man.dnssec-keyfromlabel.html revision bd9a66d553962387bf36ada994e3658fa16f5639
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
ab8729140b1ad688ab03e1e9ce438fb1cbb49222Automatic Updater<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater generates a key pair of files that referencing a key object stored
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater in a cryptographic hardware service module (HSM). The private key
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater file can be used for DNSSEC signing of zone data as if it were a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater but the key material is stored within the HSM, and the actual signing
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater takes place there.
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater The <code class="option">name</code> of the key is specified on the command
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater line. This must match the name of the zone for which the key is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein being generated.
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Selects the cryptographic algorithm. The value of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ECDSAP256SHA256 or ECDSAP384SHA384.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein These values are case insensitive.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If no algorithm is specified, then RSASHA1 will be used by
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater default, unless the <code class="option">-3</code> option is specified,
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater in which case NSEC3RSASHA1 will be used instead. (If
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">-3</code> is used and an algorithm is specified,
1fdd2470b625a58b57d0b155e6caf8c4fc0afe8aAutomatic Updater that algorithm will be checked for compatibility with NSEC3.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein algorithm, and DSA is recommended.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Note 2: DH automatically sets the -k flag.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Use an NSEC3-capable algorithm to generate a DNSSEC key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If this option is used and no algorithm is explicitly
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater set on the command line, NSEC3RSASHA1 will be used by
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the cryptographic hardware to use.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When BIND is built with OpenSSL PKCS#11 support, this defaults
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to the string "pkcs11", which identifies an OpenSSL engine
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater that can drive a cryptographic accelerator or hardware service
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater module. When BIND is built with native PKCS#11 cryptography
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater (--enable-native-pkcs11), it defaults to the path of the PKCS#11
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein provider library specified via "--with-pkcs11".
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Specifies the label for a key pair in the crypto hardware.
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein PKCS#11 support, the label is an arbitrary string that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein identifies a particular key. It may be preceded by an
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews optional OpenSSL engine name, followed by a colon, as in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater support, the label is a PKCS#11 URI string in the format
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Keywords include "token", which identifies the HSM; "object", which
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein identifies the key; and "pin-source", which identifies a file from
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater which the HSM's PIN code can be obtained. The label will be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein stored in the on-disk "private" file.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If the label contains a
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="option">pin-source</code> field, tools using the generated
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater key files will be able to use the HSM for signing and other
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater operations without any need for an operator to manually enter
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a PIN. Note: Making the HSM's PIN accessible in this manner
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater may reduce the security advantage of using an HSM; be sure
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater this is what you want to do before making use of this feature.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater Specifies the owner type of the key. The value of
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater <code class="option">nametype</code> must either be ZONE (for a DNSSEC
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein a host (KEY)),
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein These values are case insensitive.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Compatibility mode: generates an old-style key, without
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater will include the key's creation date in the metadata stored
a1ad6695ed6f988406cf155aa26376f84f73bcb9Automatic Updater with the private key, and other dates may be set there as well
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater (publication date, activation date, etc). Keys that include
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater this data may be incompatible with older versions of BIND; the
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <code class="option">-C</code> option suppresses them.
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Indicates that the DNS record containing the key should have
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater the specified class. If not specified, class IN is used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Set the specified flag in the flag field of the KEY/DNSKEY record.
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater The only recognized flags are KSK (Key Signing Key) and REVOKE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate a key, but do not publish it or sign with it. This
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater option is incompatible with -P and -A.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Prints a short summary of the options and arguments to
507151045be68c671ffd4e2f37e17cdfa0376fc4Automatic Updater <span><strong class="command">dnssec-keyfromlabel</strong></span>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the directory in which the key files are to be written.
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater Generate KEY records rather than DNSKEY records.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the default TTL to use for this key when it is converted
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein into a DNSKEY RR. If the key is imported into a zone,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this is the TTL that will be used for it, unless there was
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater already a DNSKEY RRset in place, in which case the existing TTL
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater would take precedence. Setting the default TTL to
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater <code class="literal">0</code> or <code class="literal">none</code> removes it.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the protocol value for the key. The protocol
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater is a number between 0 and 255. The default is 3 (DNSSEC).
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Other possible values for this argument are listed in
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater RFC 2535 and its successors.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate a key as an explicit successor to an existing key.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein The name, algorithm, size, and type of the key will be set
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater to match the predecessor. The activation date of the new
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein key will be set to the inactivation date of the existing
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein one. The publication date will be set to the activation
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews date minus the prepublication interval, which defaults to
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Indicates the use of the key. <code class="option">type</code> must be
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is AUTHCONF. AUTH refers to the ability to authenticate
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews data, and CONF the ability to encrypt data.
922312472e2e05ebc64993d465999c5351b83036Automatic Updater<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
28b3569d6248168e6c00caab951521cc8141a49dAutomatic Updater Sets the debugging level.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Prints version information.
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater Allows DNSSEC key files to be generated even if the key ID
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater would collide with that of an existing key, in the event of
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater either key being revoked. (This is only safe to use if you
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater are sure you won't be using RFC 5011 trust anchor maintenance
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews with either of the keys involved.)
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews If the argument begins with a '+' or '-', it is interpreted as
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews an offset from the present time. For convenience, if such an offset
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews then the offset is computed in years (defined as 365 24-hour days,
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater ignoring leap years), months (defined as 30 24-hour days), weeks,
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater days, hours, or minutes, respectively. Without a suffix, the offset
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater is computed in seconds. To explicitly prevent a date from being
0c6ada0a814f3c5417daa1654129bc2af56ed504Automatic Updater set, use 'none' or 'never'.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Sets the date on which a key is to be published to the zone.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews After that date, the key will be included in the zone but will
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews not be used to sign it. If not set, and if the -G option has
9b469e3c59015b1a4899c9d8395168126fe094fdAutomatic Updater not been used, the default is "now".
9b469e3c59015b1a4899c9d8395168126fe094fdAutomatic Updater<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
9b469e3c59015b1a4899c9d8395168126fe094fdAutomatic Updater Sets the date on which the key is to be activated. After that
9b469e3c59015b1a4899c9d8395168126fe094fdAutomatic Updater date, the key will be included in the zone and used to sign
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater it. If not set, and if the -G option has not been used, the
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater default is "now".
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater Sets the date on which the key is to be revoked. After that
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater date, the key will be flagged as revoked. It will be included
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater in the zone and will be used to sign it.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the date on which the key is to be retired. After that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein date, the key will still be included in the zone, but it
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein will not be used to sign it.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the date on which the key is to be deleted. After that
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein date, the key will no longer be included in the zone. (It
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein may remain in the key repository, however.)
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Sets the prepublication interval for a key. If set, then
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the publication and activation dates must be separated by at least
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein this much time. If the activation date is specified but the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein publication date isn't, then the publication date will default
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to this much time before the activation date; conversely, if
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the publication date is specified but activation date isn't,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein then activation will be set to this much time after publication.