man.dnssec-keyfromlabel.html revision aa444144ad14bdd909fe5b70e1f7730b46ec6072
a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington<!--
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - Copyright (C) 2000-2003 Internet Software Consortium.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster -
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - Permission to use, copy, modify, and/or distribute this software for any
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - purpose with or without fee is hereby granted, provided that the above
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - copyright notice and this permission notice appear in all copies.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster -
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster - PERFORMANCE OF THIS SOFTWARE.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster-->
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<!-- $Id$ -->
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<html>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<head>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<title>dnssec-keyfromlabel</title>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
a4544a5a0e622ef69e38641f87ab1b5685e05911Phill Cunnington</head>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="navheader">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<table width="100%" summary="Navigation header">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper<tr>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<td width="20%" align="left">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>&nbsp;</td>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<th width="60%" align="center">Manual pages</th>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</td>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</tr>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</table>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<hr>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper</div>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper<div class="refentry" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refnamediv">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<h2>Name</h2>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsynopsisdiv">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<h2>Synopsis</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2615589"></a><h2>DESCRIPTION</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster gets the keys with the given label from a crypto hardware device and builds
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster key files for DNSSEC (Secure DNS), as defined in RFC 2535
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster and RFC 4034.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster The <code class="option">name</code> of the key is specified on the command
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster line. This must match the name of the zone for which the key is
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster being generated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2615609"></a><h2>OPTIONS</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="variablelist"><dl>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Selects the cryptographic algorithm. The value of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper ECDSAP256SHA256 or ECDSAP384SHA384.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster These values are case insensitive.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster If no algorithm is specified, then RSASHA1 will be used by
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper default, unless the <code class="option">-3</code> option is specified,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster in which case NSEC3RSASHA1 will be used instead. (If
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <code class="option">-3</code> is used and an algorithm is specified,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster that algorithm will be checked for compatibility with NSEC3.)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
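8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster algorithm, and DSA is recommended. (This reflects the standards in force when this page was written; RFC 8624 has since deprecated RSAMD5 and DSA for DNSSEC and no longer recommends RSASHA1 for signing, so choose <code class="option">-a</code> explicitly rather than relying on the default.)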
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper Note 2: DH automatically sets the -k flag.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-3</span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Use an NSEC3-capable algorithm to generate a DNSSEC key.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster If this option is used and no algorithm is explicitly
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster set on the command line, NSEC3RSASHA1 will be used by
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster default.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Specifies the name of the crypto hardware (OpenSSL engine).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster When compiled with PKCS#11 support it defaults to "pkcs11".
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Specifies the label of the key pair in the crypto hardware.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster The label may be preceded by an optional OpenSSL engine name,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster separated by a colon, as in "pkcs11:keylabel".
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Specifies the owner type of the key. The value of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <code class="option">nametype</code> must either be ZONE (for a DNSSEC
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster a host (KEY)),
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster These values are case insensitive.
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-C</span></dt>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Compatibility mode: generates an old-style key, without
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster will include the key's creation date in the metadata stored
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster with the private key, and other dates may be set there as well
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper (publication date, activation date, etc). Keys that include
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster this data may be incompatible with older versions of BIND; the
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper <code class="option">-C</code> option suppresses them.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Indicates that the DNS record containing the key should have
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper the specified class. If not specified, class IN is used.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Set the specified flag in the flag field of the KEY/DNSKEY record.
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper The only recognized flags are KSK (Key Signing Key) and REVOKE.
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-G</span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Generate a key, but do not publish it or sign with it. This
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster option is incompatible with -P and -A.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-h</span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Prints a short summary of the options and arguments to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <span><strong class="command">dnssec-keyfromlabel</strong></span>.
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets the directory in which the key files are to be written.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-k</span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Generate KEY records rather than DNSKEY records.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets the default TTL to use for this key when it is converted
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster into a DNSKEY RR. If the key is imported into a zone,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster this is the TTL that will be used for it, unless there was
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper already a DNSKEY RRset in place, in which case the existing TTL
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster would take precedence. Setting the default TTL to
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <code class="literal">0</code> or <code class="literal">none</code> removes it.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets the protocol value for the key. The protocol
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper is a number between 0 and 255. The default is 3 (DNSSEC).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Other possible values for this argument are listed in
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster RFC 2535 and its successors.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Indicates the use of the key. <code class="option">type</code> must be
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster is AUTHCONF. AUTH refers to the ability to authenticate
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper data, and CONF the ability to encrypt data.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets the debugging level.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-y</span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Allows DNSSEC key files to be generated even if the key ID
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster would collide with that of an existing key, in the event of
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster either key being revoked. (This is only safe to use if you
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster are sure you won't be using RFC 5011 trust anchor maintenance
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster with either of the keys involved.)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</dl></div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2616551"></a><h2>TIMING OPTIONS</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster If the argument begins with a '+' or '-', it is interpreted as
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster an offset from the present time. For convenience, if such an offset
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper then the offset is computed in years (defined as 365 24-hour days,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster ignoring leap years), months (defined as 30 24-hour days), weeks,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster days, hours, or minutes, respectively. Without a suffix, the offset
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster is computed in seconds.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper<div class="variablelist"><dl>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets the date on which a key is to be published to the zone.
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper After that date, the key will be included in the zone but will
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster not be used to sign it. If not set, and if the -G option has
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster not been used, the default is "now".
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets the date on which the key is to be activated. After that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster date, the key will be included in the zone and used to sign
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper it. If not set, and if the -G option has not been used, the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster default is "now".
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets the date on which the key is to be revoked. After that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster date, the key will be flagged as revoked. It will be included
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster in the zone and will be used to sign it.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper Sets the date on which the key is to be retired. After that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster date, the key will still be included in the zone, but it
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper will not be used to sign it.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<dd><p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster Sets the date on which the key is to be deleted. After that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster date, the key will no longer be included in the zone. (It
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster may remain in the key repository, however.)
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></dd>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</dl></div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2616786"></a><h2>GENERATED KEY FILES</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster successfully,
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper to the standard output. This is an identification string for
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster the key files it has generated.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="itemizedlist"><ul type="disc">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<li><p><code class="filename">nnnn</code> is the key name.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></li>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<li><p><code class="filename">aaa</code> is the numeric representation
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster of the algorithm.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></li>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<li><p><code class="filename">iiiii</code> is the key identifier (or
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster footprint).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p></li>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</ul></div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster creates two files, with names based
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster contains the public key, and
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster private key.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper The <code class="filename">.key</code> file contains a DNS KEY record
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster that
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster can be inserted into a zone file (directly or with a $INCLUDE
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster statement).
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster The <code class="filename">.private</code> file contains
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster algorithm-specific
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster fields. Because it gives access to the private key, this file does not have
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper general read permission, and it should be kept readable only by its owner.
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2668080"></a><h2>SEE ALSO</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster <em class="citetitle">RFC 4034</em>.
7f51416a939bd30ed31da090c2232423128eae9bMark de Reeper </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="refsect1" lang="en">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a name="id2668113"></a><h2>AUTHOR</h2>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<p><span class="corpauthor">Internet Systems Consortium</span>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster </p>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<div class="navfooter">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<hr>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<table width="100%" summary="Navigation footer">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<tr>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<td width="40%" align="left">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<a accesskey="p" href="man.dnssec-dsfromkey.html">Prev</a>&nbsp;</td>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</td>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</tr>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<tr>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<td width="40%" align="left" valign="top">
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<span class="application">dnssec-dsfromkey</span>&nbsp;</td>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-keygen</span>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</td>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</tr>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</table>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</div>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</body>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster</html>
8af80418ba1ec431c8027fa9668e5678658d3611Allan Foster