Commit 2a31bd53 (ISC Open Source Projects / BIND)
authored Mar 31, 2008 by Francis Dupont
add EVP and PKCS11
parent 4a253e12
Changes: 39
CHANGES
2348. [func] Use the EVP interface to OpenSSL. Add PKCS#11 support.
Documentation is in the new README.pkcs11 file.
[RT #16844]
2347. [bug] Delete now traverses the RB tree in the canonical
order. [RT #17451]
...
...
README.pkcs11
0 → 100644
BIND-9 PKCS#11 support
Prerequisite
The PKCS#11 support needs a PKCS#11 OpenSSL engine based on the Solaris one,
released the 2007-11-21 for OpenSSL 0.9.8g, with a bug fix (call to free)
and some improvements, including user friendly PIN management.
Compilation
"configure --with-pkcs11 ..."
PKCS#11 Libraries
Tested with Solaris one with a SCA board and with openCryptoki with the
software token.
OpenSSL Engines
With PKCS#11 support the PKCS#11 engine is statically loaded but at its
initialization it dynamically loads the PKCS#11 objects.
Even the pre commands are therefore unused they are defined with:
SO_PATH:
define: PKCS11_SO_PATH
default: /usr/local/lib/engines/engine_pkcs11.so
MODULE_PATH:
define: PKCS11_MODULE_PATH
default: /usr/lib/libpkcs11.so
Without PKCS#11 support, a specific OpenSSL engine can be still used
by defining ENGINE_ID at compile time.
PKCS#11 tools
The contrib/pkcs11-keygen directory contains a set of experimental tools
to handle keys stored in a Hardware Security Module at the benefit of BIND.
The patch for OpenSSL 0.9.8g is in this directory. Read its README.pkcs11
for the way to use it (these are the original notes so with the original
path, etc. Define OPENCRYPTOKI to use it with openCryptoki.)
PIN management
With the just fixed PKCS#11 OpenSSL engine, the PIN should be entered
each time it is required. With the improved engine, the PIN should be
entered the first time it is required or can be configured in the
OpenSSL configuration file (aka. openssl.cnf) by adding in it:
- at the beginning:
openssl_conf = openssl_def
- at any place these sections:
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
PIN = put__your__pin__value__here
Note
Some names here are registered trademarks, at least Solaris is a trademark
of Sun Microsystems Inc...
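Review bot: the PIN management section puts the token PIN in cleartext into openssl.cnf ("PIN = put__your__pin__value__here") without saying who may read that file; add a sentence that openssl.cnf must then be readable only by the account running named and the dnssec tools, since anyone able to read it can unlock the token, and that the interactive prompt of the improved engine is the safer choice where an operator is present. Two wording fixes in the same file: "released the 2007-11-21" should be "released on 2007-11-21", and "Even the pre commands are therefore unused they are defined with:" should read "Even though the pre commands are therefore unused, they are defined with:". The Compilation section would also help readers by stating that --with-pkcs11 takes the PKCS#11 provider library path as its argument, if that is what the configure script expects, since PKCS11_MODULE_PATH below depends on it.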
bin/dnssec/Makefile.in
...
...
@@ -13,7 +13,7 @@
# OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
# PERFORMANCE OF THIS SOFTWARE.
# $Id: Makefile.in,v 1.3
2
200
7
/0
6/19 23
:4
6
:5
9 tbox
Exp $
# $Id: Makefile.in,v 1.3
3
200
8
/0
3/31 14
:4
2
:5
0 fdupont
Exp $
srcdir
=
@srcdir@
VPATH
=
@srcdir@
...
...
@@ -39,20 +39,27 @@ DEPLIBS = ${DNSDEPLIBS} ${ISCDEPLIBS}
LIBS
=
${DNSLIBS}
${ISCLIBS}
@LIBS@
# Alphabetically
TARGETS
=
dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@
TARGETS
=
dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@
\
dnssec-keyfromlabel@EXEEXT@
OBJS
=
dnssectool.@O@
SRCS
=
dnssec-keygen.c dnssec-signzone.c dnssectool.c
SRCS
=
dnssec-keyfromlabel.c dnssec-keygen.c dnssec-signzone.c
\
dnssectool.c
MANPAGES
=
dnssec-keygen.8 dnssec-signzone.8
MANPAGES
=
dnssec-keyfromlabel.8
dnssec-keygen.8 dnssec-signzone.8
HTMLPAGES
=
dnssec-keygen.html dnssec-signzone.html
HTMLPAGES
=
dnssec-keyfromlabel.html dnssec-keygen.html
\
dnssec-signzone.html
MANOBJS
=
${MANPAGES}
${HTMLPAGES}
@BIND9_MAKE_RULES@
dnssec-keyfromlabel@EXEEXT@
:
dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK}
${PURIFY}
${CC}
${CFLAGS}
${LDFLAGS}
-o
$@
\
dnssec-keyfromlabel.@O@
${OBJS}
${LIBS}
dnssec-keygen@EXEEXT@
:
dnssec-keygen.@O@ ${OBJS} ${DEPLIBS}
${LIBTOOL_MODE_LINK}
${PURIFY}
${CC}
${CFLAGS}
${LDFLAGS}
-o
$@
\
dnssec-keygen.@O@
${OBJS}
${LIBS}
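Review bot: MANPAGES and HTMLPAGES now list dnssec-keyfromlabel.8 and dnssec-keyfromlabel.html, so the generated man page and HTML page must be committed together with the new dnssec-keyfromlabel.docbook or make in bin/dnssec fails on a fresh checkout; they are not among the files shown in this hunk, so please confirm they are part of the 39 changes. The new dnssec-keyfromlabel@EXEEXT@ rule is a verbatim copy of the dnssec-keygen one, which matches the per-target style already used in this Makefile, so nothing further is needed there; just keep the backslash continuations of the TARGETS, SRCS and HTMLPAGES lists aligned with the existing ones so a later diff of this file stays readable.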
...
...
bin/dnssec/dnssec-keyfromlabel.c
0 → 100644
/*
* Portions Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
* Portions Copyright (C) 1999-2003 Internet Software Consortium.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*
* Portions Copyright (C) 1995-2000 by Network Associates, Inc.
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
* ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
* WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE
* FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.2 2008/03/31 14:42:50 fdupont Exp $ */
/*! \file */
#include <config.h>
#include <stdlib.h>
#include <isc/buffer.h>
#include <isc/commandline.h>
#include <isc/entropy.h>
#include <isc/mem.h>
#include <isc/region.h>
#include <isc/string.h>
#include <isc/util.h>
#include <dns/fixedname.h>
#include <dns/keyvalues.h>
#include <dns/log.h>
#include <dns/name.h>
#include <dns/rdataclass.h>
#include <dns/result.h>
#include <dns/secalg.h>
#include <dst/dst.h>
#include "dnssectool.h"
#define MAX_RSA 4096
/* should be long enough... */
const
char
*
program
=
"dnssec-keyfromlabel"
;
int
verbose
;
static
const
char
*
algs
=
"RSA | RSAMD5 | DH | DSA | RSASHA1"
;
static
void
usage
(
void
)
{
fprintf
(
stderr
,
"Usage:
\n
"
);
fprintf
(
stderr
,
" %s -a alg -l label [options] name
\n\n
"
,
program
);
fprintf
(
stderr
,
"Version: %s
\n
"
,
VERSION
);
fprintf
(
stderr
,
"Required options:
\n
"
);
fprintf
(
stderr
,
" -a algorithm: %s
\n
"
,
algs
);
fprintf
(
stderr
,
" -l label: label of the key
\n
"
);
fprintf
(
stderr
,
" name: owner of the key
\n
"
);
fprintf
(
stderr
,
"Other options:
\n
"
);
fprintf
(
stderr
,
" -n nametype: ZONE | HOST | ENTITY | USER | OTHER
\n
"
);
fprintf
(
stderr
,
" (DNSKEY generation defaults to ZONE
\n
"
);
fprintf
(
stderr
,
" -c <class> (default: IN)
\n
"
);
fprintf
(
stderr
,
" -f keyflag: KSK
\n
"
);
fprintf
(
stderr
,
" -t <type>: "
"AUTHCONF | NOAUTHCONF | NOAUTH | NOCONF "
"(default: AUTHCONF)
\n
"
);
fprintf
(
stderr
,
" -p <protocol>: "
"default: 3 [dnssec]
\n
"
);
fprintf
(
stderr
,
" -v <verbose level>
\n
"
);
fprintf
(
stderr
,
" -k : generate a TYPE=KEY key
\n
"
);
fprintf
(
stderr
,
"Output:
\n
"
);
fprintf
(
stderr
,
" K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private
\n
"
);
exit
(
-
1
);
}
int
main
(
int
argc
,
char
**
argv
)
{
char
*
algname
=
NULL
,
*
nametype
=
NULL
,
*
type
=
NULL
;
char
*
classname
=
NULL
;
char
*
endp
;
dst_key_t
*
key
=
NULL
,
*
oldkey
;
dns_fixedname_t
fname
;
dns_name_t
*
name
;
isc_uint16_t
flags
=
0
,
ksk
=
0
;
dns_secalg_t
alg
;
isc_boolean_t
null_key
=
ISC_FALSE
;
isc_mem_t
*
mctx
=
NULL
;
int
ch
;
int
protocol
=
-
1
,
signatory
=
0
;
isc_result_t
ret
;
isc_textregion_t
r
;
char
filename
[
255
];
isc_buffer_t
buf
;
isc_log_t
*
log
=
NULL
;
isc_entropy_t
*
ectx
=
NULL
;
dns_rdataclass_t
rdclass
;
int
options
=
DST_TYPE_PRIVATE
|
DST_TYPE_PUBLIC
;
char
*
label
=
NULL
;
if
(
argc
==
1
)
usage
();
RUNTIME_CHECK
(
isc_mem_create
(
0
,
0
,
&
mctx
)
==
ISC_R_SUCCESS
);
dns_result_register
();
isc_commandline_errprint
=
ISC_FALSE
;
while
((
ch
=
isc_commandline_parse
(
argc
,
argv
,
"a:c:f:kl:n:p:t:v:h"
))
!=
-
1
)
{
switch
(
ch
)
{
case
'a'
:
algname
=
isc_commandline_argument
;
break
;
case
'c'
:
classname
=
isc_commandline_argument
;
break
;
case
'f'
:
if
(
strcasecmp
(
isc_commandline_argument
,
"KSK"
)
==
0
)
ksk
=
DNS_KEYFLAG_KSK
;
else
fatal
(
"unknown flag '%s'"
,
isc_commandline_argument
);
break
;
case
'k'
:
options
|=
DST_TYPE_KEY
;
break
;
case
'l'
:
label
=
isc_commandline_argument
;
break
;
case
'n'
:
nametype
=
isc_commandline_argument
;
break
;
case
'p'
:
protocol
=
strtol
(
isc_commandline_argument
,
&
endp
,
10
);
if
(
*
endp
!=
'\0'
||
protocol
<
0
||
protocol
>
255
)
fatal
(
"-p must be followed by a number "
"[0..255]"
);
break
;
case
't'
:
type
=
isc_commandline_argument
;
break
;
case
'v'
:
verbose
=
strtol
(
isc_commandline_argument
,
&
endp
,
0
);
if
(
*
endp
!=
'\0'
)
fatal
(
"-v must be followed by a number"
);
break
;
case
'?'
:
if
(
isc_commandline_option
!=
'?'
)
fprintf
(
stderr
,
"%s: invalid argument -%c
\n
"
,
program
,
isc_commandline_option
);
case
'h'
:
usage
();
default:
fprintf
(
stderr
,
"%s: unhandled option -%c
\n
"
,
program
,
isc_commandline_option
);
exit
(
1
);
}
}
if
(
ectx
==
NULL
)
setup_entropy
(
mctx
,
NULL
,
&
ectx
);
ret
=
dst_lib_init
(
mctx
,
ectx
,
ISC_ENTROPY_BLOCKING
|
ISC_ENTROPY_GOODONLY
);
if
(
ret
!=
ISC_R_SUCCESS
)
fatal
(
"could not initialize dst"
);
setup_logging
(
verbose
,
mctx
,
&
log
);
if
(
label
==
NULL
)
fatal
(
"the key label was not specified"
);
if
(
argc
<
isc_commandline_index
+
1
)
fatal
(
"the key name was not specified"
);
if
(
argc
>
isc_commandline_index
+
1
)
fatal
(
"extraneous arguments"
);
if
(
algname
==
NULL
)
fatal
(
"no algorithm was specified"
);
if
(
strcasecmp
(
algname
,
"RSA"
)
==
0
)
{
fprintf
(
stderr
,
"The use of RSA (RSAMD5) is not recommended.
\n
"
"If you still wish to use RSA (RSAMD5) please "
"specify
\"
-a RSAMD5
\"\n
"
);
return
(
1
);
}
else
{
r
.
base
=
algname
;
r
.
length
=
strlen
(
algname
);
ret
=
dns_secalg_fromtext
(
&
alg
,
&
r
);
if
(
ret
!=
ISC_R_SUCCESS
)
fatal
(
"unknown algorithm %s"
,
algname
);
if
(
alg
==
DST_ALG_DH
)
options
|=
DST_TYPE_KEY
;
}
if
(
type
!=
NULL
&&
(
options
&
DST_TYPE_KEY
)
!=
0
)
{
if
(
strcasecmp
(
type
,
"NOAUTH"
)
==
0
)
flags
|=
DNS_KEYTYPE_NOAUTH
;
else
if
(
strcasecmp
(
type
,
"NOCONF"
)
==
0
)
flags
|=
DNS_KEYTYPE_NOCONF
;
else
if
(
strcasecmp
(
type
,
"NOAUTHCONF"
)
==
0
)
{
flags
|=
(
DNS_KEYTYPE_NOAUTH
|
DNS_KEYTYPE_NOCONF
);
}
else
if
(
strcasecmp
(
type
,
"AUTHCONF"
)
==
0
)
/* nothing */
;
else
fatal
(
"invalid type %s"
,
type
);
}
if
(
nametype
==
NULL
)
{
if
((
options
&
DST_TYPE_KEY
)
!=
0
)
/* KEY */
fatal
(
"no nametype specified"
);
flags
|=
DNS_KEYOWNER_ZONE
;
/* DNSKEY */
}
else
if
(
strcasecmp
(
nametype
,
"zone"
)
==
0
)
flags
|=
DNS_KEYOWNER_ZONE
;
else
if
((
options
&
DST_TYPE_KEY
)
!=
0
)
{
/* KEY */
if
(
strcasecmp
(
nametype
,
"host"
)
==
0
||
strcasecmp
(
nametype
,
"entity"
)
==
0
)
flags
|=
DNS_KEYOWNER_ENTITY
;
else
if
(
strcasecmp
(
nametype
,
"user"
)
==
0
)
flags
|=
DNS_KEYOWNER_USER
;
else
fatal
(
"invalid KEY nametype %s"
,
nametype
);
}
else
if
(
strcasecmp
(
nametype
,
"other"
)
!=
0
)
/* DNSKEY */
fatal
(
"invalid DNSKEY nametype %s"
,
nametype
);
rdclass
=
strtoclass
(
classname
);
if
((
options
&
DST_TYPE_KEY
)
!=
0
)
/* KEY */
flags
|=
signatory
;
else
if
((
flags
&
DNS_KEYOWNER_ZONE
)
!=
0
)
/* DNSKEY */
flags
|=
ksk
;
if
(
protocol
==
-
1
)
protocol
=
DNS_KEYPROTO_DNSSEC
;
else
if
((
options
&
DST_TYPE_KEY
)
==
0
&&
protocol
!=
DNS_KEYPROTO_DNSSEC
)
fatal
(
"invalid DNSKEY protocol: %d"
,
protocol
);
if
((
flags
&
DNS_KEYFLAG_TYPEMASK
)
==
DNS_KEYTYPE_NOKEY
)
{
if
((
flags
&
DNS_KEYFLAG_SIGNATORYMASK
)
!=
0
)
fatal
(
"specified null key with signing authority"
);
}
if
((
flags
&
DNS_KEYFLAG_OWNERMASK
)
==
DNS_KEYOWNER_ZONE
&&
alg
==
DNS_KEYALG_DH
)
fatal
(
"a key with algorithm '%s' cannot be a zone key"
,
algname
);
dns_fixedname_init
(
&
fname
);
name
=
dns_fixedname_name
(
&
fname
);
isc_buffer_init
(
&
buf
,
argv
[
isc_commandline_index
],
strlen
(
argv
[
isc_commandline_index
]));
isc_buffer_add
(
&
buf
,
strlen
(
argv
[
isc_commandline_index
]));
ret
=
dns_name_fromtext
(
name
,
&
buf
,
dns_rootname
,
ISC_FALSE
,
NULL
);
if
(
ret
!=
ISC_R_SUCCESS
)
fatal
(
"invalid key name %s: %s"
,
argv
[
isc_commandline_index
],
isc_result_totext
(
ret
));
if
((
flags
&
DNS_KEYFLAG_TYPEMASK
)
==
DNS_KEYTYPE_NOKEY
)
null_key
=
ISC_TRUE
;
isc_buffer_init
(
&
buf
,
filename
,
sizeof
(
filename
)
-
1
);
/* associate the key */
ret
=
dst_key_fromlabel
(
name
,
alg
,
flags
,
protocol
,
rdclass
,
""
,
label
,
NULL
,
mctx
,
&
key
);
isc_entropy_stopcallbacksources
(
ectx
);
if
(
ret
!=
ISC_R_SUCCESS
)
{
char
namestr
[
DNS_NAME_FORMATSIZE
];
char
algstr
[
ALG_FORMATSIZE
];
dns_name_format
(
name
,
namestr
,
sizeof
(
namestr
));
alg_format
(
alg
,
algstr
,
sizeof
(
algstr
));
fatal
(
"failed to generate key %s/%s: %s
\n
"
,
namestr
,
algstr
,
isc_result_totext
(
ret
));
exit
(
-
1
);
}
/*
* Try to read a key with the same name, alg and id from disk.
* If there is one we must continue generating a new one
* unless we were asked to generate a null key, in which
* case we return failure.
*/
ret
=
dst_key_fromfile
(
name
,
dst_key_id
(
key
),
alg
,
DST_TYPE_PRIVATE
,
NULL
,
mctx
,
&
oldkey
);
/* do not overwrite an existing key */
if
(
ret
==
ISC_R_SUCCESS
)
{
isc_buffer_clear
(
&
buf
);
ret
=
dst_key_buildfilename
(
key
,
0
,
NULL
,
&
buf
);
fprintf
(
stderr
,
"%s: %s already exists
\n
"
,
program
,
filename
);
dst_key_free
(
&
key
);
exit
(
1
);
}
ret
=
dst_key_tofile
(
key
,
options
,
NULL
);
if
(
ret
!=
ISC_R_SUCCESS
)
{
char
keystr
[
KEY_FORMATSIZE
];
key_format
(
key
,
keystr
,
sizeof
(
keystr
));
fatal
(
"failed to write key %s: %s
\n
"
,
keystr
,
isc_result_totext
(
ret
));
}
isc_buffer_clear
(
&
buf
);
ret
=
dst_key_buildfilename
(
key
,
0
,
NULL
,
&
buf
);
printf
(
"%s
\n
"
,
filename
);
dst_key_free
(
&
key
);
cleanup_logging
(
&
log
);
cleanup_entropy
(
&
ectx
);
dst_lib_destroy
();
dns_name_destroy
();
if
(
verbose
>
10
)
isc_mem_stats
(
mctx
,
stdout
);
isc_mem_destroy
(
&
mctx
);
return
(
0
);
}
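Review bot: oldkey is declared without an initializer and then passed to dst_key_fromfile(name, dst_key_id(key), alg, DST_TYPE_PRIVATE, NULL, mctx, &oldkey); that function requires the output pointer to be NULL on entry, so initialize it ("dst_key_t *key = NULL, *oldkey = NULL;"), as dnssec-keygen.c, from which this block was adapted, does before each call, and free oldkey in the "already exists" branch before exit(1). The result of both dst_key_buildfilename(key, 0, NULL, &buf) calls is stored in ret but never checked, so on ISC_R_NOSPACE the stale filename buffer is printed; test ret and call fatal as dnssec-keygen does. The exit(-1) after fatal("failed to generate key %s/%s: %s\n", ...) is unreachable because fatal does not return, and the message should say the key could not be obtained from the label, since this tool reads an existing key rather than generating one. Smaller points: MAX_RSA, null_key and signatory are defined or assigned but never used; the DH test uses DST_ALG_DH in one place and DNS_KEYALG_DH in another, pick one; and the usage line " (DNSKEY generation defaults to ZONE\n" is missing its closing parenthesis.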
bin/dnssec/dnssec-keyfromlabel.docbook
0 → 100644
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "—">
]>
<!--
- Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
- Copyright (C) 2000-2003 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.2 2008/03/31 14:42:50 fdupont Exp $ -->
<refentry
id=
"man.dnssec-keyfromlabel"
>
<refentryinfo>
<date>
february 8, 2008
</date>
</refentryinfo>
<refmeta>
<refentrytitle><application>
dnssec-keyfromlabel
</application></refentrytitle>
<manvolnum>
8
</manvolnum>
<refmiscinfo>
BIND9
</refmiscinfo>
</refmeta>
<refnamediv>
<refname><application>
dnssec-keyfromlabel
</application></refname>
<refpurpose>
DNSSEC key generation tool
</refpurpose>
</refnamediv>
<docinfo>
<copyright>
<year>
2004
</year>
<year>
2005
</year>
<year>
2006
</year>
<year>
2007
</year>
<year>
2008
</year>
<holder>
Internet Systems Consortium, Inc. ("ISC")
</holder>
</copyright>
<copyright>
<year>
2000
</year>
<year>
2001
</year>
<year>
2002
</year>
<year>
2003
</year>
<holder>
Internet Software Consortium.
</holder>
</copyright>
</docinfo>
<refsynopsisdiv>
<cmdsynopsis>
<command>
dnssec-keyfromlabel
</command>
<arg
choice=
"req"
>
-a
<replaceable
class=
"parameter"
>
algorithm
</replaceable></arg>
<arg
choice=
"req"
>
-l
<replaceable
class=
"parameter"
>
label
</replaceable></arg>
<arg><option>
-c
<replaceable
class=
"parameter"
>
class
</replaceable></option></arg>
<arg><option>
-f
<replaceable
class=
"parameter"
>
flag
</replaceable></option></arg>
<arg><option>
-k
</option></arg>
<arg><option>
-n
<replaceable
class=
"parameter"
>
nametype
</replaceable></option></arg>
<arg><option>
-p
<replaceable
class=
"parameter"
>
protocol
</replaceable></option></arg>
<arg><option>
-t
<replaceable
class=
"parameter"
>
type
</replaceable></option></arg>
<arg><option>
-v
<replaceable
class=
"parameter"
>
level
</replaceable></option></arg>
<arg
choice=
"req"
>
name
</arg>
</cmdsynopsis>
</refsynopsisdiv>
<refsect1>
<title>
DESCRIPTION
</title>
<para><command>
dnssec-keyfromlabel
</command>
gets keys with the given label from a crypto hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034.
</para>
</refsect1>
<refsect1>
<title>
OPTIONS
</title>
<variablelist>
<varlistentry>
<term>
-a
<replaceable
class=
"parameter"
>
algorithm
</replaceable></term>
<listitem>
<para>
Selects the cryptographic algorithm. The value of
<option>
algorithm
</option>
must be one of RSAMD5 (RSA)
or RSASHA1, DSA or DH (Diffie Hellman). These values
are case insensitive.
</para>
<para>
Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
algorithm, and DSA is recommended.
</para>
<para>
Note 2: DH automatically sets the -k flag.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
-l
<replaceable
class=
"parameter"
>
label
</replaceable></term>
<listitem>
<para>
Specifies the label of keys in the crypto hardware
(PKCS#11 device).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
-n
<replaceable
class=
"parameter"
>
nametype
</replaceable></term>
<listitem>
<para>
Specifies the owner type of the key. The value of
<option>
nametype
</option>
must either be ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
a host (KEY)),
USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
These values are
case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
-c
<replaceable
class=
"parameter"
>
class
</replaceable></term>
<listitem>
<para>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
-f
<replaceable
class=
"parameter"
>
flag
</replaceable></term>
<listitem>
<para>
Set the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
-h
</term>
<listitem>
<para>
Prints a short summary of the options and arguments to
<command>
dnssec-keygen
</command>
.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>
-k
</term>
<listitem>
<para>
Generate KEY records rather than DNSKEY records.
</para>
</listitem>
</varlistentry>
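Review bot: the -h entry says it prints the options of dnssec-keygen; it should name dnssec-keyfromlabel. The refpurpose "DNSSEC key generation tool" and the DESCRIPTION do not describe what the tool does: it does not generate key material, it builds the K<name>+<alg>+<id>.key and .private files for a key that already exists in the PKCS#11 device under the given label, so say that in both places, and "from a crypto hardware" should read "from crypto hardware". The <date> should be "February 8, 2008". The synopsis lists -p, -t and -v, so the OPTIONS variablelist needs entries for them in the same form as the -c and -f entries. In the -n text, "a user(KEY)" needs a space before "(KEY)".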