man.dnssec-keyfromlabel.html revision bd9a66d553962387bf36ada994e3658fa16f5639
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!--
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein -
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein-->
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<!-- $Id$ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<html>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>dnssec-keyfromlabel</title>
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</head>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navheader">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation header">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<th width="60%" align="center">Manual pages</th>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refentry" lang="en">
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<div class="refnamediv">
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews<h2>Name</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsynopsisdiv">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<h2>Synopsis</h2>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2623664"></a><h2>DESCRIPTION</h2>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater generates a key pair of files that referencing a key object stored
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater in a cryptographic hardware service module (HSM). The private key
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater file can be used for DNSSEC signing of zone data as if it were a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater but the key material is stored within the HSM, and the actual signing
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater takes place there.
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater </p>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<p>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater The <code class="option">name</code> of the key is specified on the command
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater line. This must match the name of the zone for which the key is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein being generated.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews</div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="refsect1" lang="en">
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<a name="id2623689"></a><h2>OPTIONS</h2>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<div class="variablelist"><dl>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dd>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Selects the cryptographic algorithm. The value of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ECDSAP256SHA256 or ECDSAP384SHA384.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein These values are case insensitive.
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater </p>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If no algorithm is specified, then RSASHA1 will be used by
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater default, unless the <code class="option">-3</code> option is specified,
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater in which case NSEC3RSASHA1 will be used instead. (If
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">-3</code> is used and an algorithm is specified,
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater that algorithm will be checked for compatibility with NSEC3.)
3b2c6af63e0367c6eabe0a21ca23841ca87cd22fAutomatic Updater </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein algorithm, and DSA is recommended.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Note 2: DH automatically sets the -k flag.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dd>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<dt><span class="term">-3</span></dt>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Use an NSEC3-capable algorithm to generate a DNSSEC key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If this option is used and no algorithm is explicitly
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater set on the command line, NSEC3RSASHA1 will be used by
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater default.
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater </p></dd>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<dd>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the cryptographic hardware to use.
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater </p>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When BIND is built with OpenSSL PKCS#11 support, this defaults
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the string "pkcs11", which identifies an OpenSSL engine
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater that can drive a cryptographic accelerator or hardware service
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater module. When BIND is built with native PKCS#11 cryptography
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater (--enable-native-pkcs11), it defaults to the path of the PKCS#11
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein provider library specified via "--with-pkcs11".
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</dd>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the label for a key pair in the crypto hardware.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein PKCS#11 support, the label is an arbitrary string that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein identifies a particular key. It may be preceded by an
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews optional OpenSSL engine name, followed by a colon, as in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater support, the label is a PKCS#11 URI string in the format
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Keywords include "token", which identifies the HSM; "object", which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein identifies the key; and "pin-source", which identifies a file from
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater which the HSM's PIN code can be obtained. The label will be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein stored in the on-disk "private" file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If the label contains a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">pin-source</code> field, tools using the generated
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater key files will be able to use the HSM for signing and other
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater operations without any need for an operator to manually enter
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a PIN. Note: Making the HSM's PIN accessible in this manner
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater may reduce the security advantage of using an HSM; be sure
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater this is what you want to do before making use of this feature.
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater </p>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater</dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<dd><p>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater Specifies the owner type of the key. The value of
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater <code class="option">nametype</code> must either be ZONE (for a DNSSEC
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a host (KEY)),
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein These values are case insensitive.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-C</span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Compatibility mode: generates an old-style key, without
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater will include the key's creation date in the metadata stored
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater with the private key, and other dates may be set there as well
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater (publication date, activation date, etc). Keys that include
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater this data may be incompatible with older versions of BIND; the
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <code class="option">-C</code> option suppresses them.
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater </p></dd>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Indicates that the DNS record containing the key should have
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater the specified class. If not specified, class IN is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Set the specified flag in the flag field of the KEY/DNSKEY record.
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater The only recognized flags are KSK (Key Signing Key) and REVOKE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-G</span></dt>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate a key, but do not publish it or sign with it. This
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater option is incompatible with -P and -A.
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater </p></dd>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<dt><span class="term">-h</span></dt>
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Prints a short summary of the options and arguments to
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater <span><strong class="command">dnssec-keyfromlabel</strong></span>.
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the directory in which the key files are to be written.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<dt><span class="term">-k</span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater Generate KEY records rather than DNSKEY records.
