b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<!--
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter - Copyright (C) 2000-2003 Internet Software Consortium.
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter -
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter - Permission to use, copy, modify, and/or distribute this software for any
fcd8093c58638dc7c4f9cddfc97f273b94ce2eadStef Walter - purpose with or without fee is hereby granted, provided that the above
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter - copyright notice and this permission notice appear in all copies.
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter -
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter - PERFORMANCE OF THIS SOFTWARE.
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter-->
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<!-- $Id$ -->
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<html>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<head>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<title>dnssec-keyfromlabel</title>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</head>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<div class="navheader">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<table width="100%" summary="Navigation header">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<tr>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</td>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</tr>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</table>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<hr>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter</div>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<div class="refentry" lang="en">
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<div class="refnamediv">
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<h2>Name</h2>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter</div>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<div class="refsynopsisdiv">
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<h2>Synopsis</h2>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">-y</code>] {name}</p></div>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter</div>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<div class="refsect1" lang="en">
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<a name="id2622684"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 generates a pair of key files that reference a key object stored
 in a cryptographic hardware security module (HSM). The private key
 file can be used for DNSSEC signing of zone data as if it were a
 conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
 but the key material is stored within the HSM, and the actual signing
 takes place there; the on-disk private key file contains a reference
 (the label) to the key object rather than the key material itself.
 </p>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter<p>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter The <code class="option">name</code> of the key is specified on the command
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter line. This must match the name of the zone for which the key is
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter being generated.
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter </p>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter</div>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter<div class="refsect1" lang="en">
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter<a name="id2622710"></a><h2>OPTIONS</h2>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter<div class="variablelist"><dl>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter<dd>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<p>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter Selects the cryptographic algorithm. The value of
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter ECDSAP256SHA256 or ECDSAP384SHA384.
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter These values are case insensitive.
fcd8093c58638dc7c4f9cddfc97f273b94ce2eadStef Walter </p>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter<p>
fcd8093c58638dc7c4f9cddfc97f273b94ce2eadStef Walter If no algorithm is specified, then RSASHA1 will be used by
fcd8093c58638dc7c4f9cddfc97f273b94ce2eadStef Walter default, unless the <code class="option">-3</code> option is specified,
fcd8093c58638dc7c4f9cddfc97f273b94ce2eadStef Walter in which case NSEC3RSASHA1 will be used instead. (If
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter <code class="option">-3</code> is used and an algorithm is specified,
fcd8093c58638dc7c4f9cddfc97f273b94ce2eadStef Walter that algorithm will be checked for compatibility with NSEC3.)
fcd8093c58638dc7c4f9cddfc97f273b94ce2eadStef Walter </p>
<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
 </p>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter<p>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter Note 2: DH automatically sets the -k flag.
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter </p>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter</dd>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<dt><span class="term">-3</span></dt>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<dd><p>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter Use an NSEC3-capable algorithm to generate a DNSSEC key.
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter If this option is used and no algorithm is explicitly
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter set on the command line, NSEC3RSASHA1 will be used by
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter default.
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter </p></dd>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<dd>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<p>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter Specifies the cryptographic hardware to use.
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter </p>
<p>
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware security
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
 </p>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter</dd>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<dd>
1319e71fd1680ca4864afe0b1aca2b8c8e4a1ee4Stef Walter<p>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter Specifies the label for a key pair in the crypto hardware.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek PKCS#11 support, the label is an arbitrary string that
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter identifies a particular key. It may be preceded by an
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter optional OpenSSL engine name, followed by a colon, as in
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter </p>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<p>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter support, the label is a PKCS#11 URI string in the format
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter Keywords include "token", which identifies the HSM; "object", which
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter identifies the key; and "pin-source", which identifies a file from
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter which the HSM's PIN code can be obtained. The label will be
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter stored in the on-disk "private" file.
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter </p>
<p>
 If the label contains a
 <code class="option">pin-source</code> field, tools using the generated
 key files will be able to use the HSM for signing and other
 operations without any need for an operator to manually enter
 a PIN. Note: Making the HSM's PIN accessible in this manner
 may reduce the security advantage of using an HSM, because access
 to the HSM is then protected only as well as the file holding the
 PIN; be sure this is what you want to do before making use of
 this feature.
 </p>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter</dd>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)), USER (for a key associated with a user (KEY)),
 or OTHER (DNSKEY).
 These values are case insensitive.
