66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff<!--
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - Copyright (C) 2000-2003 Internet Software Consortium.
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff -
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - Permission to use, copy, modify, and/or distribute this software for any
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - purpose with or without fee is hereby granted, provided that the above
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - copyright notice and this permission notice appear in all copies.
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff -
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff - PERFORMANCE OF THIS SOFTWARE.
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff-->
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff<!-- $Id$ -->
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<html>
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<head>
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<title>dnssec-keyfromlabel</title>
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff</head>
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
e45d323a2a0f4ca08d4b139546e60a5fa7bd3f0cMichael Graff<div class="refentry" lang="en">
29f28fe573d4b3b318b3b026d567c1eb86738015Michael Graff<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
86944a4c8002e80ae9b6eb5a5e29b797879be45fMichael Graff<div class="refnamediv">
11efdeb076d65fa9f0c5fc067dc040e7c99dfba6Michael Graff<h2>Name</h2>
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
e51511aa3281f8dc384eb1283115c7f8d5c402aeMichael Graff</div>
e51511aa3281f8dc384eb1283115c7f8d5c402aeMichael Graff<div class="refsynopsisdiv">
11efdeb076d65fa9f0c5fc067dc040e7c99dfba6Michael Graff<h2>Synopsis</h2>
11efdeb076d65fa9f0c5fc067dc040e7c99dfba6Michael Graff<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
439c0011e642fb1d26011116144af698125262dbMichael Graff</div>
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<div class="refsect1" lang="en">
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<a name="id2623664"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 generates a pair of key files that reference a key object stored
 in a hardware security module (HSM). The private key
 file can be used for DNSSEC signing of zone data as if it were a
 conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
 but the key material never leaves the HSM: the on-disk "private"
 file holds only a reference (the label) to the HSM object, and the
 actual signing takes place inside the HSM.
 </p>
31fab17bcdbe302592a6c0dc5374ef56333ee879Michael Graff<p>
31fab17bcdbe302592a6c0dc5374ef56333ee879Michael Graff The <code class="option">name</code> of the key is specified on the command
31fab17bcdbe302592a6c0dc5374ef56333ee879Michael Graff line. This must match the name of the zone for which the key is
31fab17bcdbe302592a6c0dc5374ef56333ee879Michael Graff being generated.
31fab17bcdbe302592a6c0dc5374ef56333ee879Michael Graff </p>
31fab17bcdbe302592a6c0dc5374ef56333ee879Michael Graff</div>
31fab17bcdbe302592a6c0dc5374ef56333ee879Michael Graff<div class="refsect1" lang="en">
31fab17bcdbe302592a6c0dc5374ef56333ee879Michael Graff<a name="id2623689"></a><h2>OPTIONS</h2>
31fab17bcdbe302592a6c0dc5374ef56333ee879Michael Graff<div class="variablelist"><dl>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff<dd>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<p>
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff Selects the cryptographic algorithm. The value of
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
f00d96a15cdd11e764437f9359e67328631caaeaMichael Graff ECDSAP256SHA256 or ECDSAP384SHA384.
f00d96a15cdd11e764437f9359e67328631caaeaMichael Graff These values are case insensitive.
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff </p>
3ac63b472022ff92691d1fe69ac715a729671965Michael Graff<p>
3ac63b472022ff92691d1fe69ac715a729671965Michael Graff If no algorithm is specified, then RSASHA1 will be used by
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff default, unless the <code class="option">-3</code> option is specified,
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff in which case NSEC3RSASHA1 will be used instead. (If
213973a334f92d4aef4ef62b4538fc2e4d0e8082Michael Graff <code class="option">-3</code> is used and an algorithm is specified,
64828244e04e86dfa40f0a4f0c05f27923da499dMichael Graff that algorithm will be checked for compatibility with NSEC3.)
64828244e04e86dfa40f0a4f0c05f27923da499dMichael Graff </p>
<p>
 Note 1: when this manual was written, RSASHA1 was the
 mandatory-to-implement algorithm for DNSSEC and DSA was
 recommended. SHA-1- and DSA-based signing algorithms have since
 been deprecated for DNSSEC; where the HSM and your validators
 support them, prefer RSASHA256, RSASHA512, ECDSAP256SHA256 or
 ECDSAP384SHA384, and set the algorithm explicitly rather than
 relying on the RSASHA1 default.
 </p>
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<p>
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff Note 2: DH automatically sets the -k flag.
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff </p>
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff</dd>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dt><span class="term">-3</span></dt>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dd><p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Use an NSEC3-capable algorithm to generate a DNSSEC key.
