| blob | 4c8bc74f773a789ebecf814a2d09fb76d974f479 |
1 <!--
2 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
3 - Copyright (C) 2000-2003 Internet Software Consortium.
4 -
5 - Permission to use, copy, modify, and/or distribute this software for any
6 - purpose with or without fee is hereby granted, provided that the above
7 - copyright notice and this permission notice appear in all copies.
8 -
9 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15 - PERFORMANCE OF THIS SOFTWARE.
16 -->
17 <!-- Id: man.dnssec-keyfromlabel.html,v 1.83 2009/12/04 22:22:25 tbox Exp -->
18 <html>
19 <head>
27 </head>
31 <tr><th colspan="3" align="center"><span class="application">dnssec-keyfromlabel</span></th></tr>
32 <tr>
37 </td>
38 </tr>
39 </table>
40 <hr>
41 </div>
47 </div>
50 <div class="cmdsynopsis"><p><code class="command">dnssec-keyfromlabel</code> {-l <em class="replaceable"><code>label</code></em>} [<code class="option">-3</code>] [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-k</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {name}</p></div>
51 </div>
55 gets keys with the given label from a crypto hardware and builds
56 key files for DNSSEC (Secure DNS), as defined in RFC 2535
57 and RFC 4034.
58 </p>
59 <p>
61 line. This must match the name of the zone for which the key is
62 being generated.
63 </p>
64 </div>
69 <dd>
70 <p>
71 Selects the cryptographic algorithm. The value of
73 DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256 or RSASHA512.
74 These values are case insensitive.
75 </p>
76 <p>
77 If no algorithm is specified, then RSASHA1 will be used by
79 in which case NSEC3RSASHA1 will be used instead. (If
81 that algorithm will be checked for compatibility with NSEC3.)
82 </p>
83 <p>
84 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
85 algorithm, and DSA is recommended.
86 </p>
87 <p>
88 Note 2: DH automatically sets the -k flag.
89 </p>
90 </dd>
92 <dd><p>
93 Use an NSEC3-capable algorithm to generate a DNSSEC key.
94 If this option is used and no algorithm is explicitly
95 set on the command line, NSEC3RSASHA1 will be used by
96 default.
97 </p></dd>
99 <dd><p>
100 Specifies the name of the crypto hardware (OpenSSL engine).
102 </p></dd>
104 <dd><p>
105 Specifies the label of the key pair in the crypto hardware.
106 The label may be preceded by an optional OpenSSL engine name,
107 separated by a colon, as in "pkcs11:keylabel".
108 </p></dd>
110 <dd><p>
111 Specifies the owner type of the key. The value of
113 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
114 a host (KEY)),
115 USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
116 These values are case insensitive.
117 </p></dd>
119 <dd><p>
120 Compatibility mode: generates an old-style key, without
122 will include the key's creation date in the metadata stored
123 with the private key, and other dates may be set there as well
124 (publication date, activation date, etc). Keys that include
125 this data may be incompatible with older versions of BIND; the
127 </p></dd>
129 <dd><p>
130 Indicates that the DNS record containing the key should have
131 the specified class. If not specified, class IN is used.
132 </p></dd>
134 <dd><p>
135 Set the specified flag in the flag field of the KEY/DNSKEY record.
136 The only recognized flags are KSK (Key Signing Key) and REVOKE.
137 </p></dd>
139 <dd><p>
140 Generate a key, but do not publish it or sign with it. This
141 option is incompatible with -P and -A.
142 </p></dd>
144 <dd><p>
145 Prints a short summary of the options and arguments to
147 </p></dd>
149 <dd><p>
150 Sets the directory in which the key files are to be written.
151 </p></dd>
153 <dd><p>
154 Generate KEY records rather than DNSKEY records.
155 </p></dd>
157 <dd><p>
158 Sets the protocol value for the key. The protocol
160 Other possible values for this argument are listed in
161 RFC 2535 and its successors.
162 </p></dd>
164 <dd><p>
166 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
167 is AUTHCONF. AUTH refers to the ability to authenticate
168 data, and CONF the ability to encrypt data.
169 </p></dd>
171 <dd><p>
172 Sets the debugging level.
173 </p></dd>
174 </dl></div>
175 </div>
178 <p>
179 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
180 If the argument begins with a '+' or '-', it is interpreted as
181 an offset from the present time. For convenience, if such an offset
182 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
183 then the offset is computed in years (defined as 365 24-hour days,
184 ignoring leap years), months (defined as 30 24-hour days), weeks,
185 days, hours, or minutes, respectively. Without a suffix, the offset
186 is computed in seconds.
187 </p>
190 <dd><p>
191 Sets the date on which a key is to be published to the zone.
192 After that date, the key will be included in the zone but will
193 not be used to sign it. If not set, and if the -G option has
194 not been used, the default is "now".
195 </p></dd>
197 <dd><p>
198 Sets the date on which the key is to be activated. After that
199 date, the key will be included in the zone and used to sign
200 it. If not set, and if the -G option has not been used, the
201 default is "now".
202 </p></dd>
204 <dd><p>
205 Sets the date on which the key is to be revoked. After that
206 date, the key will be flagged as revoked. It will be included
207 in the zone and will be used to sign it.
208 </p></dd>
210 <dd><p>
211 Sets the date on which the key is to be retired. After that
212 date, the key will still be included in the zone, but it
213 will not be used to sign it.
214 </p></dd>
216 <dd><p>
217 Sets the date on which the key is to be deleted. After that
218 date, the key will no longer be included in the zone. (It
219 may remain in the key repository, however.)
220 </p></dd>
221 </dl></div>
222 </div>
225 <p>
227 successfully,
229 to the standard output. This is an identification string for
230 the key files it has generated.
231 </p>
234 </p></li>
236 of the algorithm.
237 </p></li>
239 footprint).
240 </p></li>
241 </ul></div>
243 creates two files, with names based
245 contains the public key, and
247 private key.
248 </p>
249 <p>
251 that
252 can be inserted into a zone file (directly or with a $INCLUDE
253 statement).
254 </p>
255 <p>
257 algorithm-specific
258 fields. For obvious security reasons, this file does not have
259 general read permission.
260 </p>
261 </div>
268 </p>
269 </div>
273 </p>
274 </div>
275 </div>
277 <hr>
279 <tr>
284 </td>
285 </tr>
286 <tr>
291 </td>
292 </tr>
293 </table>
294 </div>
295 </body>
296 </html>