 </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-C</span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Compatibility mode: generates an old-style key, without
1203e462650f035b0df2304075d60b9a99e36715Stef Walter any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter will include the key's creation date in the metadata stored
1203e462650f035b0df2304075d60b9a99e36715Stef Walter with the private key, and other dates may be set there as well
1203e462650f035b0df2304075d60b9a99e36715Stef Walter (publication date, activation date, etc). Keys that include
1203e462650f035b0df2304075d60b9a99e36715Stef Walter this data may be incompatible with older versions of BIND; the
1203e462650f035b0df2304075d60b9a99e36715Stef Walter <code class="option">-C</code> option suppresses them.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Indicates that the DNS record containing the key should have
1203e462650f035b0df2304075d60b9a99e36715Stef Walter the specified class. If not specified, class IN is used.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Set the specified flag in the flag field of the KEY/DNSKEY record.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter The only recognized flags are KSK (Key Signing Key) and REVOKE.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-G</span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Generate a key, but do not publish it or sign with it. This
1203e462650f035b0df2304075d60b9a99e36715Stef Walter option is incompatible with -P and -A.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-h</span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Prints a short summary of the options and arguments to
1203e462650f035b0df2304075d60b9a99e36715Stef Walter <span><strong class="command">dnssec-keyfromlabel</strong></span>.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Sets the directory in which the key files are to be written.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-k</span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Generate KEY records rather than DNSKEY records.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Sets the default TTL to use for this key when it is converted
1203e462650f035b0df2304075d60b9a99e36715Stef Walter into a DNSKEY RR. If the key is imported into a zone,
1203e462650f035b0df2304075d60b9a99e36715Stef Walter this is the TTL that will be used for it, unless there was
1203e462650f035b0df2304075d60b9a99e36715Stef Walter already a DNSKEY RRset in place, in which case the existing TTL
1203e462650f035b0df2304075d60b9a99e36715Stef Walter would take precedence. Setting the default TTL to
1203e462650f035b0df2304075d60b9a99e36715Stef Walter <code class="literal">0</code> or <code class="literal">none</code> removes it.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Sets the protocol value for the key. The protocol
1203e462650f035b0df2304075d60b9a99e36715Stef Walter is a number between 0 and 255. The default is 3 (DNSSEC).
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Other possible values for this argument are listed in
1203e462650f035b0df2304075d60b9a99e36715Stef Walter RFC 2535 and its successors.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Generate a key as an explicit successor to an existing key.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter The name, algorithm, size, and type of the key will be set
1203e462650f035b0df2304075d60b9a99e36715Stef Walter to match the predecessor. The activation date of the new
1203e462650f035b0df2304075d60b9a99e36715Stef Walter key will be set to the inactivation date of the existing
1203e462650f035b0df2304075d60b9a99e36715Stef Walter one. The publication date will be set to the activation
1203e462650f035b0df2304075d60b9a99e36715Stef Walter date minus the prepublication interval, which defaults to
1203e462650f035b0df2304075d60b9a99e36715Stef Walter 30 days.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Indicates the use of the key. <code class="option">type</code> must be
1203e462650f035b0df2304075d60b9a99e36715Stef Walter one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
1203e462650f035b0df2304075d60b9a99e36715Stef Walter is AUTHCONF. AUTH refers to the ability to authenticate
1203e462650f035b0df2304075d60b9a99e36715Stef Walter data, and CONF the ability to encrypt data.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Sets the debugging level.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-V</span></dt>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dd><p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Prints version information.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter </p></dd>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<dt><span class="term">-y</span></dt>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter<dd><p>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter Allows DNSSEC key files to be generated even if the key ID
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter would collide with that of an existing key, in the event of
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter either key being revoked. (This is only safe to use if you
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter are sure you won't be using RFC 5011 trust anchor maintenance
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter with either of the keys involved.)
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter </p></dd>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter</dl></div>
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter</div>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<div class="refsect1" lang="en">
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<a name="id2673627"></a><h2>TIMING OPTIONS</h2>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter<p>
1203e462650f035b0df2304075d60b9a99e36715Stef Walter Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
1203e462650f035b0df2304075d60b9a99e36715Stef Walter If the argument begins with a '+' or '-', it is interpreted as
1203e462650f035b0df2304075d60b9a99e36715Stef Walter an offset from the present time. For convenience, if such an offset
1203e462650f035b0df2304075d60b9a99e36715Stef Walter is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter then the offset is computed in years (defined as 365 24-hour days,
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter ignoring leap years), months (defined as 30 24-hour days), weeks,
dff909d473f43a6bd0f0286fa2d279c0ebe945c6Stef Walter days, hours, or minutes, respectively. Without a suffix, the offset
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter is computed in seconds. To explicitly prevent a date from being
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter set, use 'none' or 'never'.
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter </p>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<div class="variablelist"><dl>
1319e71fd1680ca4864afe0b1aca2b8c8e4a1ee4Stef Walter<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
b699c4d7f85a5404be1d1ee9450331aea869b886Stef Walter<dd><p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek Sets the date on which a key is to be published to the zone.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek After that date, the key will be included in the zone but will
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek not be used to sign it. If not set, and if the -G option has
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek not been used, the default is "now".