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff If this option is used and no algorithm is explicitly
439c0011e642fb1d26011116144af698125262dbMichael Graff set on the command line, NSEC3RSASHA1 will be used by
11efdeb076d65fa9f0c5fc067dc040e7c99dfba6Michael Graff default.
3ac63b472022ff92691d1fe69ac715a729671965Michael Graff </p></dd>
11efdeb076d65fa9f0c5fc067dc040e7c99dfba6Michael Graff<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
3ac63b472022ff92691d1fe69ac715a729671965Michael Graff<dd>
3ac63b472022ff92691d1fe69ac715a729671965Michael Graff<p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Specifies the cryptographic hardware to use.
30251e07d1705d1a85b0e1d5a969496e1aed612eMichael Graff </p>
<p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware security
 module (HSM). When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 </p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff</dd>
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dd>
f181f94ec8da8b1dbcc6353e8be965ea4a5ea282Michael Graff<p>
f181f94ec8da8b1dbcc6353e8be965ea4a5ea282Michael Graff Specifies the label for a key pair in the crypto hardware.
213973a334f92d4aef4ef62b4538fc2e4d0e8082Michael Graff </p>
213973a334f92d4aef4ef62b4538fc2e4d0e8082Michael Graff<p>
213973a334f92d4aef4ef62b4538fc2e4d0e8082Michael Graff When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
213973a334f92d4aef4ef62b4538fc2e4d0e8082Michael Graff PKCS#11 support, the label is an arbitrary string that
213973a334f92d4aef4ef62b4538fc2e4d0e8082Michael Graff identifies a particular key. It may be preceded by an
30251e07d1705d1a85b0e1d5a969496e1aed612eMichael Graff optional OpenSSL engine name, followed by a colon, as in
30251e07d1705d1a85b0e1d5a969496e1aed612eMichael Graff "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
213973a334f92d4aef4ef62b4538fc2e4d0e8082Michael Graff </p>
213973a334f92d4aef4ef62b4538fc2e4d0e8082Michael Graff<p>
213973a334f92d4aef4ef62b4538fc2e4d0e8082Michael Graff When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
213973a334f92d4aef4ef62b4538fc2e4d0e8082Michael Graff support, the label is a PKCS#11 URI string in the format
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff Keywords include "token", which identifies the HSM; "object", which
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff identifies the key; and "pin-source", which identifies a file from
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff which the HSM's PIN code can be obtained. The label will be
1c3bc66ada38236cc81c41b7174a9f0a872c9ab6Michael Graff stored in the on-disk "private" file.
1c3bc66ada38236cc81c41b7174a9f0a872c9ab6Michael Graff </p>
<p>
 If the label contains a
 <code class="option">pin-source</code> field, tools using the generated
 key files will be able to use the HSM for signing and other
 operations without any need for an operator to manually enter
 a PIN. Note: making the HSM's PIN accessible in this manner
 reduces the security advantage of using an HSM, because anyone
 who can read the PIN file (and the "private" file that names it)
 can drive the HSM key. Restrict the permissions on both files to
 the signing user, and be sure that unattended signing is what you
 want before making use of this feature.
 </p>
1f90c108282533a23b8362c34bcde4267c1eb4b1Michael Graff</dd>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)), or
 OTHER (DNSKEY). These values are case insensitive.
 </p></dd>
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<dt><span class="term">-C</span></dt>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dd><p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Compatibility mode: generates an old-style key, without
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff will include the key's creation date in the metadata stored
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff with the private key, and other dates may be set there as well
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff (publication date, activation date, etc). Keys that include
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff this data may be incompatible with older versions of BIND; the
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff <code class="option">-C</code> option suppresses them.
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff </p></dd>
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
bb143613cf26e0f27dfd9caf1a7336065d064b26Michael Graff<dd><p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Indicates that the DNS record containing the key should have
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff the specified class. If not specified, class IN is used.
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff </p></dd>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dd><p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Set the specified flag in the flag field of the KEY/DNSKEY record.
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff The only recognized flags are KSK (Key Signing Key) and REVOKE.
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff </p></dd>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dt><span class="term">-G</span></dt>
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<dd><p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Generate a key, but do not publish it or sign with it. This
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff option is incompatible with -P and -A.
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff </p></dd>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dt><span class="term">-h</span></dt>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dd><p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Prints a short summary of the options and arguments to
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff <span><strong class="command">dnssec-keyfromlabel</strong></span>.
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff </p></dd>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dd><p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Sets the directory in which the key files are to be written.
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff </p></dd>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dt><span class="term">-k</span></dt>
439c0011e642fb1d26011116144af698125262dbMichael Graff<dd><p>
d8590892d10fc9528b0dde7e2781935e7b8d7a87Michael Graff Generate KEY records rather than DNSKEY records.
