man.dnssec-keygen.html revision d893c6248414d34d434a63216eaa5bd1fbec4ca4
<!--
 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-keygen.html,v 1.169 2010/12/09 01:14:10 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-e</code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
<p><span><strong class="command">dnssec-keygen</strong></span>
 generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
 and RFC 4034. It can also generate keys for use with
 TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
 (Transaction Key) as defined in RFC 2930.</p>
<p>The <code class="option">name</code> of the key is specified on the command
 line. For DNSSEC keys, this must match the name of the zone for
 which the key is being generated.</p>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
 Selects the cryptographic algorithm. For DNSSEC keys, the value
 of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
 For TSIG/TKEY, the value must
 be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
 HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
 case insensitive.
</p>
<p>
 If no algorithm is specified, then RSASHA1 will be used by
 default, unless the <code class="option">-3</code> option is specified,
 in which case NSEC3RSASHA1 will be used instead. (If
 <code class="option">-3</code> is used and an algorithm is specified,
 that algorithm will be checked for compatibility with NSEC3.)
</p>
<p>
 Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
 algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
</p>
<p>
 Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
 automatically set the -T KEY option.
</p>
</dd>
<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
<dd>
<p>
 Specifies the number of bits in the key. The choice of key
 size depends on the algorithm used. RSA keys must be
 between 512 and 2048 bits. Diffie Hellman keys must be between
 128 and 4096 bits. DSA keys must be between 512 and 1024
 bits and an exact multiple of 64. HMAC keys must be
 between 1 and 512 bits.
</p>
<p>
 The key size does not need to be specified if using a default
 algorithm. The default key size is 1024 bits for zone signing
 keys (ZSKs) and 2048 bits for key signing keys (KSKs,
 generated with <code class="option">-f KSK</code>). However, if an
 algorithm is explicitly specified with <code class="option">-a</code>,
 then there is no default key size, and <code class="option">-b</code>
 must be used.
</p>
</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd><p>
 Specifies the owner type of the key. The value of
 <code class="option">nametype</code> must either be ZONE (for a DNSSEC
 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
 a host (KEY)),
 USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
 These values are case insensitive. Defaults to ZONE for DNSKEY
</p></dd>
<dt><span class="term">-3</span></dt>
<dd><p>
 Use an NSEC3-capable algorithm to generate a DNSSEC key.
 If this option is used and no algorithm is explicitly
 set on the command line, NSEC3RSASHA1 will be used by
 default. Note that RSASHA256 and RSASHA512 algorithms
 are NSEC3-capable.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Compatibility mode: generates an old-style key, without
 any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
 will include the key's creation date in the metadata stored
 with the private key, and other dates may be set there as well
 (publication date, activation date, etc). Keys that include
 this data may be incompatible with older versions of BIND; the
 <code class="option">-C</code> option suppresses them.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Indicates that the DNS record containing the key should have
 the specified class. If not specified, class IN is used.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Uses crypto hardware (OpenSSL engine) for random number
 and, when supported, key generation. When compiled with PKCS#11
 support it defaults to pkcs11; the empty name resets it to
</p></dd>
<dt><span class="term">-e</span></dt>
<dd><p>
 If generating an RSAMD5/RSASHA1 key, use a large exponent.
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd><p>
 Set the specified flag in the flag field of the KEY/DNSKEY record.
 The only recognized flags are KSK (Key Signing Key) and REVOKE.
</p></dd>
<dt><span class="term">-G</span></dt>
<dd><p>
 Generate a key, but do not publish it or sign with it. This
 option is incompatible with -P and -A.
</p></dd>
<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
<dd><p>
 If generating a Diffie Hellman key, use this generator.
 Allowed values are 2 and 5. If no generator
 is specified, a known prime from RFC 2539 will be used
 if possible; otherwise the default is 2.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints a short summary of the options and arguments to
 <span><strong class="command">dnssec-keygen</strong></span>.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to be written.
</p></dd>
<dt><span class="term">-k</span></dt>
<dd><p>
 Deprecated in favor of -T KEY.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd><p>
 Sets the protocol value for the generated key. The protocol
 is a number between 0 and 255. The default is 3 (DNSSEC).
 Other possible values for this argument are listed in
 RFC 2535 and its successors.
</p></dd>
<dt><span class="term">-q</span></dt>
<dd><p>
 Quiet mode: Suppresses unnecessary output, including
 progress indication. Without this option, when
 <span><strong class="command">dnssec-keygen</strong></span> is run interactively
 to generate an RSA or DSA key pair, it will print a string
 of symbols to <code class="filename">stderr</code> indicating the
 progress of the key generation. A '.' indicates that a
 random number has been found which passed an initial
 sieve test; '+' means a number has passed a single
 round of the Miller-Rabin primality test; a space
 means that the number has passed all the tests and is
 a satisfactory key.
</p></dd>
<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
<dd><p>
 Specifies the source of randomness. If the operating
 system does not provide a <code class="filename">/dev/random</code>
 or equivalent device, the default source of randomness
 is keyboard input. <code class="filename">randomdev</code>
 specifies
 the name of a character device or file containing random
 data to be used instead of the default. The special value
 <code class="filename">keyboard</code> indicates that keyboard
 input should be used.
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd><p>
 Create a new key which is an explicit successor to an
 existing key. The name, algorithm, size, and type of the
 key will be set to match the existing key. The activation
 date of the new key will be set to the inactivation date of
 the existing one. The publication date will be set to the
 activation date minus the prepublication interval, which
 defaults to 30 days.
</p></dd>
<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
<dd><p>
 Specifies the strength value of the key. The strength is
 a number between 0 and 15, and currently has no defined
 purpose in DNSSEC.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
<dd>
<p>
 Specifies the resource record type to use for the key.
 <code class="option">rrtype</code> must be either DNSKEY or KEY. The
 default is DNSKEY when using a DNSSEC algorithm, but it can be
 overridden to KEY for use with SIG(0).
</p>
<p>
 Using any TSIG algorithm (HMAC-* or DH) forces this option
</p>
</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd><p>
 Indicates the use of the key. <code class="option">type</code> must be
 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
 is AUTHCONF. AUTH refers to the ability to authenticate
 data, and CONF the ability to encrypt data.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
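<p>The <code class="option">-a</code>, <code class="option">-b</code>, <code class="option">-3</code>, <code class="option">-f KSK</code> and <code class="option">-T</code> rules above interact, so a pre-flight check in key-management automation is easier to get right when they are modelled in one place. The Python below is an added example, not code from BIND or from this manual; every function and variable name in it is hypothetical, and treating NSEC3DSA as NSEC3-capable is an assumption based on its name.</p>

```python
# Added example: a model of the -a / -b / -3 / -f KSK / -T rules stated on this page.
# All names below are illustrative; this is not code from BIND.

RSA_ALGS = {"RSAMD5", "RSASHA1", "NSEC3RSASHA1", "RSASHA256", "RSASHA512"}
DSA_ALGS = {"DSA", "NSEC3DSA"}
HMAC_ALGS = {"HMAC-MD5", "HMAC-SHA1", "HMAC-SHA224",
             "HMAC-SHA256", "HMAC-SHA384", "HMAC-SHA512"}
# The page names NSEC3RSASHA1 (the -3 default), RSASHA256 and RSASHA512 as
# NSEC3-capable; NSEC3DSA is included on the strength of its name (assumption).
NSEC3_CAPABLE = {"NSEC3RSASHA1", "NSEC3DSA", "RSASHA256", "RSASHA512"}


def size_rule(alg):
    """Return (min_bits, max_bits, multiple_of) for an upper-case algorithm name."""
    if alg in RSA_ALGS:
        return 512, 2048, 1
    if alg in DSA_ALGS:
        return 512, 1024, 64
    if alg == "DH":
        return 128, 4096, 1
    if alg in HMAC_ALGS:
        return 1, 512, 1
    raise ValueError("unknown algorithm: " + alg)


def resolve_key_params(algorithm=None, keysize=None, ksk=False, nsec3=False):
    """Resolve defaults and validate; return (algorithm, keysize, rrtype).

    Raises ValueError for any combination the page says is not allowed.
    """
    if algorithm is None:
        # Default algorithm, and the only case that has a default key size.
        alg = "NSEC3RSASHA1" if nsec3 else "RSASHA1"
        if keysize is None:
            keysize = 2048 if ksk else 1024
    else:
        alg = algorithm.upper()  # algorithm names are case insensitive
        if keysize is None:
            raise ValueError("-b is required when -a is given explicitly")
    low, high, step = size_rule(alg)
    if nsec3 and alg not in NSEC3_CAPABLE:
        raise ValueError(alg + " is not NSEC3-capable, so -3 rejects it")
    if not low <= keysize <= high or keysize % step:
        raise ValueError("%s keys must be %d-%d bits, multiple of %d"
                         % (alg, low, high, step))
    # Note 2: DH and the HMAC algorithms automatically set -T KEY.
    rrtype = "KEY" if alg == "DH" or alg in HMAC_ALGS else "DNSKEY"
    return alg, keysize, rrtype
```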
<a name="id2664404"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds.
</p>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it. If not set, and if the -G option has
 not been used, the default is "now".
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 it. If not set, and if the -G option has not been used, the
 default is "now".
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
 Sets the prepublication interval for a key. If set, then
 the publication and activation dates must be separated by at least
 this much time. If the activation date is specified but the
 publication date isn't, then the publication date will default
 to this much time before the activation date; conversely, if
 the publication date is specified but activation date isn't,
 then activation will be set to this much time after publication.
</p>
<p>
 If the key is being created as an explicit successor to another
 key, then the default prepublication interval is 30 days;
 otherwise it is zero.
</p>
</dd>
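<p>To audit a rollover schedule before any key is generated, the date/offset syntax and the <code class="option">-P</code>/<code class="option">-A</code>/<code class="option">-i</code>/<code class="option">-G</code>/<code class="option">-S</code> defaulting rules above can be modelled directly. The Python below is an added example, not code from BIND or from this manual; all names are hypothetical. It assumes absolute dates are UTC, takes the interval in seconds, and assumes that with <code class="option">-i</code> set and neither date given, publication is "now" and activation follows after the interval.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per suffix as the page defines them: a year is 365 days, a month 30 days.
# The None key covers an offset with no suffix, which is counted in seconds.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, None: 1}
OFFSET_RE = re.compile(r"^([+-])(\d+)(y|mo|w|d|h|mi)?$")
SUCCESSOR_PREPUB = 30 * 86400  # default prepublication interval with -S


def parse_when(arg, now):
    """Resolve a -P/-A/-R/-I/-D argument to an absolute time.

    Absolute dates are read as UTC (assumption; the page names no time zone).
    """
    m = OFFSET_RE.match(arg)
    if m:
        sign, count, unit = m.groups()
        seconds = int(count) * UNIT_SECONDS[unit]
        return now + timedelta(seconds=seconds if sign == "+" else -seconds)
    if arg.isdigit() and len(arg) in (8, 14):
        fmt = "%Y%m%d" if len(arg) == 8 else "%Y%m%d%H%M%S"
        return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
    raise ValueError("not a date or offset: %r" % (arg,))


def plan_key_times(now, publish=None, activate=None, prepub=None,
                   generate_only=False):
    """Return (publish, activate) for a new key; prepub is -i in seconds."""
    if generate_only:
        # -G: the key is neither published nor used, so -P and -A are refused.
        if publish is not None or activate is not None:
            raise ValueError("-G is incompatible with -P and -A")
        return None, None
    pub = parse_when(publish, now) if publish is not None else None
    act = parse_when(activate, now) if activate is not None else None
    if prepub is None:
        # No -i: each unset date simply defaults to "now".
        return (pub if pub is not None else now,
                act if act is not None else now)
    gap = timedelta(seconds=prepub)
    if pub is None and act is None:
        pub, act = now, now + gap      # assumption, see the lead-in
    elif pub is None:
        pub = act - gap                # only -A given
    elif act is None:
        act = pub + gap                # only -P given
    elif act - pub < gap:
        raise ValueError("publication and activation are closer than -i allows")
    return pub, act


def successor_times(predecessor_inactive, prepub=None):
    """Return (publish, activate) for a key created with -S.

    predecessor_inactive is the existing key's inactivation time.
    """
    gap = timedelta(seconds=SUCCESSOR_PREPUB if prepub is None else prepub)
    return predecessor_inactive - gap, predecessor_inactive
```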