1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC")
7 - Permission to use, copy, modify, and/or distribute this software for any
8 - purpose with or without fee is hereby granted, provided that the above
9 - copyright notice and this permission notice appear in all copies.
11 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 - PERFORMANCE OF THIS SOFTWARE.
20 <!-- $Id: dnssec-keyfromlabel.docbook,v 1.6.14.2 2010/01/15 23:47:31 tbox Exp $ -->
21 <refentry id="man.dnssec-keyfromlabel">
23 <date>February 8, 2008</date>
27 <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
28 <manvolnum>8</manvolnum>
29 <refmiscinfo>BIND9</refmiscinfo>
33 <refname><application>dnssec-keyfromlabel</application></refname>
34 <refpurpose>DNSSEC key generation tool</refpurpose>
41 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
47 <command>dnssec-keyfromlabel</command>
48 <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
49 <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
50 <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
51 <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
52 <arg><option>-k</option></arg>
53 <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
54 <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
55 <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
56 <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
57 <arg choice="req">name</arg>
62 <title>DESCRIPTION</title>
63 <para><command>dnssec-keyfromlabel</command>
64 gets keys with the given label from a crypto hardware and builds
65 key files for DNSSEC (Secure DNS), as defined in RFC 2535
71 <title>OPTIONS</title>
75 <term>-a <replaceable class="parameter">algorithm</replaceable></term>
78 Selects the cryptographic algorithm. The value of
79 <option>algorithm</option> must be one of RSAMD5,
80 RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
81 RSASHA512 or DH (Diffie Hellman).
82 These values are case insensitive.
85 If no algorithm is specified, then RSASHA1 will be used by
86 default, unless the <option>-3</option> option is specified,
87 in which case NSEC3RSASHA1 will be used instead. (If
88 <option>-3</option> is used and an algorithm is specified,
89 that algorithm will be checked for compatibility with NSEC3.)
92 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
93 algorithm, and DSA is recommended.
96 Note 2: DH automatically sets the -k flag.
102 <term>-l <replaceable class="parameter">label</replaceable></term>
105 Specifies the label of keys in the crypto hardware
112 <term>-n <replaceable class="parameter">nametype</replaceable></term>
115 Specifies the owner type of the key. The value of
116 <option>nametype</option> must either be ZONE (for a DNSSEC
117 zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
119 USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
127 <term>-c <replaceable class="parameter">class</replaceable></term>
130 Indicates that the DNS record containing the key should have
131 the specified class. If not specified, class IN is used.
137 <term>-f <replaceable class="parameter">flag</replaceable></term>
140 Set the specified flag in the flag field of the KEY/DNSKEY record.
141 The only recognized flag is KSK (Key Signing Key) DNSKEY.
150 Prints a short summary of the options and arguments to
151 <command>dnssec-keygen</command>.
160 Generate KEY records rather than DNSKEY records.
166 <term>-p <replaceable class="parameter">protocol</replaceable></term>
169 Sets the protocol value for the generated key. The protocol
170 is a number between 0 and 255. The default is 3 (DNSSEC).
171 Other possible values for this argument are listed in
172 RFC 2535 and its successors.
178 <term>-t <replaceable class="parameter">type</replaceable></term>
181 Indicates the use of the key. <option>type</option> must be
182 one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
183 is AUTHCONF. AUTH refers to the ability to authenticate
184 data, and CONF the ability to encrypt data.
190 <term>-v <replaceable class="parameter">level</replaceable></term>
193 Sets the debugging level.
202 <title>GENERATED KEY FILES</title>
204 When <command>dnssec-keyfromlabel</command> completes
206 it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
207 to the standard output. This is an identification string for
208 the key files it has generated.
212 <para><filename>nnnn</filename> is the key name.
216 <para><filename>aaa</filename> is the numeric representation
222 <para><filename>iiiii</filename> is the key identifier (or
227 <para><command>dnssec-keyfromlabel</command>
228 creates two files, with names based
229 on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
230 contains the public key, and
231 <filename>Knnnn.+aaa+iiiii.private</filename> contains the
236 The <filename>.key</filename> file contains a DNS KEY record
238 can be inserted into a zone file (directly or with a $INCLUDE
242 The <filename>.private</filename> file contains algorithm
244 fields. For obvious security reasons, this file does not have
245 general read permission.
250 <title>SEE ALSO</title>
252 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
255 <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
257 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
258 <citetitle>RFC 4034</citetitle>.
263 <title>AUTHOR</title>
264 <para><corpauthor>Internet Systems Consortium</corpauthor>