<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-keyfromlabel</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
<link rel="prev" href="man.dnssec-importkey.html" title="dnssec-importkey">
<link rel="next" href="man.dnssec-keygen.html" title="dnssec-keygen">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a></td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"><a accesskey="n" href="man.dnssec-keygen.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.dnssec-keyfromlabel"></a><div class="titlepage"></div>
  
  

  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">dnssec-keyfromlabel</span>
     &#8212; DNSSEC key generation tool
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-keyfromlabel</code> 
       {-l <em class="replaceable"><code>label</code></em>}
       [<code class="option">-3</code>]
       [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>]
       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-C</code>]
       [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
       [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>]
       [<code class="option">-G</code>]
       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
       [<code class="option">-k</code>]
       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
       [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>]
       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>]
       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
       [<code class="option">-t <em class="replaceable"><code>type</code></em></code>]
       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
       [<code class="option">-V</code>]
       [<code class="option">-y</code>]
       {name}
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.13.11.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
      generates a pair of key files that reference a key object stored
      in a hardware security module (HSM).  The private key
      file can be used for DNSSEC signing of zone data as if it were a
      conventional signing key created by <span class="command"><strong>dnssec-keygen</strong></span>,
      but the key material stays inside the HSM and the actual signing
      takes place there; the file on disk only identifies the key.
    </p>
    <p>
      The <code class="option">name</code> of the key is specified on the command
      line.  This must match the name of the zone for which the key is
      being generated.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.13.11.8"></a><h2>OPTIONS</h2>


    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
	  <p>
	    Selects the cryptographic algorithm.  The value of
	    <code class="option">algorithm</code> must be one of RSASHA1,
	    NSEC3RSASHA1, RSASHA256, RSASHA512,
	    ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or ED448.
	  </p>
	  <p>
	    Before BIND 9.12.0, RSASHA1 was used by default if no algorithm
	    was specified, unless the <code class="option">-3</code> option
	    was given, in which case NSEC3RSASHA1 was used instead.  (If
	    <code class="option">-3</code> is used together with an explicit
	    algorithm, that algorithm is checked for compatibility with NSEC3.)
	  </p>
	  <p>
	    RSASHA1 and NSEC3RSASHA1 are based on SHA-1, which RFC 8624
	    lists as NOT RECOMMENDED for signing; choose ECDSAP256SHA256,
	    ED25519 or one of the other SHA-2 or EdDSA based algorithms for
	    new keys, and keep the SHA-1 variants only for zones that already
	    depend on them.
	  </p>
	  <p>
	    These values are case insensitive. In some cases, abbreviations
	    are supported, such as ECDSA256 for ECDSAP256SHA256 and
	    ECDSA384 for ECDSAP384SHA384. If RSASHA1 is specified
	    along with the <code class="option">-3</code> option, then NSEC3RSASHA1
	    will be used instead.
	  </p>
	  <p>
	    As of BIND 9.12.0, this option is mandatory except when using
	    the <code class="option">-S</code> option (which copies the algorithm from
	    the predecessor key).  Previously, the default for newly
	    generated keys was RSASHA1.
	  </p>
	</dd>
<dt><span class="term">-3</span></dt>
<dd>
	  <p>
	    Use an NSEC3-capable algorithm to generate a DNSSEC key.
	    If this option is used with an algorithm that has both
	    NSEC and NSEC3 versions, then the NSEC3 version will be
	    used; for example, <span class="command"><strong>dnssec-keyfromlabel -3 -a RSASHA1</strong></span>
	    selects the NSEC3RSASHA1 algorithm.
	  </p>
	</dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
	  <p>
	    Specifies the cryptographic hardware to use.
	  </p>
	  <p>
	    When BIND is built with OpenSSL PKCS#11 support, this defaults
	    to the string "pkcs11", which identifies an OpenSSL engine
	    that can drive a cryptographic accelerator or hardware security
	    module.  When BIND is built with native PKCS#11 cryptography
	    (--enable-native-pkcs11), it defaults to the path of the PKCS#11
	    provider library specified via "--with-pkcs11".
	  </p>
	</dd>
<dt><span class="term">-l <em class="replaceable"><code>label</code></em></span></dt>
<dd>
	  <p>
	    Specifies the label for a key pair in the crypto hardware.
	  </p>
	  <p>
	    When <acronym class="acronym">BIND</acronym> 9 is built with OpenSSL-based
	    PKCS#11 support, the label is an arbitrary string that
	    identifies a particular key.  It may be preceded by an
	    optional OpenSSL engine name, followed by a colon, as in
	    "pkcs11:<em class="replaceable"><code>keylabel</code></em>".
	  </p>
	  <p>
	    When <acronym class="acronym">BIND</acronym> 9 is built with native PKCS#11
	    support, the label is a PKCS#11 URI string in the format
	    "pkcs11:<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>[<span class="optional">;<code class="option">keyword</code>=<em class="replaceable"><code>value</code></em>;...</span>]".
	    Keywords include "token", which identifies the HSM; "object", which
	    identifies the key; and "pin-source", which identifies a file from
	    which the HSM's PIN code can be obtained.  The label will be
	    stored in the on-disk "private" file.
	  </p>
	  <p>
	    If the label contains a
	    <code class="option">pin-source</code> field, tools using the generated
	    key files will be able to use the HSM for signing and other
	    operations without any need for an operator to manually enter
	    a PIN.  Note: making the HSM's PIN accessible in this manner
	    reduces the security advantage of using an HSM: anyone who can
	    read the PIN file and reach the HSM can sign with the key, so the
	    file must be readable only by the user that runs
	    <span class="command"><strong>named</strong></span> and the signing
	    tools.  Be sure this is what you want before making use of this
	    feature.
	  </p>
	</dd>
<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
<dd>
	  <p>
	  <p>
	    Specifies the owner type of the key.  The value of
	    <code class="option">nametype</code> must be one of ZONE (for a DNSSEC
	    zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
	    a host (KEY)), USER (for a key associated with a user (KEY)), or
	    OTHER (DNSKEY).  These values are case insensitive.
	  </p>
	</dd>
<dt><span class="term">-C</span></dt>
<dd>
	  <p>
	    Compatibility mode:  generates an old-style key, without
	    any metadata.  By default, <span class="command"><strong>dnssec-keyfromlabel</strong></span>
	    will include the key's creation date in the metadata stored
	    with the private key, and other dates may be set there as well
	    (publication date, activation date, etc).  Keys that include
	    this data may be incompatible with older versions of BIND; the
	    <code class="option">-C</code> option suppresses them.
	  </p>
	</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
	  <p>
	    Indicates that the DNS record containing the key should have
	    the specified class.  If not specified, class IN is used.
	  </p>
	</dd>
<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
<dd>
	  <p>
	    Set the specified flag in the flag field of the KEY/DNSKEY record.
	    The only recognized flags are KSK (Key Signing Key) and REVOKE.
	    KSK sets the Secure Entry Point (SEP) bit, so the DNSKEY flags
	    field becomes 257 instead of 256; REVOKE sets the RFC 5011
	    revocation bit.
	  </p>
	</dd>
<dt><span class="term">-G</span></dt>
<dd>
	  <p>
	    Generate a key, but do not publish it or sign with it.  This
	    option is incompatible with -P and -A.
	  </p>
	</dd>
<dt><span class="term">-h</span></dt>
<dd>
	  <p>
	    Prints a short summary of the options and arguments to
	    <span class="command"><strong>dnssec-keyfromlabel</strong></span>.
	  </p>
	</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
	  <p>
	    Sets the directory in which the key files are to be written.
	  </p>
	</dd>
<dt><span class="term">-k</span></dt>
<dd>
	  <p>
	    Generate KEY records rather than DNSKEY records.
	  </p>
	</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
	  <p>
	    Sets the default TTL to use for this key when it is converted
	    into a DNSKEY RR.  If the key is imported into a zone,
	    this is the TTL that will be used for it, unless there was
	    already a DNSKEY RRset in place, in which case the existing TTL
	    would take precedence.  Setting the default TTL to
	    <code class="literal">0</code> or <code class="literal">none</code> removes it.
	  </p>
	</dd>
<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
<dd>
	  <p>
	    Sets the protocol value for the key.  The protocol
	    is a number between 0 and 255.  The default is 3 (DNSSEC).
	    Other possible values for this argument are listed in
	    RFC 2535 and its successors.  Note that RFC 4034 requires the
	    protocol field of a DNSKEY record to be 3; a DNSKEY with any
	    other value is not valid for use in DNSSEC.
	  </p>
	</dd>
<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
<dd>
	  <p>
	    Generate a key as an explicit successor to an existing key.
	    The name, algorithm, size, and type of the key will be set
	    to match the predecessor. The activation date of the new
	    key will be set to the inactivation date of the existing
	    one. The publication date will be set to the activation
	    date minus the prepublication interval, which defaults to
	    30 days.
	  </p>
	</dd>
<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
<dd>
	  <p>
	    Indicates the use of the key.  <code class="option">type</code> must be
	    one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF.  The default
	    is AUTHCONF.  AUTH refers to the ability to authenticate
	    data, and CONF the ability to encrypt data.
	  </p>
	</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
	  <p>
	    Sets the debugging level.
	  </p>
	</dd>
<dt><span class="term">-V</span></dt>
<dd>
	  <p>
	    Prints version information.
	  </p>
	</dd>
<dt><span class="term">-y</span></dt>
<dd>
	  <p>
	    Allows DNSSEC key files to be generated even if the key ID
	    would collide with that of an existing key, in the event of
	    either key being revoked.  (Setting the REVOKE flag changes the
	    key ID, so two keys with different IDs today may collide once
	    one of them is revoked.  This option is only safe to use if you
	    are sure you won't be using RFC 5011 trust anchor maintenance
	    with either of the keys involved.)
	  </p>
	</dd>
</dl></div>
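    <p>
      The following shell script is an added example written for this
      page; it is not part of BIND and does not talk to an HSM.  It parses
      a native-PKCS#11 label of the kind accepted by
      <code class="option">-l</code> above into its <code>token</code>,
      <code>object</code> and <code>pin-source</code> keywords and refuses
      labels that name no token or object, or whose PIN file is readable
      by group or others, which is the check an operator should make before
      the label is written into a <code class="filename">.private</code>
      file.  The token and object names, file paths and PIN value are
      constructed for the demonstration; percent-escapes in the URI are
      left undecoded.
    </p>

```shell
#!/bin/sh
# Added example, not part of BIND: parse a native-PKCS#11 label of the form
# "pkcs11:token=...;object=...;pin-source=..." and vet it before handing it
# to "dnssec-keyfromlabel -l".  Only the keywords the manual names are
# checked; %XX percent-escapes are left as they are.

# pkcs11_get URI KEYWORD: print KEYWORD's value; return 1 if it is absent.
pkcs11_get() {
    _uri=${1#pkcs11:}
    _kw=$2
    _ifs=$IFS
    set -f                      # no pathname expansion while splitting
    IFS=';'
    set -- $_uri                # one positional parameter per attribute
    IFS=$_ifs
    set +f
    for _attr in "$@"; do
        case $_attr in
            "$_kw="*)
                printf '%s\n' "${_attr#*=}"
                return 0
                ;;
        esac
    done
    return 1
}

# file_mode_go PATH: print the group/other permission digits, e.g. "00" or "44".
file_mode_go() {
    _m=$(stat -c %a "$1" 2>/dev/null) || _m=$(stat -f %Lp "$1")
    printf '%s\n' "${_m#"${_m%??}"}"
}

# pkcs11_label_check URI: return 0 if the label names a token and an object
# and any pin-source file exists and is readable by its owner only;
# otherwise print each problem and return 1.
pkcs11_label_check() {
    _u=$1
    _rc=0
    case $_u in
        pkcs11:*) ;;
        *) echo "label does not start with pkcs11:"; return 1 ;;
    esac
    pkcs11_get "$_u" token  >/dev/null || { echo "no token= keyword";  _rc=1; }
    pkcs11_get "$_u" object >/dev/null || { echo "no object= keyword"; _rc=1; }
    if _pin=$(pkcs11_get "$_u" pin-source); then
        _pin=${_pin#file:}      # RFC 7512 spells a file query as file:/path
        if [ ! -f "$_pin" ]; then
            echo "pin-source $_pin does not exist"
            _rc=1
        elif [ "$(file_mode_go "$_pin")" != "00" ]; then
            echo "pin-source $_pin is readable by group or others"
            _rc=1
        fi
    fi
    return $_rc
}

# pkcs11_demo_dir: create a scratch directory with a constructed PIN file
# locked to its owner and one left world-readable; print the directory.
pkcs11_demo_dir() {
    _d=$(mktemp -d)
    printf '1234\n' >"$_d/good.pin";  chmod 600 "$_d/good.pin"
    printf '1234\n' >"$_d/leaky.pin"; chmod 644 "$_d/leaky.pin"
    printf '%s\n' "$_d"
}

# Sample run with constructed labels; the second and third are refused.
_d=$(pkcs11_demo_dir)
for _label in \
    "pkcs11:token=zone-hsm;object=example-ksk;pin-source=$_d/good.pin" \
    "pkcs11:token=zone-hsm;object=example-ksk;pin-source=$_d/leaky.pin" \
    "pkcs11:token=zone-hsm"
do
    if pkcs11_label_check "$_label"; then
        echo "OK: dnssec-keyfromlabel -a ECDSAP256SHA256 -f KSK -l '$_label' example.com"
    else
        echo "REFUSED: $_label"
    fi
done
rm -rf "$_d"
```

    <p>
      The mode test deliberately looks at the PIN file rather than at the
      label: the label itself is harmless, it is the readable PIN plus
      access to the HSM that confers signing capability.
    </p>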
  </div>

  <div class="refsection">
<a name="id-1.13.11.9"></a><h2>TIMING OPTIONS</h2>


    <p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time.  For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively.  Without a suffix, the offset
      is computed in seconds.  To explicitly prevent a date from being
      set, use 'none' or 'never'.
    </p>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which a key is to be published to the zone.
	    After that date, the key will be included in the zone but will
	    not be used to sign it.  If not set, and if the -G option has
	    not been used, the default is "now".
	  </p>
	</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the CDS and CDNSKEY records which match
	    this key are to be published to the zone.
	  </p>
	</dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the key is to be activated.  After that
	    date, the key will be included in the zone and used to sign
	    it.  If not set, and if the -G option has not been used, the
	    default is "now".
	  </p>
	</dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the key is to be revoked.  After that
	    date, the key will be flagged as revoked.  It will be included
	    in the zone and will be used to sign it, so that RFC 5011
	    validators can verify the revocation with the key itself.
	  </p>
	</dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the key is to be retired.  After that
	    date, the key will still be included in the zone, but it
	    will not be used to sign it.
	  </p>
	</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the key is to be deleted.  After that
	    date, the key will no longer be included in the zone.  (It
	    may remain in the key repository, however.)
	  </p>
	</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
	  <p>
	    Sets the date on which the CDS and CDNSKEY records which match
	    this key are to be deleted.
	  </p>
	</dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
	  <p>
	    Sets the prepublication interval for a key.  If set, then
	    the publication and activation dates must be separated by at least
	    this much time.  If the activation date is specified but the
	    publication date isn't, then the publication date will default
	    to this much time before the activation date; conversely, if
	    the publication date is specified but activation date isn't,
	    then activation will be set to this much time after publication.
	  </p>
	  <p>
	    If the key is being created as an explicit successor to another
	    key, then the default prepublication interval is 30 days;
	    otherwise it is zero.
	  </p>
	  <p>
	    As with date offsets, if the argument is followed by one of
	    the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
	    interval is measured in years, months, weeks, days, hours,
	    or minutes, respectively.  Without a suffix, the interval is
	    measured in seconds.
	  </p>
	</dd>
</dl></div>
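    <p>
      As an added example (not BIND's code), the script below resolves the
      date/offset arguments used by the timing options above and derives
      the dates that <code class="option">-S</code> assigns to a successor
      key.  It follows the grammar of this section (years of 365 days,
      months of 30 days, unsuffixed offsets in seconds,
      <code>none</code>/<code>never</code> leaving a date unset); the
      calendar conversion is done in shell arithmetic so the output does
      not depend on the local <code>date</code> command, all times are
      UTC, and the fixed "now" of 2019-04-01 is chosen only to make the
      sample run reproducible.
    </p>

```shell
#!/bin/sh
# Added example, not part of BIND: resolve the date/offset arguments of
# -P, -A, -R, -I and -D, and the dates -S derives for a successor key,
# following the rules in the TIMING OPTIONS section.  All times are UTC.

# strip0 N: remove leading zeros so "08" is not read as octal by $(( )).
strip0() {
    _n=$1
    while [ "${#_n}" -gt 1 ] && [ "${_n#0}" != "$_n" ]; do _n=${_n#0}; done
    printf '%s\n' "$_n"
}

# civil_to_epoch YYYYMMDD[HHMMSS]: print seconds since 1970-01-01 00:00:00 UTC.
civil_to_epoch() {
    _s=$1
    case $_s in *[!0-9]*) return 1 ;; esac
    case ${#_s} in
        8)  _s="${_s}000000" ;;
        14) ;;
        *)  return 1 ;;
    esac
    _y=${_s%??????????}
    _t=${_s#????};        _mo=$(strip0 "${_t%????????}")
    _t=${_s#??????};      _d=$(strip0 "${_t%??????}")
    _t=${_s#????????};    _h=$(strip0 "${_t%????}")
    _t=${_s#??????????};  _mi=$(strip0 "${_t%??}")
    _se=$(strip0 "${_s#????????????}")
    # days since the epoch via the March-based-year method (H. Hinnant)
    if [ "$_mo" -le 2 ]; then _y=$((_y - 1)); _mp=$((_mo + 9)); else _mp=$((_mo - 3)); fi
    _era=$((_y / 400))
    _yoe=$((_y - _era * 400))
    _doy=$(((153 * _mp + 2) / 5 + _d - 1))
    _doe=$((_yoe * 365 + _yoe / 4 - _yoe / 100 + _doy))
    _days=$((_era * 146097 + _doe - 719468))
    echo $((_days * 86400 + _h * 3600 + _mi * 60 + _se))
}

# epoch_to_civil SECONDS: print YYYYMMDDHHMMSS (inverse of civil_to_epoch).
epoch_to_civil() {
    _e=$1
    _days=$((_e / 86400)); _rem=$((_e - _days * 86400))
    _z=$((_days + 719468))
    _era=$((_z / 146097))
    _doe=$((_z - _era * 146097))
    _yoe=$(((_doe - _doe / 1460 + _doe / 36524 - _doe / 146096) / 365))
    _y=$((_yoe + _era * 400))
    _doy=$((_doe - (365 * _yoe + _yoe / 4 - _yoe / 100)))
    _mp=$(((5 * _doy + 2) / 153))
    _d=$((_doy - (153 * _mp + 2) / 5 + 1))
    if [ "$_mp" -lt 10 ]; then _m=$((_mp + 3)); else _m=$((_mp - 9)); fi
    [ "$_m" -le 2 ] && _y=$((_y + 1))
    printf '%04d%02d%02d%02d%02d%02d\n' "$_y" "$_m" "$_d" \
        $((_rem / 3600)) $((_rem % 3600 / 60)) $((_rem % 60))
}

# key_offset_seconds OFFSET: seconds for "+30d", "-2w", "+3600" and so on.
# Returns 1 for anything that is not a signed offset with a known suffix.
key_offset_seconds() {
    _o=$1
    case $_o in
        +*) _sign=1;  _o=${_o#+} ;;
        -*) _sign=-1; _o=${_o#-} ;;
        *)  return 1 ;;
    esac
    _num=${_o%%[!0-9]*}         # leading digits
    _suf=${_o#"$_num"}          # whatever follows them
    [ -n "$_num" ] || return 1
    case $_suf in
        '')  _mult=1 ;;
        mi)  _mult=60 ;;
        h)   _mult=3600 ;;
        d)   _mult=86400 ;;
        w)   _mult=604800 ;;
        mo)  _mult=2592000 ;;   # 30 days, as the manual defines a month
        y)   _mult=31536000 ;;  # 365 days, leap years ignored
        *)   return 1 ;;
    esac
    echo $((_sign * $(strip0 "$_num") * _mult))
}

# resolve_key_date NOW_EPOCH ARG: print the absolute YYYYMMDDHHMMSS a timing
# option resolves to, "unset" for none/never, or return 1 if unparseable.
resolve_key_date() {
    _now=$1; _arg=$2
    case $_arg in
        none|never) echo unset; return 0 ;;
        +*|-*)
            _off=$(key_offset_seconds "$_arg") || return 1
            epoch_to_civil $((_now + _off)) ;;
        *)
            _abs=$(civil_to_epoch "$_arg") || return 1
            epoch_to_civil "$_abs" ;;
    esac
}

# successor_dates PRED_INACTIVE [INTERVAL]: the dates -S assigns to a
# successor: activation = predecessor's inactivation, publication =
# activation minus the prepublication interval (30 days unless -i is given).
successor_dates() {
    _act=$(civil_to_epoch "$1") || return 1
    _i=${2:-30d}; _i=${_i#+}
    _iv=$(key_offset_seconds "+$_i") || return 1
    echo "publish=$(epoch_to_civil $((_act - _iv))) activate=$(epoch_to_civil "$_act")"
}

# Sample run anchored at a fixed "now" (2019-04-01 00:00:00 UTC).
NOW=$(civil_to_epoch 20190401)
for arg in +30d -1mo +1y 20190615120000 never; do
    echo "$arg -> $(resolve_key_date "$NOW" "$arg")"
done
successor_dates 20190701
successor_dates 20190701 2w
```

    <p>
      The <code>+1y</code> case is worth noticing: because a year is
      defined as 365 days, an offset taken across 29 February 2020 lands
      on 31 March, not 1 April, which is the kind of drift that matters
      when the same offset is reused for each rollover.
    </p>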
  </div>

  <div class="refsection">
<a name="id-1.13.11.10"></a><h2>GENERATED KEY FILES</h2>

    <p>
      When <span class="command"><strong>dnssec-keyfromlabel</strong></span> completes
      successfully,
      it prints a string of the form <code class="filename">Knnnn.+aaa+iiiii</code>
      to the standard output.  This is an identification string for
      the key files it has generated.
    </p>
    <div class="itemizedlist"><ul class="itemizedlist" style="list-style-type: disc; ">
<li class="listitem">
	<p><code class="filename">nnnn</code> is the key name.
	</p>
      </li>
<li class="listitem">
	<p><code class="filename">aaa</code> is the numeric representation
	  of the algorithm.
	</p>
      </li>
<li class="listitem">
	<p><code class="filename">iiiii</code> is the key identifier (or
	  footprint).
	</p>
      </li>
</ul></div>
    <p><span class="command"><strong>dnssec-keyfromlabel</strong></span>
      creates two files, with names based
      on the printed string.  <code class="filename">Knnnn.+aaa+iiiii.key</code>
      contains the public key, and
      <code class="filename">Knnnn.+aaa+iiiii.private</code> contains the
      private key.
    </p>
    <p>
      The <code class="filename">.key</code> file contains a DNSKEY record
      (or a KEY record if <code class="option">-k</code> was given) that
      can be inserted into a zone file (directly or with a $INCLUDE
      statement).
    </p>
    <p>
      The <code class="filename">.private</code> file contains
      algorithm-specific fields.  For a key created by
      <span class="command"><strong>dnssec-keyfromlabel</strong></span> these
      fields hold the engine and label that reference the key object in
      the HSM rather than the private key material itself, which never
      leaves the HSM.  The file is nevertheless created without group or
      world read permission: together with a readable
      <code class="option">pin-source</code> file it is all that is needed
      to sign with the key.
    </p>
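    <p>
      The script below is an added example rather than BIND code.  It
      parses the <code class="filename">Knnnn.+aaa+iiiii</code> naming
      scheme described above, maps the algorithm number back to the
      mnemonic used with <code class="option">-a</code> (numbers from the
      IANA DNSSEC algorithm registry), and audits each
      <code class="filename">.private</code> file for the two things that
      matter for an HSM-backed key: that it has its
      <code class="filename">.key</code> twin and that it is not readable
      by group or others.  The key files it examines are constructed in a
      scratch directory, and the <code>Label:</code> field name it looks
      for is an assumption, not something this page documents.
    </p>

```shell
#!/bin/sh
# Added example, not part of BIND: audit a key directory after
# dnssec-keyfromlabel has run.  The sample key files are constructed here;
# the "Label:" field name is assumed, not taken from this manual page.

# dnssec_alg_name NUMBER: mnemonic for the algorithm numbers -a accepts
# (IANA DNSSEC algorithm registry).
dnssec_alg_name() {
    case $1 in
        5)  echo RSASHA1 ;;
        7)  echo NSEC3RSASHA1 ;;
        8)  echo RSASHA256 ;;
        10) echo RSASHA512 ;;
        13) echo ECDSAP256SHA256 ;;
        14) echo ECDSAP384SHA384 ;;
        15) echo ED25519 ;;
        16) echo ED448 ;;
        *)  echo "UNKNOWN-$1" ;;
    esac
}

# key_file_parse PATH: print "name algorithm keyid" for a file named
# Knnnn.+aaa+iiiii.key or .private; return 1 if the name does not fit.
key_file_parse() {
    _b=${1##*/}
    _b=${_b%.key}; _b=${_b%.private}
    case $_b in
        K*+[0-9][0-9][0-9]+[0-9][0-9][0-9][0-9][0-9]) ;;
        *) return 1 ;;
    esac
    _id=${_b##*+}                # iiiii
    _b=${_b%+*}                  # Knnnn.+aaa
    _alg=${_b##*+}               # aaa
    _name=${_b%+*}; _name=${_name#K}   # nnnn, trailing dot included
    # "1$x - 1000" turns zero-padded "013" into 13 without octal parsing
    echo "$_name $((1$_alg - 1000)) $((1$_id - 100000))"
}

# key_private_audit PATH: 0 if the .private file has a .key twin, is not
# readable by group/other and carries a Label: line (assumed field name for
# an HSM-backed key); otherwise print the problems and return 1.
key_private_audit() {
    _p=$1; _prc=0
    case $_p in *.private) ;; *) echo "$_p: not a .private file"; return 1 ;; esac
    [ -f "${_p%.private}.key" ] || { echo "$_p: no matching .key file"; _prc=1; }
    _m=$(stat -c %a "$_p" 2>/dev/null) || _m=$(stat -f %Lp "$_p")
    _go=${_m#"${_m%??}"}         # last two permission digits
    [ "$_go" = "00" ] || { echo "$_p: readable by group/other (mode $_m)"; _prc=1; }
    grep -q '^Label:' "$_p" || { echo "$_p: no Label: line, not an HSM key?"; _prc=1; }
    return $_prc
}

# key_dir_audit DIR: parse and audit every K*.private file in DIR; print one
# line per key and return 1 if any file fails.
key_dir_audit() {
    _drc=0
    for _f in "$1"/K*.private; do
        [ -f "$_f" ] || continue
        if _fields=$(key_file_parse "$_f"); then
            set -- $_fields
            echo "$1 algorithm=$2 ($(dnssec_alg_name "$2")) keyid=$3"
        else
            echo "$_f: unrecognised key file name"; _drc=1
        fi
        key_private_audit "$_f" || _drc=1
    done
    return $_drc
}

# key_demo_dir: build a scratch directory holding constructed key files:
# one correct pair, one .private left world-readable, one orphan .private.
key_demo_dir() {
    _d=$(mktemp -d)
    for _k in Kexample.com.+013+12345 Kexample.net.+008+00042; do
        printf '; constructed placeholder, not a real DNSKEY (%s)\n' "$_k" >"$_d/$_k.key"
        printf 'Private-key-format: v1.3\nLabel: pkcs11:token=zone-hsm;object=%s\n' "$_k" >"$_d/$_k.private"
    done
    chmod 600 "$_d/Kexample.com.+013+12345.private"
    chmod 644 "$_d/Kexample.net.+008+00042.private"
    printf 'Label: pkcs11:token=zone-hsm;object=orphan\n' >"$_d/Kexample.org.+015+00007.private"
    chmod 600 "$_d/Kexample.org.+015+00007.private"
    printf '%s\n' "$_d"
}

_d=$(key_demo_dir)
key_dir_audit "$_d" || echo "audit found problems in $_d"
rm -rf "$_d"
```

    <p>
      Because the <code class="filename">.private</code> file of an
      HSM-backed key is only a reference, a world-readable copy leaks the
      label rather than key material; the audit still treats it as a
      failure because the label, the PIN file and HSM access together are
      sufficient to sign.
    </p>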
  </div>

  <div class="refsection">
<a name="id-1.13.11.11"></a><h2>SEE ALSO</h2>

    <p><span class="citerefentry">
	<span class="refentrytitle">dnssec-keygen</span>(8)
      </span>,
      <span class="citerefentry">
	<span class="refentrytitle">dnssec-signzone</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 4034</em>,
      <em class="citetitle">The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13, published as RFC 7512)</em>.
    </p>
  </div>

</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-importkey.html">Prev</a></td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
<td width="40%" align="right"><a accesskey="n" href="man.dnssec-keygen.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-importkey</span></td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"><span class="application">dnssec-keygen</span>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.1 (Stable Release)</p>
</body>
</html>