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff </p></dd>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dd><p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Sets the default TTL to use for this key when it is converted
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff into a DNSKEY RR. If the key is imported into a zone,
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff this is the TTL that will be used for it, unless there was
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff already a DNSKEY RRset in place, in which case the existing TTL
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff would take precedence. Setting the default TTL to
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff <code class="literal">0</code> or <code class="literal">none</code> removes it.
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff </p></dd>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff<dd><p>
439c0011e642fb1d26011116144af698125262dbMichael Graff Sets the protocol value for the key. The protocol
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff is a number between 0 and 255. The default is 3 (DNSSEC).
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Other possible values for this argument are listed in
f181f94ec8da8b1dbcc6353e8be965ea4a5ea282Michael Graff RFC 2535 and its successors.
f181f94ec8da8b1dbcc6353e8be965ea4a5ea282Michael Graff </p></dd>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff<dd><p>
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff Generate a key as an explicit successor to an existing key.
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff The name, algorithm, size, and type of the key will be set
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff to match the predecessor. The activation date of the new
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff key will be set to the inactivation date of the existing
66bd3b3c6b171271c705b897823dcdcf29464698Michael Graff one. The publication date will be set to the activation
11fcc67616fac1bc6a28b3d4fed24641137888e7Michael Graff date minus the prepublication interval, which defaults to
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff 30 days.
ad3a5c4b7e21af04d1b872f933c2e19e5c0a135bMichael Graff </p></dd>
d8590892d10fc9528b0dde7e2781935e7b8d7a87Michael Graff<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
439c0011e642fb1d26011116144af698125262dbMichael Graff<dd><p>
439c0011e642fb1d26011116144af698125262dbMichael Graff Indicates the use of the key. <code class="option">type</code> must be
439c0011e642fb1d26011116144af698125262dbMichael Graff one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
439c0011e642fb1d26011116144af698125262dbMichael Graff is AUTHCONF. AUTH refers to the ability to authenticate
f36a81c88493985ee2d1c53cc6fe88f4b00dbbc8Michael Graff data, and CONF the ability to encrypt data.
439c0011e642fb1d26011116144af698125262dbMichael Graff </p></dd>
439c0011e642fb1d26011116144af698125262dbMichael Graff<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
439c0011e642fb1d26011116144af698125262dbMichael Graff<dd><p>
439c0011e642fb1d26011116144af698125262dbMichael Graff Sets the debugging level.
439c0011e642fb1d26011116144af698125262dbMichael Graff </p></dd>
439c0011e642fb1d26011116144af698125262dbMichael Graff<dt><span class="term">-V</span></dt>
439c0011e642fb1d26011116144af698125262dbMichael Graff<dd><p>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff Prints version information.
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff </p></dd>
439c0011e642fb1d26011116144af698125262dbMichael Graff<dt><span class="term">-y</span></dt>
439c0011e642fb1d26011116144af698125262dbMichael Graff<dd><p>
439c0011e642fb1d26011116144af698125262dbMichael Graff Allows DNSSEC key files to be generated even if the key ID
439c0011e642fb1d26011116144af698125262dbMichael Graff would collide with that of an existing key, in the event of
439c0011e642fb1d26011116144af698125262dbMichael Graff either key being revoked. (This is only safe to use if you
1c3bc66ada38236cc81c41b7174a9f0a872c9ab6Michael Graff are sure you won't be using RFC 5011 trust anchor maintenance
439c0011e642fb1d26011116144af698125262dbMichael Graff with either of the keys involved.)
439c0011e642fb1d26011116144af698125262dbMichael Graff </p></dd>
86944a4c8002e80ae9b6eb5a5e29b797879be45fMichael Graff</dl></div>
1c3bc66ada38236cc81c41b7174a9f0a872c9ab6Michael Graff</div>
30251e07d1705d1a85b0e1d5a969496e1aed612eMichael Graff<div class="refsect1" lang="en">
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff<a name="id2675767"></a><h2>TIMING OPTIONS</h2>
30251e07d1705d1a85b0e1d5a969496e1aed612eMichael Graff<p>
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
439c0011e642fb1d26011116144af698125262dbMichael Graff If the argument begins with a '+' or '-', it is interpreted as
439c0011e642fb1d26011116144af698125262dbMichael Graff an offset from the present time. For convenience, if such an offset
439c0011e642fb1d26011116144af698125262dbMichael Graff is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
439c0011e642fb1d26011116144af698125262dbMichael Graff then the offset is computed in years (defined as 365 24-hour days,
d8590892d10fc9528b0dde7e2781935e7b8d7a87Michael Graff ignoring leap years), months (defined as 30 24-hour days), weeks,
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff days, hours, or minutes, respectively. Without a suffix, the offset
30251e07d1705d1a85b0e1d5a969496e1aed612eMichael Graff is computed in seconds. To explicitly prevent a date from being
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff set, use 'none' or 'never'.