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the default TTL to use for this key when it is converted
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein into a DNSKEY RR. If the key is imported into a zone,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this is the TTL that will be used for it, unless there was
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater already a DNSKEY RRset in place, in which case the existing TTL
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater would take precedence. Setting the default TTL to
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater <code class="literal">0</code> or <code class="literal">none</code> removes it.
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the protocol value for the key. The protocol
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater is a number between 0 and 255. The default is 3 (DNSSEC).
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Other possible values for this argument are listed in
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater RFC 2535 and its successors.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate a key as an explicit successor to an existing key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The name, algorithm, size, and type of the key will be set
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater to match the predecessor. The activation date of the new
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein key will be set to the inactivation date of the existing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein one. The publication date will be set to the activation
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews date minus the prepublication interval, which defaults to
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews 30 days.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Indicates the use of the key. <code class="option">type</code> must be
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is AUTHCONF. AUTH refers to the ability to authenticate
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews data, and CONF the ability to encrypt data.
922312472e2e05ebc64993d465999c5351b83036Automatic Updater </p></dd>
922312472e2e05ebc64993d465999c5351b83036Automatic Updater<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
922312472e2e05ebc64993d465999c5351b83036Automatic Updater<dd><p>
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater Sets the debugging level.
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater </p></dd>
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater<dt><span class="term">-V</span></dt>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<dd><p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Prints version information.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater<dt><span class="term">-y</span></dt>
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater<dd><p>
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater Allows DNSSEC key files to be generated even if the key ID
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater would collide with that of an existing key, in the event of
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater either key being revoked. (This is only safe to use if you
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater are sure you won't be using RFC 5011 trust anchor maintenance
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews with either of the keys involved.)
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</dl></div>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews</div>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="refsect1" lang="en">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="id2675767"></a><h2>TIMING OPTIONS</h2>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews If the argument begins with a '+' or '-', it is interpreted as
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews an offset from the present time. For convenience, if such an offset
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews then the offset is computed in years (defined as 365 24-hour days,
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater ignoring leap years), months (defined as 30 24-hour days), weeks,
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater days, hours, or minutes, respectively. Without a suffix, the offset
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater is computed in seconds. To explicitly prevent a date from being
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater set, use 'none' or 'never'.
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater </p>
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater<div class="variablelist"><dl>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Sets the date on which a key is to be published to the zone.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews After that date, the key will be included in the zone but will
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews not be used to sign it. If not set, and if the -G option has
9b469e3c59015b1a4899c9d8395168126fe094fdAutomatic Updater not been used, the default is "now".
9b469e3c59015b1a4899c9d8395168126fe094fdAutomatic Updater </p></dd>
9b469e3c59015b1a4899c9d8395168126fe094fdAutomatic Updater<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
9b469e3c59015b1a4899c9d8395168126fe094fdAutomatic Updater<dd><p>
9b469e3c59015b1a4899c9d8395168126fe094fdAutomatic Updater Sets the date on which the key is to be activated. After that
9b469e3c59015b1a4899c9d8395168126fe094fdAutomatic Updater date, the key will be included in the zone and used to sign
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater it. If not set, and if the -G option has not been used, the
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater default is "now".
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater </p></dd>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<dd><p>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater Sets the date on which the key is to be revoked. After that
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater date, the key will be flagged as revoked. It will be included
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater in the zone and will be used to sign it.
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater </p></dd>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the date on which the key is to be retired. After that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein date, the key will still be included in the zone, but it
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein will not be used to sign it.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd><p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the date on which the key is to be deleted. After that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein date, the key will no longer be included in the zone. (It
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein may remain in the key repository, however.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p></dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dd>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the prepublication interval for a key. If set, then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the publication and activation dates must be separated by at least
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this much time. If the activation date is specified but the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein publication date isn't, then the publication date will default
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to this much time before the activation date; conversely, if
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the publication date is specified but activation date isn't,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein then activation will be set to this much time after publication.
</p>
<p>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2675957"></a><h2>GENERATED KEY FILES</h2>
<p>
When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
successfully,
it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
to the standard output. This is an identification string for
the key files it has generated.
</p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
</p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
of the algorithm.
</p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
footprint).
</p></li>
</ul></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
creates two files, with names based
on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
contains the public key, and
<code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
private key.
</p>
<p>
The <code class="filename">.key</code> file contains a DNS KEY record
that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</p>
<p>
The <code class="filename">.private</code> file contains
algorithm-specific
fields. For obvious security reasons, this file does not have
general read permission.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2676119"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 4034</em>,
<em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2676156"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>�</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch13.html">Up</a></td>
<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-importkey</span>�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�<span class="application">dnssec-keygen</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
</body>
</html>