure you won't be using RFC 5011 trust anchor maintenance
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater with either of the keys involved.)
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater<a name="id2672041"></a><h2>TIMING OPTIONS</h2>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater If the argument begins with a '+' or '-', it is interpreted as
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater an offset from the present time. For convenience, if such an offset
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
5a24d24c8fba3480d707c0c902379ddb36501e12Automatic Updater then the offset is computed in years (defined as 365 24-hour days,
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater ignoring leap years), months (defined as 30 24-hour days), weeks,
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater days, hours, or minutes, respectively. Without a suffix, the offset
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater is computed in seconds. To explicitly prevent a date from being
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater set, use 'none' or 'never'.
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which a key is to be published to the zone.
79cf9524b15ca65f55fd6913e6cf01b5581c588aAutomatic Updater After that date, the key will be included in the zone but will
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater not be used to sign it. If not set, and if the -G option has
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater not been used, the default is "now".
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which the key is to be activated. After that
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater date, the key will be included in the zone and used to sign
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater it. If not set, and if the -G option has not been used, the
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater default is "now".
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater Sets the date on which the key is to be revoked. After that
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater date, the key will be flagged as revoked. It will be included
50066670817cdf9e86c832066d73715232b29680Tinderbox User in the zone and will be used to sign it.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the date on which the key is to be retired. After that
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont date, the key will still be included in the zone, but it
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont will not be used to sign it.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the date on which the key is to be deleted. After that
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont date, the key will no longer be included in the zone. (It
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater may remain in the key repository, however.)
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont Sets the prepublication interval for a key. If set, then
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the publication and activation dates must be separated by at least
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont this much time. If the activation date is specified but the
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont publication date isn't, then the publication date will default
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont to this much time before the activation date; conversely, if
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the publication date is specified but activation date isn't,
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater then activation will be set to this much time after publication.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont If the key is being created as an explicit successor to another
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont key, then the default prepublication interval is 30 days;
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont otherwise it is zero.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont As with date offsets, if the argument is followed by one of
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
c7d32c0b0ff4c01f0d4479af3410d3c06044d48aAutomatic Updater interval is measured in years, months, weeks, days, hours,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont or minutes, respectively. Without a suffix, the interval is
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont measured in seconds.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<a name="id2672163"></a><h2>GENERATED KEY FILES</h2>
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User successfully,
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont to the standard output. This is an identification string for
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont the key files it has generated.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<li><p><code class="filename">nnnn</code> is the key name.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<li><p><code class="filename">aaa</code> is the numeric representation
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont of the algorithm.
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<li><p><code class="filename">iiiii</code> is the key identifier (or
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont creates two files, with names based
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont contains the public key, and
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The <code class="filename">.key</code> file contains a DNS KEY record
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont can be inserted into a zone file (directly or with a $INCLUDE
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont The <code class="filename">.private</code> file contains