man.dnssec-keyfromlabel.html revision 7e3f5fbcf871f22707e7da5e4c69573a4fdc64b5
<!--
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2622485"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 generates a pair of key files that reference a key object stored
 in a cryptographic hardware service module (HSM). The private key
 file can be used for DNSSEC signing of zone data as if it were a
 conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
 but the key material is stored within the HSM, and the actual signing
 takes place there.
 </p>
<p>
 The <code class="option">name</code> of the key is specified on the command
 line. This must match the name of the zone for which the key is
 being generated.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2622510"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256 or ECDSAP384SHA384.
 These values are case insensitive.
 </p>
<p>
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 </p>
<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
 </p>
<p>
 Note 2: DH automatically sets the -k flag.
 </p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default.
 </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
 Specifies the cryptographic hardware to use.
 </p>
<p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 </p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
<p>
 Specifies the label for a key pair in the crypto hardware.
 </p>
<p>
 When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
 PKCS#11 support, the label is an arbitrary string that
 identifies a particular key. It may be preceded by an
 optional OpenSSL engine name, followed by a colon, as in
 "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
 </p>
<p>
 When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
 support, the label is a PKCS#11 URI string in the format
 "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]".
 Keywords include "token", which identifies the HSM; "object", which
 identifies the key; and "pin-source", which identifies a file from
 which the HSM's PIN code can be obtained. The label will be
 stored in the on-disk "private" file.
 </p>
<p>
 If the label contains a
 <code class="option">pin-source</code> field, tools using the generated
 key files will be able to use the HSM for signing and other
 operations without any need for an operator to manually enter
 a PIN. Note: Making the HSM's PIN accessible in this manner
 may reduce the security advantage of using an HSM; be sure
 this is what you want to do before making use of this feature.
 </p>
</dd>
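<p>
 The following is an added example, not part of the manual page or of BIND: it parses a native-PKCS#11 label of the form shown above and reports the points an operator should review before the label is written into a "private" file, in particular whether a <code class="option">pin-source</code> field removes the PIN prompt. The token, object and path values are constructed placeholders, and treating the pin-source value as a local file path (with an optional "file:" prefix) is an assumption.
</p>

```python
"""Audit a -l label of the form dnssec-keyfromlabel accepts when BIND 9 is
built with native PKCS#11 support: "pkcs11:keyword=value[;keyword=value;...]".

Added example, not BIND's own code. Token, object and path values used here
are constructed placeholders; treating a pin-source value as a file path
(with an optional "file:" prefix) is an assumption."""
import os
import stat
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class LabelAudit:
    attrs: Dict[str, str] = field(default_factory=dict)
    findings: List[str] = field(default_factory=list)

    @property
    def unattended(self) -> bool:
        """True when tools can use the HSM without an operator typing the PIN."""
        return "pin-source" in self.attrs


def parse_label(label: str) -> Dict[str, str]:
    """Split a PKCS#11 URI label into its keyword=value fields.

    Keywords are lower-cased; values are kept verbatim. A trailing ';' is
    tolerated. Malformed input raises ValueError rather than being guessed at."""
    prefix = "pkcs11:"
    if not label.startswith(prefix):
        raise ValueError("label must begin with 'pkcs11:'")
    attrs: Dict[str, str] = {}
    for part in label[len(prefix):].split(";"):
        if part == "":
            continue
        key, sep, value = part.partition("=")
        if not sep or not key:
            raise ValueError(f"field {part!r} is not keyword=value")
        key = key.lower()
        if key in attrs:
            raise ValueError(f"keyword {key!r} appears twice")
        attrs[key] = value
    if not attrs:
        raise ValueError("label carries no keyword=value fields")
    return attrs


def mode_is_private(st_mode: int) -> bool:
    """True if no group or other permission bits are set on a file mode."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def audit_label(label: str) -> LabelAudit:
    """Parse a label and collect the points an operator should review.

    Only the label text and local file permissions are examined; the HSM
    itself is never contacted."""
    audit = LabelAudit(attrs=parse_label(label))
    attrs = audit.attrs
    if "token" not in attrs:
        audit.findings.append("no 'token' field: the HSM holding the key is not identified")
    if "object" not in attrs:
        audit.findings.append("no 'object' field: the key inside the HSM is not identified")
    source = attrs.get("pin-source")
    if source is not None:
        audit.findings.append(
            "pin-source set: signing tools reach the HSM without an operator "
            "entering a PIN, which reduces the protection the HSM provides")
        path = source[len("file:"):] if source.startswith("file:") else source
        if os.path.exists(path) and not mode_is_private(os.stat(path).st_mode):
            audit.findings.append(f"PIN file {path} is readable by group or other users")
    return audit


if __name__ == "__main__":
    # Constructed sample label; the token and object names are placeholders.
    sample = "pkcs11:token=hsm-slot-1;object=example-zsk;pin-source=/etc/bind/hsm.pin"
    report = audit_label(sample)
    print("unattended:", report.unattended)
    for line in report.findings:
        print(" -", line)
```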
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)),
 or OTHER (DNSKEY).
 These values are case insensitive.
 </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc.). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
 </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
 </p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keyfromlabel</strong></span>.
 </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to be written.
 </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Generate KEY records rather than DNSKEY records.
 </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
 </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
 </p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Generate a key as an explicit successor to an existing key.
 The name, algorithm, size, and type of the key will be set
 to match the predecessor. The activation date of the new
 key will be set to the inactivation date of the existing
 one. The publication date will be set to the activation
 date minus the prepublication interval, which defaults to
 30 days.
 </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
 </p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
 Allows DNSSEC key files to be generated even if the key ID
 would collide with that of an existing key, in the event of
 either key being revoked. (This is only safe to use if you
 are sure you won't be using RFC 5011 trust anchor maintenance
 with either of the keys involved.)
 </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2623320"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To explicitly prevent a date from being
 set, use 'none' or 'never'.
 </p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
 </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now".
 </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
 </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
 </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
 </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
 Sets the prepublication interval for a key. If set, then
 the publication and activation dates must be separated by at least
 this much time. If the activation date is specified but the
 publication date isn't, then the publication date will default
 to this much time before the activation date; conversely, if
 the publication date is specified but activation date isn't,
 then activation will be set to this much time after publication.
 </p>
<p>
 If the key is being created as an explicit successor to another
 key, then the default prepublication interval is 30 days;
 otherwise it is zero.
 </p>
<p>
 As with date offsets, if the argument is followed by one of
 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
 interval is measured in years, months, weeks, days, hours,
 or minutes, respectively. Without a suffix, the interval is
 measured in seconds.
 </p>
</dd>
</dl></div>
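<p>
 The following is an added example, not part of the manual page or of BIND: it implements the date/offset grammar above (absolute dates, signed offsets with the 'y', 'mo', 'w', 'd', 'h' and 'mi' suffixes, 'none'/'never') and derives a key's publication and activation dates from -P, -A, -i, -G and -S the way this section and the -S and -i entries describe, so the resulting timeline can be checked before a key is created. The fixed clock value NOW and the option dictionary layout are assumptions made for reproducibility.
</p>

```python
"""Interpret dnssec-keyfromlabel timing arguments the way the TIMING OPTIONS
section describes: absolute YYYYMMDD / YYYYMMDDHHMMSS dates, +/- offsets with
the y, mo, w, d, h and mi suffixes, 'none'/'never', the -i prepublication
interval, the -G and -S rules, and the publish/activate defaults.

Added example, not BIND's own code. NOW is a constructed clock value so that
results are reproducible; args is a dict keyed by option letter."""
from datetime import datetime, timedelta
from typing import Dict, Optional

NOW = datetime(2024, 1, 1, 0, 0, 0)   # constructed "present time"

# Suffix -> seconds, using the page's definitions: 365-day years, 30-day months.
_UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
          "d": 86400, "h": 3600, "mi": 60, "": 1}

Dates = Dict[str, Optional[datetime]]


def parse_interval(text: str) -> timedelta:
    """'30d', '2mo', '3600' ... -> timedelta. No suffix means seconds."""
    text = text.lower()
    digits = text.rstrip("abcdefghijklmnopqrstuvwxyz")
    suffix = text[len(digits):]
    if suffix not in _UNITS or not digits.isdigit():
        raise ValueError(f"bad interval {text!r}")
    return timedelta(seconds=int(digits) * _UNITS[suffix])


def parse_date(text: str, now: datetime) -> Optional[datetime]:
    """Absolute date, signed offset from now, or None for 'none'/'never'."""
    if text.lower() in ("none", "never"):
        return None
    if len(text) > 1 and text[0] in "+-":
        delta = parse_interval(text[1:])
        return now + delta if text[0] == "+" else now - delta
    if text.isdigit() and len(text) in (8, 14):
        return datetime.strptime(text, "%Y%m%d" if len(text) == 8 else "%Y%m%d%H%M%S")
    raise ValueError(f"bad date {text!r}")


def fmt(d: Optional[datetime]) -> str:
    """Render a date as YYYYMMDDHHMMSS, or 'none' when unset."""
    return "none" if d is None else d.strftime("%Y%m%d%H%M%S")


def key_timing(args: Dict[str, str], now: datetime,
               predecessor: Optional[Dates] = None) -> Dates:
    """Derive the P/A/R/I/D dates for a key from its command-line options.

    args maps option letters to their values ('G' present means -G was given);
    predecessor is the result for the key named with -S, if any."""
    if "G" in args and ("P" in args or "A" in args):
        raise ValueError("-G is incompatible with -P and -A")
    dates: Dates = {k: (parse_date(args[k], now) if k in args else None) for k in "PARID"}
    p_set, a_set = "P" in args, "A" in args
    if predecessor is not None:
        # -S: the successor activates when its predecessor is retired (-I).
        if predecessor["I"] is None:
            raise ValueError("predecessor has no inactivation date to succeed")
        dates["A"], a_set = predecessor["I"], True
    default_iv = timedelta(days=30) if predecessor is not None else timedelta(0)
    interval = parse_interval(args["i"]) if "i" in args else default_iv
    if "G" not in args and not (p_set or a_set):
        dates["A"], a_set = now, True          # default activation is "now"
    if a_set and not p_set and dates["A"] is not None:
        dates["P"] = dates["A"] - interval     # publish one interval earlier
    elif p_set and not a_set and dates["P"] is not None:
        dates["A"] = dates["P"] + interval     # activate one interval later
    elif "G" not in args:
        # The one date that was given is 'none'; the other still defaults.
        if not p_set:
            dates["P"] = now
        if not a_set:
            dates["A"] = now
    if "i" in args and dates["P"] is not None and dates["A"] is not None \
            and dates["A"] - dates["P"] < interval:
        raise ValueError("publication and activation are closer than -i allows")
    return dates


if __name__ == "__main__":
    # Constructed rollover: the old key retires in 150 days, the successor
    # activates then and is published 30 days earlier (the -S default).
    old = key_timing({"I": "+150d"}, NOW)
    new = key_timing({}, NOW, predecessor=old)
    for name, d in new.items():
        print(name, fmt(d))
```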
</div>
<div class="refsect1" lang="en">
<a name="id2675734"></a><h2>GENERATED KEY FILES</h2>
<p>
 When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key files it has generated.
 </p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
 </p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
 of the algorithm.
 </p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
 footprint).
 </p></li>
</ul></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 private key.
 </p>
<p>
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn The <code class="filename">.key</code> file contains a DNS KEY record
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn that
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn can be inserted into a zone file (directly or with a $INCLUDE
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn statement).
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn </p>
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn<p>
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn The <code class="filename">.private</code> file contains
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn algorithm-specific
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn fields. For obvious security reasons, this file does not have
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn general read permission.
a7c27357b33d726a326a11e1e72f68e1546b994aSerge Hallyn </p>
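An added example, not part of BIND or this page: a Python helper that splits the Knnnn.+aaa+iiiii identifier into its parts, recomputes the key identifier from the DNSKEY record in a .key file with the RFC 4034 Appendix B footprint algorithm so that a file name can be checked against its contents, and tests the permission bits a .private file must not carry. The file names and DNSKEY record it is applied to are constructed.

```python
import base64
import re
import stat

# File name pattern the page describes: Knnnn.+aaa+iiiii with an optional
# .key or .private extension.
_KEYFILE_RE = re.compile(
    r"^K(?P<name>.*)\.\+(?P<alg>\d{3})\+(?P<tag>\d{5})(?:\.(?P<ext>key|private))?$")

def parse_key_identifier(text):
    """Split 'Kexample.com.+013+01554[.key]' into name, algorithm and key id."""
    m = _KEYFILE_RE.match(text.rsplit("/", 1)[-1])
    if m is None:
        raise ValueError("not a dnssec key file name: %r" % text)
    return {"name": m.group("name"), "algorithm": int(m.group("alg")),
            "keyid": int(m.group("tag")), "ext": m.group("ext")}

def key_tag(rdata):
    """Key tag ("footprint") of DNSKEY RDATA bytes, per RFC 4034 Appendix B."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def key_tag_from_key_file(text):
    """Return (key tag, algorithm) from the DNSKEY record in .key file text."""
    for line in text.splitlines():
        tokens = line.split()
        # skip blank lines, ';' comments and anything that is not a DNSKEY RR
        if not tokens or tokens[0].startswith(";") or "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")            # TTL and class before it are optional
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        pubkey = base64.b64decode("".join(tokens[i + 4:]))  # base64 may span tokens
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
        return key_tag(rdata), alg
    raise ValueError("no DNSKEY record found")

def key_file_is_consistent(filename, key_file_text):
    """True if the .key contents match the algorithm and key id in its name."""
    ident = parse_key_identifier(filename)
    tag, alg = key_tag_from_key_file(key_file_text)
    return ident["algorithm"] == alg and ident["keyid"] == tag

def mode_allows_general_read(mode):
    """True if group or other read bits are set; a .private file must not have them."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))
```

For a real file, pass `os.stat(path).st_mode` to `mode_allows_general_read` and the file's text to `key_file_is_consistent`.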
</div>
<div class="refsect1" lang="en">
<a name="id2675964"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4034</em>,
<em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2676002"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>