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff </p>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<div class="variablelist"><dl>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<dd><p>
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff Sets the date on which a key is to be published to the zone.
3ac63b472022ff92691d1fe69ac715a729671965Michael Graff After that date, the key will be included in the zone but will
651228967966ba4fb2e52f92d1207c790af4b130Michael Graff not be used to sign it. If not set, and if the -G option has
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff not been used, the default is "now".
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff </p></dd>
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<dd><p>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff Sets the date on which the key is to be activated. After that
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff date, the key will be included in the zone and used to sign
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff it. If not set, and if the -G option has not been used, the
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff default is "now".
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff </p></dd>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<dd><p>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff Sets the date on which the key is to be revoked. After that
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff date, the key will be flagged as revoked. It will be included
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff in the zone and will be used to sign it.
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff </p></dd>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff<dd><p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff Sets the date on which the key is to be retired. After that
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff date, the key will still be included in the zone, but it
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff will not be used to sign it.
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p></dd>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<dd><p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff Sets the date on which the key is to be deleted. After that
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff date, the key will no longer be included in the zone. (It
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff may remain in the key repository, however.)
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p></dd>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<dd>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff Sets the prepublication interval for a key. If set, then
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff the publication and activation dates must be separated by at least
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff this much time. If the activation date is specified but the
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff publication date isn't, then the publication date will default
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff to this much time before the activation date; conversely, if
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff the publication date is specified but activation date isn't,
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff then activation will be set to this much time after publication.
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff </p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff If the key is being created as an explicit successor to another
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff key, then the default prepublication interval is 30 days;
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff otherwise it is zero.
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff As with date offsets, if the argument is followed by one of
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff interval is measured in years, months, weeks, days, hours,
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff or minutes, respectively. Without a suffix, the interval is
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff measured in seconds.
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff</dd>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff</dl></div>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff</div>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<div class="refsect1" lang="en">
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<a name="id2675957"></a><h2>GENERATED KEY FILES</h2>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff successfully,
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff to the standard output. This is an identification string for
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff the key files it has generated.
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff </p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<div class="itemizedlist"><ul type="disc">
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<li><p><code class="filename">nnnn</code> is the key name.
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p></li>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<li><p><code class="filename">aaa</code> is the numeric representation
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff of the algorithm.
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p></li>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<li><p><code class="filename">iiiii</code> is the key identifier (the
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff key tag of RFC 4034, also called the footprint).
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p></li>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff</ul></div>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff creates two files, with names based
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff contains the public key, and
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff private key.
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<p>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff The <code class="filename">.key</code> file contains a DNSKEY
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff resource record (RFC 4034) that
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff can be inserted into a zone file (directly or with a $INCLUDE
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff statement).
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff The <code class="filename">.private</code> file contains
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff algorithm-specific
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff fields. Because it must be readable only by the user that signs
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff the zone, it is created without general read permission. Do not
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff relax that mode or copy the file to a location where other users
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff can read it: even when the key material itself is expected to stay
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff inside the PKCS#11 token referenced by the label, the file should be
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff protected as if it held the private key.
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff</div>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<div class="refsect1" lang="en">
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<a name="id2676119"></a><h2>SEE ALSO</h2>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff <em class="citetitle">RFC 4034</em>,
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff </p>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff</div>
2bcb48cfcae36398454c98e40c563e2cde748e07Michael Graff<div class="refsect1" lang="en">
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff<a name="id2676156"></a><h2>AUTHOR</h2>
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff<p><span class="corpauthor">Internet Systems Consortium</span>
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff </p>
a253e35c2451818fb39f9b808c7641adb5275fb3Michael Graff</div>
ff9bb3fc5453bbf310b67c560fbf04a5c0fb60daMichael Graff</div>
7ec42e4be45c0486ce80461293f377fb4b904dc0Michael Graff<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
7ec42e4be45c0486ce80461293f377fb4b904dc0Michael Graff</body>
7ec42e4be45c0486ce80461293f377fb4b904dc0Michael Graff</html>
7ec42e4be45c0486ce80461293f377fb4b904dc0Michael Graff