man.dnssec-keyfromlabel.html revision db6353c9b89628e16f6e729ce57baabad3460c49
<!--
 - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keyfromlabel.html,v 1.118 2011/04/30 01:14:41 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-dsfromkey.html" title="dnssec-dsfromkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry" lang="en">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-keyfromlabel</span> &#8212; DNSSEC key generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2612824"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
      retrieves keys with the given label from crypto hardware and builds
      key files for DNSSEC (Secure DNS), as defined in RFC 2535
      and RFC 4034.
    </p>
<p>
      The <code class="option">name</code> of the key is specified on the command
      line. This must match the name of the zone for which the key is
      being generated.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2612844"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
            Selects the cryptographic algorithm. The value of
            <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
            DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST.
            These values are case insensitive.
          </p>
<p>
            If no algorithm is specified, then RSASHA1 will be used by
            default, unless the <code class="option">-3</code> option is specified,
            in which case NSEC3RSASHA1 will be used instead. (If
            <code class="option">-3</code> is used and an algorithm is specified,
            that algorithm will be checked for compatibility with NSEC3.)
          </p>
<p>
            Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
            algorithm, and DSA is recommended.
          </p>
<p>
            Note 2: DH automatically sets the -k flag.
          </p>
</dd>
<dt><span class="term">-3</span></dt>
<dd><p>
            Use an NSEC3-capable algorithm to generate a DNSSEC key.
            If this option is used and no algorithm is explicitly
            set on the command line, NSEC3RSASHA1 will be used by
            default.
          </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
            Specifies the name of the crypto hardware (OpenSSL engine).
            When compiled with PKCS#11 support it defaults to "pkcs11".
          </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd><p>
            Specifies the label of the key pair in the crypto hardware.
            The label may be preceded by an optional OpenSSL engine name,
            separated by a colon, as in "pkcs11:keylabel".
          </p></dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
            Specifies the owner type of the key. The value of
            <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
            zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
            a host (KEY)),
            USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
            These values are case insensitive.
          </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
            Compatibility mode: generates an old-style key, without
            any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
            will include the key's creation date in the metadata stored
            with the private key, and other dates may be set there as well
            (publication date, activation date, etc.). Keys that include
            this data may be incompatible with older versions of BIND; the
            <code class="option">-C</code> option suppresses them.
          </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
            Indicates that the DNS record containing the key should have
            the specified class. If not specified, class IN is used.
          </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
            Set the specified flag in the flag field of the KEY/DNSKEY record.
            The only recognized flags are KSK (Key Signing Key) and REVOKE.
          </p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
            Generate a key, but do not publish it or sign with it. This
            option is incompatible with -P and -A.
          </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
            Prints a short summary of the options and arguments to
            <span><strong class="command">dnssec-keyfromlabel</strong></span>.
          </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
            Sets the directory in which the key files are to be written.
          </p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
            Generate KEY records rather than DNSKEY records.
          </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
            Sets the default TTL to use for this key when it is converted
            into a DNSKEY RR. If the key is imported into a zone,
            this is the TTL that will be used for it, unless there was
            already a DNSKEY RRset in place, in which case the existing TTL
            would take precedence. Setting the default TTL to
            <code class="literal">0</code> or <code class="literal">none</code> removes it.
          </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
            Sets the protocol value for the key. The protocol
            is a number between 0 and 255. The default is 3 (DNSSEC).
            Other possible values for this argument are listed in
            RFC 2535 and its successors.
          </p></dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
            Indicates the use of the key. <code class="option">type</code> must be
            one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
            is AUTHCONF. AUTH refers to the ability to authenticate
            data, and CONF the ability to encrypt data.
          </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
            Sets the debugging level.
          </p></dd>
<dt><span class="term">-y</span></dt>
<dd><p>
            Allows DNSSEC key files to be generated even if the key ID
            would collide with that of an existing key, in the event of
            either key being revoked. (This is only safe to use if you
            are sure you won't be using RFC 5011 trust anchor maintenance
            with either of the keys involved.)
          </p></dd>
</dl></div>
</div>
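<p>
      Why <code class="option">-y</code> exists, as an added example (not code from BIND or from this manual): the key ID is the RFC 4034 Appendix B checksum over the DNSKEY RDATA, so setting the REVOKE flag bit (0x0080, RFC 5011) gives the same key a different ID, which can land on the ID of another key. The key labels and base64 public keys below are tiny constructed values, and comparing only keys of the same algorithm is an assumption of this example.
    </p>

```python
import base64
import struct

REVOKE = 0x0080  # REVOKE bit in the DNSKEY flags field (RFC 5011)


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags (2 bytes), protocol, algorithm, public key."""
    header = struct.pack("!HBB", flags, protocol, algorithm)
    return header + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key ID ("footprint") per RFC 4034 Appendix B.

    This checksum does not apply to algorithm 1 (RSAMD5), which derives
    its key ID differently.
    """
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte if i & 1 else byte << 8
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def tags_with_revoke(flags, protocol, algorithm, pubkey_b64):
    """Return (current key ID, key ID once the REVOKE bit is set)."""
    current = key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey_b64))
    revoked = key_tag(
        dnskey_rdata(flags | REVOKE, protocol, algorithm, pubkey_b64))
    return current, revoked


def revoke_collisions(existing, candidate):
    """Find existing keys that share an ID with the candidate, now or
    after either key is revoked.

    Keys are (label, flags, protocol, algorithm, pubkey_b64) tuples for
    one zone name. Returns a list of (existing label, shared IDs).
    """
    cand_ids = set(tags_with_revoke(*candidate[1:]))
    hits = []
    for key in existing:
        if key[3] != candidate[3]:  # different algorithm: no file clash
            continue
        shared = cand_ids & set(tags_with_revoke(*key[1:]))
        if shared:
            hits.append((key[0], sorted(shared)))
    return hits


# Constructed sample keys: KSK flags (257), protocol 3, algorithm 8.
EXISTING = [("ksk-old", 257, 3, 8, "ABA=")]
CANDIDATE = ("ksk-new", 257, 3, 8, "AJA=")

if __name__ == "__main__":
    for label, *fields in EXISTING + [CANDIDATE]:
        current, revoked = tags_with_revoke(*fields)
        print(f"{label}: id={current:05d} id-if-revoked={revoked:05d}")
    for label, shared in revoke_collisions(EXISTING, CANDIDATE):
        print(f"ksk-new clashes with {label} on key ID(s) {shared}")
```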
<div class="refsect1" lang="en">
<a name="id2615083"></a><h2>TIMING OPTIONS</h2>
<p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time. For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively. Without a suffix, the offset
      is computed in seconds.
    </p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which a key is to be published to the zone.
            After that date, the key will be included in the zone but will
            not be used to sign it. If not set, and if the -G option has
            not been used, the default is "now".
          </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be activated. After that
            date, the key will be included in the zone and used to sign
            it. If not set, and if the -G option has not been used, the
            default is "now".
          </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be revoked. After that
            date, the key will be flagged as revoked. It will be included
            in the zone and will be used to sign it.
          </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be retired. After that
            date, the key will still be included in the zone, but it
            will not be used to sign it.
          </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be deleted. After that
            date, the key will no longer be included in the zone. (It
            may remain in the key repository, however.)
          </p></dd>
</dl></div>
</div>
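<p>
      A pre-flight check for a planned key schedule, as an added example (not BIND's own parser): it resolves <code>date/offset</code> arguments by the rules above, applies the documented "now" defaults and the <code class="option">-G</code> restriction, and reports orderings that are probably mistakes. Treating absolute dates as UTC and the ordering warnings themselves are assumptions of this example, not behaviour documented on this page.
    </p>

```python
import re
from datetime import datetime, timedelta, timezone

DAY = 86400
# Suffix -> seconds, exactly as defined in TIMING OPTIONS above.
UNIT_SECONDS = {None: 1, "y": 365 * DAY, "mo": 30 * DAY, "w": 7 * DAY,
                "d": DAY, "h": 3600, "mi": 60}
OFFSET = re.compile(r"([+-])(\d+)(y|mo|w|d|h|mi)?")
TIMING_OPTS = ("P", "A", "R", "I", "D")


def parse_when(arg, now):
    """Resolve one date/offset argument to an aware datetime."""
    m = OFFSET.fullmatch(arg)
    if m:
        sign, count, unit = m.groups()
        delta = timedelta(seconds=int(count) * UNIT_SECONDS[unit])
        return now + delta if sign == "+" else now - delta
    for digits, fmt in ((8, "%Y%m%d"), (14, "%Y%m%d%H%M%S")):
        if len(arg) == digits and arg.isascii() and arg.isdigit():
            # Assumption: absolute dates are interpreted as UTC.
            return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
    raise ValueError(f"not a date or offset: {arg!r}")


def key_timeline(opts, now):
    """Map option letters to datetimes.

    opts maps "P", "A", "R", "I", "D" to date/offset strings and may set
    "G" to True. -P and -A default to "now" unless -G is used.
    """
    if opts.get("G") and ("P" in opts or "A" in opts):
        raise ValueError("-G is incompatible with -P and -A")
    times = {k: parse_when(v, now)
             for k, v in opts.items() if k in TIMING_OPTS}
    if not opts.get("G"):
        times.setdefault("P", now)
        times.setdefault("A", now)
    return times


def schedule_warnings(times):
    """Ordering checks added by this example (not performed by the page)."""
    checks = [("A", "P", "activated before it is published"),
              ("I", "A", "retired before it is activated"),
              ("D", "I", "deleted before it is retired"),
              ("D", "A", "deleted before it is activated")]
    return [msg for later, earlier, msg in checks
            if later in times and earlier in times
            and times[later] < times[earlier]]


if __name__ == "__main__":
    now = datetime.now(timezone.utc).replace(microsecond=0)
    # Constructed schedule: -P is pushed out a week but -A is forgotten,
    # so activation silently stays at "now".
    plan = {"P": "+1w", "I": "+1mo", "D": "+2mo"}
    times = key_timeline(plan, now)
    for opt in TIMING_OPTS:
        if opt in times:
            print(f"-{opt} {times[opt]:%Y%m%d%H%M%S}")
    for msg in schedule_warnings(times):
        print("warning: key is", msg)
```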
<div class="refsect1" lang="en">
<a name="id2615386"></a><h2>GENERATED KEY FILES</h2>
<p>
      When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
      successfully,
      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
      to the standard output. This is an identification string for
      the key files it has generated.
    </p>
<div class="itemizedlist"><ul type="disc">
<li><p><code class="filename">nnnn</code> is the key name.
        </p></li>
<li><p><code class="filename">aaa</code> is the numeric representation
          of the algorithm.
        </p></li>
<li><p><code class="filename">iiiii</code> is the key identifier (or
          footprint).
        </p></li>
</ul></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
      creates two files, with names based
      on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
      contains the public key, and
      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
      private key.
    </p>
<p>
      The <code class="filename">.key</code> file contains a DNS KEY record
      that
      can be inserted into a zone file (directly or with a $INCLUDE
      statement).
    </p>
<p>
      The <code class="filename">.private</code> file contains
      algorithm-specific
      fields. For obvious security reasons, this file does not have
      general read permission.
    </p>
</div>
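<p>
      An audit of a key directory against the naming and permission rules above, as an added example (not part of BIND): it parses <code class="filename">Knnnn.+aaa+iiiii</code> names, pairs each <code class="filename">.key</code> with its <code class="filename">.private</code> file, and flags private files that are readable beyond their owner. The file names and modes in the sample listing are constructed, and flagging group read as well as world read is a stricter reading chosen for this example.
    </p>

```python
import os
import re
import stat

# K<name>.+<3-digit algorithm>+<5-digit key ID>.<key|private>
KEYFILE = re.compile(
    r"K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})\.(?P<kind>key|private)")

# DNSSEC algorithm numbers for the mnemonics accepted by -a.
ALGORITHMS = {1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "NSEC3DSA",
              7: "NSEC3RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
              12: "ECCGOST"}


def parse_keyfile(filename):
    """Return (name, algorithm, key_id, kind) or None if not a key file."""
    m = KEYFILE.fullmatch(filename)
    if m is None:
        return None
    return m["name"], int(m["alg"]), int(m["id"]), m["kind"]


def audit_entries(entries):
    """Check (filename, st_mode) pairs; return a list of (subject, finding)."""
    seen = {}
    findings = []
    for filename, mode in entries:
        parsed = parse_keyfile(filename)
        if parsed is None:
            continue
        name, alg, key_id, kind = parsed
        seen.setdefault((name, alg, key_id), set()).add(kind)
        # Stricter than "no general read permission": group read counts too.
        if kind == "private" and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((filename,
                             "private key file readable by group or others "
                             "(mode %o)" % stat.S_IMODE(mode)))
    for (name, alg, key_id), kinds in sorted(seen.items()):
        base = "K%s.+%03d+%05d" % (name, alg, key_id)
        for missing in sorted({"key", "private"} - kinds):
            findings.append((base, "no matching .%s file" % missing))
    return findings


def audit_directory(path):
    """Run audit_entries over the regular files in a key directory (-K)."""
    return audit_entries((entry.name, entry.stat().st_mode)
                         for entry in os.scandir(path) if entry.is_file())


# Constructed directory listing used for the demonstration.
SAMPLE = [
    ("Kexample.com.+005+12345.key", 0o100644),
    ("Kexample.com.+005+12345.private", 0o100600),
    ("Kexample.com.+008+01049.key", 0o100644),
    ("Kexample.com.+008+01049.private", 0o100640),
    ("Kexample.com.+008+01177.key", 0o100644),
    ("named.conf", 0o100644),
]

if __name__ == "__main__":
    for filename, _mode in SAMPLE:
        parsed = parse_keyfile(filename)
        if parsed and parsed[3] == "key":
            name, alg, key_id, _kind = parsed
            print(f"{name} alg={ALGORITHMS.get(alg, alg)} id={key_id}")
    for subject, finding in audit_entries(SAMPLE):
        print(f"{subject}: {finding}")
```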
<div class="refsect1" lang="en">
<a name="id2615480"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4034</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2666508"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div>
</body>
</html>