<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "—">]>
<!--
- Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<date>February 8, 2008</date>
<refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
<refname><application>dnssec-keyfromlabel</application></refname>
<refpurpose>DNSSEC key generation tool</refpurpose>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
<command>dnssec-keyfromlabel</command>
<arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg>
<arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">name</arg>
<title>DESCRIPTION</title>
<para><command>dnssec-keyfromlabel</command>
retrieves the keys with the given label from cryptographic hardware and builds
key files for DNSSEC (Secure DNS), as defined in RFC 2535
<title>OPTIONS</title>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
Selects the cryptographic algorithm. The value of
<option>algorithm</option> must be one of RSAMD5 (RSA),
RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie-Hellman).
These values are case insensitive.
Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
algorithm, and DSA is recommended.
Note 2: DH automatically sets the -k flag.
<term>-l <replaceable class="parameter">label</replaceable></term>
Specifies the label of the keys in the cryptographic hardware.
<term>-n <replaceable class="parameter">nametype</replaceable></term>
Specifies the owner type of the key. The value of
<option>nametype</option> must be one of ZONE (for a DNSSEC
zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
USER (for a key associated with a user (KEY)) or OTHER (DNSKEY).
<term>-c <replaceable class="parameter">class</replaceable></term>
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
<term>-f <replaceable class="parameter">flag</replaceable></term>
Sets the specified flag in the flag field of the KEY/DNSKEY record.
The only recognized flag is KSK (Key Signing Key) DNSKEY.
Prints a short summary of the options and arguments to
<command>dnssec-keygen</command>.
Generate KEY records rather than DNSKEY records.
<term>-p <replaceable class="parameter">protocol</replaceable></term>
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in
RFC 2535 and its successors.
<term>-t <replaceable class="parameter">type</replaceable></term>
Indicates the use of the key. <option>type</option> must be
one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
is AUTHCONF. AUTH refers to the ability to authenticate
data, and CONF the ability to encrypt data.
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
<title>GENERATED KEY FILES</title>
When <command>dnssec-keyfromlabel</command> completes
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key files it has generated.
<para><filename>nnnn</filename> is the key name.
<para><filename>aaa</filename> is the numeric representation
<para><filename>iiiii</filename> is the key identifier (or
<para><command>dnssec-keyfromlabel</command>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
The <filename>.key</filename> file contains a DNS KEY record
can be inserted into a zone file (directly or with a $INCLUDE
The <filename>.private</filename> file contains algorithm
fields. For obvious security reasons, this file does not have
general read permission.
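<para>The identification string described above can be checked against the <filename>.key</filename> file the tool wrote. The following Python script is an added example, not part of this manual page or of BIND: it parses the DNSKEY line of a <filename>.key</filename> file, recomputes the key tag (the <filename>iiiii</filename> field, computed as in RFC 4034 Appendix B) and the algorithm number (the <filename>aaa</filename> field, using the IANA DNSKEY algorithm numbers for the -a mnemonics listed under OPTIONS), rebuilds the <filename>Knnnn.+aaa+iiiii</filename> string and compares it with the one the tool printed, checks that the protocol field is 3 and that the zone-key flag is set (with the KSK flag from -f reported separately), and tests whether a <filename>.private</filename> file's mode grants any access to group or others. The DNSKEY line format (owner, optional TTL and class, then DNSKEY and the four RDATA fields), the helper names and the sample record are assumptions of this example; the sample public key is a constructed six-byte blob, not a real key.</para>

```python
import base64
import stat

# Mnemonics accepted by -a, mapped to their IANA DNSKEY algorithm numbers; the
# number is printed zero-padded as the "aaa" field of Knnnn.+aaa+iiiii.
ALGORITHM_NUMBERS = {"RSAMD5": 1, "DH": 2, "DSA": 3, "RSASHA1": 5,
                     "NSEC3DSA": 6, "NSEC3RSASHA1": 7}

# DNSKEY flag bits: 256 marks a zone key (-n ZONE); 1 is the Secure Entry Point
# bit that -f KSK adds on top of it, so a KSK carries flags 257.
FLAG_ZONE_KEY = 256
FLAG_SEP = 1


def bit_set(value, bit):
    """True if flag bit `bit` (a power of two) is set in `value`."""
    return (value // bit) % 2 == 1


def key_tag(rdata):
    """Key tag over DNSKEY RDATA, RFC 4034 Appendix B.

    Written without bitwise operators so the listing has no XML-special
    characters: b * 256 is b shifted left eight bits, x % 0x10000 masks x
    to its low sixteen bits.
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i % 2 == 1 else b * 256
    ac += (ac >> 16) % 0x10000
    return ac % 0x10000


def parse_dnskey_line(line):
    """Parse "owner [ttl] [class] DNSKEY flags protocol algorithm key..."
    (the .key file line format assumed here) into its fields and RDATA."""
    tokens = line.split()
    if "DNSKEY" not in tokens:
        raise ValueError("not a DNSKEY record: %r" % line)
    idx = tokens.index("DNSKEY")
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    public_key = base64.b64decode("".join(tokens[idx + 4:]))
    # Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key.
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key
    return {"owner": tokens[0], "flags": flags, "protocol": protocol,
            "algorithm": algorithm, "public_key": public_key, "rdata": rdata,
            "is_ksk": bit_set(flags, FLAG_ZONE_KEY) and bit_set(flags, FLAG_SEP)}


def key_identifier(record):
    """Rebuild Knnnn.+aaa+iiiii; the owner name already ends in the dot."""
    return "K%s+%03d+%05d" % (record["owner"], record["algorithm"],
                              key_tag(record["rdata"]))


def check_key_file(text, printed_identifier):
    """Compare a .key file with the identifier the tool printed; returns a list
    of problems, empty when the file agrees, uses protocol 3 and is a zone key."""
    record = None
    for line in text.splitlines():
        if line.strip() and not line.startswith(";"):
            record = parse_dnskey_line(line)
            break
    if record is None:
        return ["no DNSKEY record found"]
    problems = []
    if record["protocol"] != 3:
        problems.append("protocol is %d, expected 3 (DNSSEC)" % record["protocol"])
    if not bit_set(record["flags"], FLAG_ZONE_KEY):
        problems.append("zone-key flag (256) not set")
    actual = key_identifier(record)
    if actual != printed_identifier:
        problems.append("identifier mismatch: file gives %s, tool printed %s"
                        % (actual, printed_identifier))
    return problems


def private_file_mode_ok(st_mode):
    """True when a .private file grants nothing to group or others. Pass
    os.stat(path).st_mode; S_IMODE drops the file-type bits and the remainder
    modulo 0o100 is exactly the group and other permission bits."""
    return stat.S_IMODE(st_mode) % 0o100 == 0


# Constructed sample .key file: a KSK (flags 257) for example.com, algorithm 5
# (RSASHA1), with a meaningless six-byte stand-in for the public key.
SAMPLE_KEY_FILE = """\
; constructed example, not a real key
example.com. IN DNSKEY 257 3 5 AwEAAavN
"""

if __name__ == "__main__":
    print(check_key_file(SAMPLE_KEY_FILE, "Kexample.com.+005+45781"))  # []
    print(private_file_mode_ok(0o100600), private_file_mode_ok(0o100644))
```

<para>Against real output, read the identifier the tool printed, open the corresponding <filename>.key</filename> file and pass its text to <literal>check_key_file</literal>; pass <literal>os.stat(path).st_mode</literal> of the <filename>.private</filename> file to <literal>private_file_mode_ok</literal>. An identifier mismatch means the file on disk is not the key the tool reported (for example a stale file with the same name), and a group- or world-readable <filename>.private</filename> file should be treated as a finding.</para>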
<title>SEE ALSO</title>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2539</citetitle>,
<citetitle>RFC 2845</citetitle>,
<citetitle>RFC 4033</citetitle>.
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>