man.dnssec-keyfromlabel.html revision f39512a917cdd06c611d366603374f6ef570c80e
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keyfromlabel</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-y</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 generates a pair of key files that reference a key object stored
 in a hardware security module (HSM). The private key
 file can be used for DNSSEC signing of zone data as if it were a
 conventional signing key created by <span><strong class="command">dnssec-keygen</strong></span>,
 but the private key material is stored within the HSM, and the actual signing
 takes place there; the file on disk only identifies the key.
 The <code class="option">name</code> of the key is specified on the command
 line. This must match the name of the zone for which the key is
 being generated.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Selects the cryptographic algorithm. The value of
 <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
 ECDSAP256SHA256 or ECDSAP384SHA384.
 These values are case insensitive.
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
 Note 1: for DNSSEC as specified in RFC 4034, RSASHA1 is a
 mandatory-to-implement algorithm, and DSA is recommended.
 Later guidance (RFC 8624) has since moved RSAMD5 and DSA to
 "must not" for signing; RSASHA256 or ECDSAP256SHA256 are the
 usual choices for new keys.
 Note 2: DH automatically sets the -k flag.
<dt><span class="term">-3</span></dt>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 Specifies the cryptographic hardware to use.
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware security
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
 Specifies the label for a key pair in the crypto hardware.
 When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
 PKCS#11 support, the label is an arbitrary string that
 identifies a particular key. It may be preceded by an
 optional OpenSSL engine name, followed by a colon, as in
 "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
 When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
 support, the label is a PKCS#11 URI string in the format
 "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]"
 Keywords include "token", which identifies the HSM; "object", which
 identifies the key; and "pin-source", which identifies a file from
 which the HSM's PIN code can be obtained. The label will be
 stored in the on-disk "private" file.
 If the label contains a
 <code class="option">pin-source</code> field, tools using the generated
 key files will be able to use the HSM for signing and other
 operations without any need for an operator to manually enter
 a PIN. Note: Making the HSM's PIN accessible in this manner
 may reduce the security advantage of using an HSM: anyone who
 can read the "private" file and the PIN file, and can reach the
 token, can sign with the key. Be sure this is what you want to
 do before making use of this feature, and keep both files
 unreadable to other users.
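<p>The following is an added example, not code from BIND or this manual page: it classifies the two label forms described above (OpenSSL engine-prefixed label versus native PKCS#11 URI) and reports what a <code class="option">pin-source</code> exposes. Percent-decoding of URI components per RFC 7512 and the optional "file:" prefix on the pin-source value are assumptions; the page only says pin-source names a file. The temporary PIN file and its contents are constructed for the demonstration.</p>

```python
"""Added example, not BIND's own code: interpret the two forms of -l label
and report what a pin-source exposes.

Assumptions (not stated on the page): percent-decoding of URI components
follows RFC 7512, and a pin-source value may carry a "file:" prefix."""
import os
import stat
import tempfile
from urllib.parse import unquote


def parse_label(label: str) -> dict:
    """Classify a -l label.

    Native PKCS#11 build:  pkcs11:token=T;object=K;pin-source=P
    OpenSSL engine build:  [engine:]keylabel, e.g. pkcs11:zsk-2014 or zsk-2014

    Both can start with "pkcs11:", so the URI form is recognised by the
    presence of keyword=value pairs after the scheme.
    """
    scheme, sep, rest = label.partition(":")
    if sep and scheme == "pkcs11" and "=" in rest:
        attrs = {}
        for component in rest.split(";"):
            if not component:
                continue
            key, eq, value = component.partition("=")
            if not eq:
                raise ValueError(f"malformed PKCS#11 URI component {component!r}")
            attrs[unquote(key)] = unquote(value)
        if "object" not in attrs:
            raise ValueError("PKCS#11 URI label does not name a key ('object')")
        return {"form": "uri", "engine": None, "attrs": attrs}
    if sep:
        return {"form": "engine", "engine": scheme, "attrs": {"object": rest}}
    return {"form": "engine", "engine": None, "attrs": {"object": label}}


def pin_source_findings(parsed: dict) -> list:
    """Reasons the HSM PIN is recoverable by whoever can read the key files."""
    source = parsed["attrs"].get("pin-source")
    if source is None:
        return []
    findings = ["pin-source is stored in the .private file: anyone who can read "
                "it and reach the token can sign without entering a PIN"]
    # Assumption: the value is a path, optionally prefixed with "file:".
    path = source[len("file:"):] if source.startswith("file:") else source
    try:
        st = os.stat(path)
    except OSError:
        findings.append(f"pin file {path!r} is not readable from here")
        return findings
    if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"pin file {path!r} is readable by group or others")
    return findings


def demo_world_readable_pin() -> list:
    """Constructed scenario: a mode-0644 PIN file referenced from the label."""
    with tempfile.NamedTemporaryFile("w", delete=False) as fh:
        fh.write("1234\n")  # constructed PIN for the demo, not a real one
        pin_path = fh.name
    os.chmod(pin_path, 0o644)
    try:
        label = f"pkcs11:token=softhsm;object=example.com-ksk;pin-source=file:{pin_path}"
        return pin_source_findings(parse_label(label))
    finally:
        os.unlink(pin_path)


if __name__ == "__main__":
    for finding in demo_world_readable_pin():
        print(finding)
```

<p>The permission check is the practical complement to the note above: a pin-source only preserves the HSM's value if the PIN file is readable solely by the signing user, and the generated "private" file must be protected the same way because it names that file.</p>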
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must be either ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive.
<dt><span class="term">-C</span></dt>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keyfromlabel</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
<dt><span class="term">-G</span></dt>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keyfromlabel</strong></span>.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which the key files are to be written.
<dt><span class="term">-k</span></dt>
 Generate KEY records rather than DNSKEY records.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 takes precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
 Sets the protocol value for the key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
 Generate a key as an explicit successor to an existing key.
 The name, algorithm, size, and type of the key will be set
 to match the predecessor. The activation date of the new
 key will be set to the inactivation date of the existing
 one. The publication date will be set to the activation
 date minus the prepublication interval, which defaults to
 30 days.
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
<dt><span class="term">-y</span></dt>
 Allows DNSSEC key files to be generated even if the key ID
 would collide with that of an existing key, in the event of
 either key being revoked. (This is only safe to use if you
 are sure you won't be using RFC 5011 trust anchor maintenance
 with either of the keys involved.)
<a name="id2671813"></a><h2>TIMING OPTIONS</h2>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To explicitly prevent a date from being
 set, use 'none' or 'never'.
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now".
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 Sets the prepublication interval for a key. If set, then
 the publication and activation dates must be separated by at least
 this much time. If the activation date is specified but the
 publication date isn't, then the publication date will default
 to this much time before the activation date; conversely, if
 the publication date is specified but activation date isn't,
 then activation will be set to this much time after publication.
 If the key is being created as an explicit successor to another
 key, then the default prepublication interval is 30 days;
 otherwise it is zero.
 As with date offsets, if the argument is followed by one of
 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
 interval is measured in years, months, weeks, days, hours,
 or minutes, respectively. Without a suffix, the interval is
 measured in seconds.
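<p>The following is an added example, not code from BIND or this manual page: it implements the date/offset grammar from the start of this section and the rules that <code class="option">-i</code>, <code class="option">-S</code> and <code class="option">-G</code> impose on the publication and activation dates, so the interaction between the options can be checked before a key is generated. Year and month lengths are the page's definitions (365 and 30 days). One assumption is not stated on the page: when <code class="option">-i</code> is given but neither <code class="option">-P</code> nor <code class="option">-A</code>, both dates fall back to "now" as the <code class="option">-P</code>/<code class="option">-A</code> descriptions say for the no-option case. The dates used are constructed.</p>

```python
"""Added example, not BIND's own code: the date/offset grammar from TIMING
OPTIONS and the rules -i, -S and -G impose on publication and activation.
Assumption not stated on the page: with -i but neither -P nor -A given,
both dates default to "now"."""
import re
from datetime import datetime, timedelta, timezone

# Suffix meanings as defined on the page: 365-day years, 30-day months.
SUFFIX_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                  "d": 86400, "h": 3600, "mi": 60, "": 1}
_OFFSET = re.compile(r"([+-])(\d+)(y|mo|w|d|h|mi)?")
_INTERVAL = re.compile(r"(\d+)(y|mo|w|d|h|mi)?")
SUCCESSOR_PREPUB = timedelta(days=30)   # -S default; otherwise zero


def utc(year, month, day, hour=0, minute=0, second=0) -> datetime:
    """Helper so callers can build comparison values without importing datetime."""
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def parse_interval(text: str) -> timedelta:
    """-i argument: unsigned count with optional suffix, seconds by default."""
    m = _INTERVAL.fullmatch(text)
    if not m:
        raise ValueError(f"bad interval {text!r}")
    return timedelta(seconds=int(m.group(1)) * SUFFIX_SECONDS[m.group(2) or ""])


def parse_date(text: str, now: datetime):
    """-P/-A/-R/-I/-D argument: YYYYMMDD, YYYYMMDDHHMMSS, +/-offset, none/never.
    Returns None for none/never (the date is explicitly left unset)."""
    if text.lower() in ("none", "never"):
        return None
    m = _OFFSET.fullmatch(text)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        seconds = int(m.group(2)) * SUFFIX_SECONDS[m.group(3) or ""]
        return now + sign * timedelta(seconds=seconds)
    for fmt in ("%Y%m%d%H%M%S", "%Y%m%d"):
        try:
            return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised date/offset {text!r}")


def resolve_timing(now, publish=None, activate=None, interval=None,
                   predecessor_inactive=None, genonly=False):
    """Return (publish, activate) as datetimes, or (None, None) under -G.

    publish/activate are the -P/-A strings (or None when not given),
    interval the parsed -i value, predecessor_inactive the -S key's
    inactivation date, genonly the -G flag."""
    if genonly:
        if publish or activate:
            raise ValueError("-G is incompatible with -P and -A")
        return None, None
    if interval is None:
        interval = SUCCESSOR_PREPUB if predecessor_inactive else timedelta(0)
    pub = parse_date(publish, now) if publish else None
    act = parse_date(activate, now) if activate else None
    pub_unset = publish is not None and pub is None   # explicit none/never
    act_unset = activate is not None and act is None
    if predecessor_inactive is not None:
        act, act_unset = predecessor_inactive, False  # -S: activate when old key retires
    if pub is None and act is None:
        if not (pub_unset or act_unset):
            pub = act = now
    elif pub is None:
        if not pub_unset:
            pub = act - interval       # pre-publish ahead of activation
    elif act is None:
        if not act_unset:
            act = pub + interval
    elif act - pub < interval:
        raise ValueError("publication and activation are closer than the prepublication interval")
    return pub, act


if __name__ == "__main__":
    now = utc(2014, 6, 1)
    print(resolve_timing(now, activate="+30d", interval=parse_interval("1w")))
    print(resolve_timing(now, predecessor_inactive=utc(2014, 9, 1)))
```

<p>The successor case reproduces the <code class="option">-S</code> description: activation copies the predecessor's inactivation date, and publication lands the default 30 days earlier. Passing both <code class="option">-P</code> and <code class="option">-A</code> closer together than the interval is rejected, which is the check a rollover script should run before calling the tool.</p>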
<a name="id2672003"></a><h2>GENERATED KEY FILES</h2>
 When <span><strong class="command">dnssec-keyfromlabel</strong></span> completes
 successfully,
 it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
 to the standard output. This is an identification string for
 the key files it has generated.
<li><p><code class="filename">nnnn</code> is the key name.
<li><p><code class="filename">aaa</code> is the numeric representation
 of the algorithm.
<li><p><code class="filename">iiiii</code> is the key identifier (or
<p><span><strong class="command">dnssec-keyfromlabel</strong></span>
 creates two files, with names based
 on the printed string. <code class="filename">Knnnn.+aaa+iiiii.key</code>
 contains the public key, and
 <code class="filename">Knnnn.+aaa+iiiii.private</code> is the private key
 file; for an HSM-backed key it holds the label that references the
 key object rather than the key material itself.
 The <code class="filename">.key</code> file contains a DNSKEY record (or a
 KEY record when -k is used) that
 can be inserted into a zone file (directly or with <code class="literal">$INCLUDE</code>).
 The <code class="filename">.private</code> file contains
 algorithm-specific
 fields. For obvious security reasons, this file does not have
 general read permission; with a pin-source in the label it also
 reveals where the HSM's PIN is kept, so keep it that way.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13)</em>.
<p><span class="corpauthor">Internet Systems Consortium</span>
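<p>The following is an added example, not code from BIND or this manual page: it decodes the <code class="filename">Knnnn.+aaa+iiiii</code> identifier described above and computes the key tag that fills the <code class="filename">iiiii</code> field (RFC 4034, Appendix B). It also shows why the <code class="option">-y</code> option exists: the REVOKE bit (0x0080, RFC 5011) sits in the flags word the tag is computed over, so revoking a key changes its tag and can make it collide with another key's. Algorithm numbers are the IANA registry values for the mnemonics listed under <code class="option">-a</code>; the DNSKEY RDATA used is constructed, not a real key, with "public keys" chosen so that the collision appears.</p>

```python
"""Added example, not BIND's own code: decode Knnnn.+aaa+iiiii, compute the
RFC 4034 Appendix B key tag, and show the revoked-key tag collision that
-y lets you override. Toy DNSKEY RDATA below is constructed, not real."""
import re

ALGORITHM_NUMBERS = {
    "RSAMD5": 1, "DH": 2, "DSA": 3, "RSASHA1": 5, "NSEC3DSA": 6,
    "NSEC3RSASHA1": 7, "RSASHA256": 8, "RSASHA512": 10, "ECCGOST": 12,
    "ECDSAP256SHA256": 13, "ECDSAP384SHA384": 14,
}
ALGORITHM_NAMES = {number: name for name, number in ALGORITHM_NUMBERS.items()}
REVOKE = 0x0080   # DNSKEY flags bit defined by RFC 5011
_KEY_ID = re.compile(r"K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<id>\d{5})(?P<ext>\.key|\.private)?")


def parse_key_id(text: str) -> dict:
    """Split 'Kexample.com.+008+02063[.key|.private]' into its parts.
    The zone name's trailing dot is the separator before '+aaa'."""
    m = _KEY_ID.fullmatch(text)
    if not m:
        raise ValueError(f"not a BIND key identifier: {text!r}")
    alg = int(m.group("alg"))
    return {"name": m.group("name"), "algorithm": alg,
            "mnemonic": ALGORITHM_NAMES.get(alg, f"alg{alg}"),
            "keyid": int(m.group("id")), "ext": m.group("ext")}


def dnskey_rdata(flags: int, algorithm: int, pubkey: bytes, protocol: int = 3) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: sum of big-endian 16-bit words, carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def revoked(rdata: bytes) -> bytes:
    """The same key with the REVOKE flag set, as it is published after -R."""
    flags = int.from_bytes(rdata[:2], "big") | REVOKE
    return flags.to_bytes(2, "big") + rdata[2:]


def key_file_id(name: str, rdata: bytes) -> str:
    """Build the Knnnn.+aaa+iiiii string BIND prints for this key."""
    return f"K{name.rstrip('.')}.+{rdata[3]:03d}+{key_tag(rdata):05d}"


def id_collisions(new_rdata: bytes, existing: list) -> list:
    """Existing keys whose tag clashes now or after either key is revoked.
    This is the check that -y tells dnssec-keyfromlabel to skip."""
    new_tags = {key_tag(new_rdata), key_tag(revoked(new_rdata))}
    return [rd for rd in existing
            if new_tags & {key_tag(rd), key_tag(revoked(rd))}]


# Constructed toy keys (4-byte "public keys"): the second key's tag equals
# the first key's tag once the first key is revoked.
TOY_KSK = dnskey_rdata(257, ALGORITHM_NUMBERS["RSASHA256"], b"\x01\x02\x03\x04")
TOY_OTHER = dnskey_rdata(257, ALGORITHM_NUMBERS["RSASHA256"], b"\x01\x02\x03\x84")

if __name__ == "__main__":
    print(key_file_id("example.com.", TOY_KSK))
    print("tags now:", key_tag(TOY_KSK), key_tag(TOY_OTHER))
    print("KSK tag after revocation:", key_tag(revoked(TOY_KSK)))
    print("collision -y would override:", id_collisions(TOY_KSK, [TOY_OTHER]) == [TOY_OTHER])
```

<p>The two toy keys have different tags while both are live, yet <code class="literal">id_collisions</code> reports them because the first key's tag after revocation equals the second key's current tag. That is exactly the situation the <code class="option">-y</code> note warns about: an RFC 5011 validator identifies a revoked trust anchor by its (changed) key tag, so two keys that share a tag across revocation are ambiguous to it.</p>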
<table width="100%" summary="Navigation footer">
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a>&nbsp;</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="man.dnssec-keygen.html">Next</a>
<span class="application">dnssec-importkey</span>&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;<span class="application">dnssec-keygen</span>