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p></dd>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<dd><p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek Sets the date on which the key is to be activated. After that
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek date, the key will be included in the zone and used to sign
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek it. If not set, and if the -G option has not been used, the
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek default is "now".
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p></dd>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<dd><p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek Sets the date on which the key is to be revoked. After that
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek date, the key will be flagged as revoked. It will be included
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek in the zone and will be used to sign it.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p></dd>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<dd><p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek Sets the date on which the key is to be retired. After that
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek date, the key will still be included in the zone, but it
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek will not be used to sign it.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p></dd>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<dd><p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek Sets the date on which the key is to be deleted. After that
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek date, the key will no longer be included in the zone. (It
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek may remain in the key repository, however.)
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p></dd>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<dd>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek Sets the prepublication interval for a key. If set, then
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek the publication and activation dates must be separated by at least
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek this much time. If the activation date is specified but the
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek publication date isn't, then the publication date will default
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek to this much time before the activation date; conversely, if
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek the publication date is specified but activation date isn't,
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek then activation will be set to this much time after publication.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek If the key is being created as an explicit successor to another
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek key, then the default prepublication interval is 30 days;
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek otherwise it is zero.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek As with date offsets, if the argument is followed by one of
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek interval is measured in years, months, weeks, days, hours,
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek or minutes, respectively. Without a suffix, the interval is
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek measured in seconds.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</dd>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</dl></div>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</div>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<div class="refsect1" lang="en">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<a name="id2673885"></a><h2>GENERATED KEY FILES</h2>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek successfully,
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek to the standard output. This is an identification string for
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek the key files it has generated.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<div class="itemizedlist"><ul type="disc">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<li><p><code class="filename">nnnn</code> is the key name.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p></li>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<li><p><code class="filename">aaa</code> is the numeric representation
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek of the algorithm.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p></li>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<li><p><code class="filename">iiiii</code> is the key identifier (or
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek footprint).
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p></li>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</ul></div>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek creates two files, with names based
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek contains the public key, and
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek private key.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek The <code class="filename">.key</code> file contains a DNS KEY record
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek that
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek can be inserted into a zone file (directly or with a $INCLUDE
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek statement).
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek The <code class="filename">.private</code> file contains
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek algorithm-specific
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek fields. For obvious security reasons, this file is created without
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek general read permission.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</div>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<div class="refsect1" lang="en">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<a name="id2673979"></a><h2>SEE ALSO</h2>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek <em class="citetitle">RFC 4034</em>,
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek </p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</div>
58229439447d5617913a5a2e173b78105c694842Pavel Březina<div class="refsect1" lang="en">
58229439447d5617913a5a2e173b78105c694842Pavel Březina<a name="id2674017"></a><h2>AUTHOR</h2>
58229439447d5617913a5a2e173b78105c694842Pavel Březina<p><span class="corpauthor">Internet Systems Consortium</span>
58229439447d5617913a5a2e173b78105c694842Pavel Březina </p>
58229439447d5617913a5a2e173b78105c694842Pavel Březina</div>
58229439447d5617913a5a2e173b78105c694842Pavel Březina</div>
58229439447d5617913a5a2e173b78105c694842Pavel Březina<div class="navfooter">
58229439447d5617913a5a2e173b78105c694842Pavel Březina<hr>
58229439447d5617913a5a2e173b78105c694842Pavel Březina<table width="100%" summary="Navigation footer">
5de968e80ade1c02d1907834dcff95e9fc9ad10aJakub Hrozek<tr>
5de968e80ade1c02d1907834dcff95e9fc9ad10aJakub Hrozek<td width="40%" align="left">
5de968e80ade1c02d1907834dcff95e9fc9ad10aJakub Hrozek<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
5de968e80ade1c02d1907834dcff95e9fc9ad10aJakub Hrozek<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
5de968e80ade1c02d1907834dcff95e9fc9ad10aJakub Hrozek<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
5de968e80ade1c02d1907834dcff95e9fc9ad10aJakub Hrozek</td>
5de968e80ade1c02d1907834dcff95e9fc9ad10aJakub Hrozek</tr>
5de968e80ade1c02d1907834dcff95e9fc9ad10aJakub Hrozek<tr>
5de968e80ade1c02d1907834dcff95e9fc9ad10aJakub Hrozek<td width="40%" align="left" valign="top">
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<span class="application">dnssec-importkey</span>&nbsp;</td>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-keygen</span>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</td>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</tr>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</table>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</div>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek<p style="text-align: center;">BIND 9.11.0pre-alpha</p>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</body>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek</html>
90e04eae7e54ec892a6f239783df94dab5d1ed9aJakub Hrozek