man.dnssec-keyfromlabel.html revision ccc383f3a74bdf3559650c630bbca24b11d8f8ae
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: man.dnssec-keyfromlabel.html,v 1.27 2008/10/28 01:11:26 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-a <em class="replaceable"><code>algorithm</code></em>} {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-k</code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 gets keys with the given label from a crypto hardware device and builds
 key files for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5 (RSA),
 RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie-Hellman).
 These values are case-insensitive.
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended.
 Note 2: DH automatically sets the -k flag.
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
 Specifies the label of the keys in the crypto hardware
 (PKCS#11 device).
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are
 case-insensitive.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Sets the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flag is KSK (Key Signing Key) DNSKEY.
<dt><span class="term">-h</span></dt>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
<dt><span class="term">-k</span></dt>
 Generates KEY records rather than DNSKEY records.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
 When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key files it has generated.
<li><p><code class="filename">nnnn</code> is the key name.
<li><p><code class="filename">aaa</code> is the numeric representation
 of the algorithm.
<li><p><code class="filename">iiiii</code> is the key identifier (or
 footprint).
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
 The <code class="filename">.key</code> file contains a DNS KEY record
 that can be inserted into a zone file (directly or with a $INCLUDE
 statement).
 The <code class="filename">.private</code> file contains algorithm
 fields. For obvious security reasons, this file does not have
 general read permission.
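<p>An added example, not part of the BIND distribution: a Python check that parses the <code class="filename">Knnnn.+aaa+iiiii</code> string and audits the two files described above. The sample key name and the rule that any group or other permission bit on the <code class="filename">.private</code> file counts as a finding are assumptions made for this example.</p>

```python
import os
import re
import stat
import tempfile

# Knnnn.+aaa+iiiii: key name, 3-digit algorithm number, 5-digit key identifier.
KEY_ID_RE = re.compile(r"^K(?P<name>.*)\.\+(?P<alg>\d{3})\+(?P<keyid>\d{5})$")
# IANA DNSSEC algorithm numbers for the mnemonics accepted by -a.
ALGORITHMS = {1: "RSAMD5", 2: "DH", 3: "DSA", 5: "RSASHA1",
              6: "NSEC3DSA", 7: "NSEC3RSASHA1"}

def parse_key_id(key_id):
    """Split the identification string into name, algorithm and key id."""
    key_id = key_id.strip()
    m = KEY_ID_RE.match(key_id)
    if m is None or os.sep in key_id:
        raise ValueError(f"not a Knnnn.+aaa+iiiii string: {key_id!r}")
    alg = int(m["alg"])
    return {"name": m["name"] or ".", "algorithm": alg,
            "mnemonic": ALGORITHMS.get(alg, "UNKNOWN"), "key_id": int(m["keyid"])}

def audit_key_files(key_id, directory="."):
    """Return findings for the .key/.private pair named by key_id."""
    key_id = key_id.strip()
    parse_key_id(key_id)  # reject malformed input before touching the disk
    findings = []
    for suffix in (".key", ".private"):
        path = os.path.join(directory, key_id + suffix)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"{path}: missing")
            continue
        if suffix == ".private" and st.st_mode & 0o077:
            mode = stat.S_IMODE(st.st_mode)
            findings.append(f"{path}: mode {mode:04o} grants group/other access")
    return findings

def demo():
    """Audit a constructed key pair with a loose, then a tight, .private mode."""
    key_id = "Kexample.com.+005+12345"  # constructed sample value
    with tempfile.TemporaryDirectory() as d:
        for suffix in (".key", ".private"):
            open(os.path.join(d, key_id + suffix), "w").close()
        priv = os.path.join(d, key_id + ".private")
        os.chmod(priv, 0o644)
        loose = audit_key_files(key_id, d)
        os.chmod(priv, 0o600)
        return loose, audit_key_files(key_id, d)
```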
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>