1DNSSEC-KEYFROMLABEL(8) BIND9 DNSSEC-KEYFROMLABEL(8)
2
6 dnssec-keyfromlabel - DNSSEC key generation tool
7
9 dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset]
10 [-c class] [-D date/offset] [-D sync date/offset]
11 [-E engine] [-f flag] [-G] [-I date/offset]
12 [-i interval] [-k] [-K directory] [-L ttl]
13 [-n nametype] [-P date/offset]
14 [-P sync date/offset] [-p protocol]
15 [-R date/offset] [-S key] [-t type] [-v level] [-V]
16 [-y] {name}
17
19 dnssec-keyfromlabel generates a key pair of files that referencing a
20 key object stored in a cryptographic hardware service module (HSM). The
21 private key file can be used for DNSSEC signing of zone data as if it
22 were a conventional signing key created by dnssec-keygen, but the key
23 material is stored within the HSM, and the actual signing takes place
24 there.
25 The name of the key is specified on the command line. This must match
27 the name of the zone for which the key is being generated.
28
30 -a algorithm
31 Selects the cryptographic algorithm. The value of algorithm must be
32 one of RSAMD5, RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256,
33 RSASHA512, ECCGOST, ECDSAP256SHA256, ECDSAP384SHA384, ED25519 or
34 ED448. These values are case insensitive.
35 If no algorithm is specified, then RSASHA1 will be used by default,
37 unless the -3 option is specified, in which case NSEC3RSASHA1 will
38 be used instead. (If -3 is used and an algorithm is specified, that
39 algorithm will be checked for compatibility with NSEC3.)
40 Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
42 algorithm, and DSA is recommended.
43 Note 2: DH automatically sets the -k flag.
45 -3
47 Use an NSEC3-capable algorithm to generate a DNSSEC key. If this
48 option is used and no algorithm is explicitly set on the command
49 line, NSEC3RSASHA1 will be used by default.
50 -E engine
52 Specifies the cryptographic hardware to use.
53 When BIND is built with OpenSSL PKCS#11 support, this defaults to
55 the string "pkcs11", which identifies an OpenSSL engine that can
56 drive a cryptographic accelerator or hardware service module. When
57 BIND is built with native PKCS#11 cryptography
58 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
59 provider library specified via "--with-pkcs11".
60 -l label
62 Specifies the label for a key pair in the crypto hardware.
63 When BIND 9 is built with OpenSSL-based PKCS#11 support, the label
65 is an arbitrary string that identifies a particular key. It may be
66 preceded by an optional OpenSSL engine name, followed by a colon,
67 as in "pkcs11:keylabel".
68 When BIND 9 is built with native PKCS#11 support, the label is a
70 PKCS#11 URI string in the format
71 "pkcs11:keyword=value[;keyword=value;...]" Keywords include
72 "token", which identifies the HSM; "object", which identifies the
73 key; and "pin-source", which identifies a file from which the HSM's
74 PIN code can be obtained. The label will be stored in the on-disk
75 "private" file.
76 If the label contains a pin-source field, tools using the generated
78 key files will be able to use the HSM for signing and other
79 operations without any need for an operator to manually enter a
80 PIN. Note: Making the HSM's PIN accessible in this manner may
81 reduce the security advantage of using an HSM; be sure this is what
82 you want to do before making use of this feature.
83 -n nametype
85 Specifies the owner type of the key. The value of nametype must
86 either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
87 (for a key associated with a host (KEY)), USER (for a key
88 associated with a user(KEY)) or OTHER (DNSKEY). These values are
89 case insensitive.
90 -C
92 Compatibility mode: generates an old-style key, without any
93 metadata. By default, dnssec-keyfromlabel will include the key's
94 creation date in the metadata stored with the private key, and
95 other dates may be set there as well (publication date, activation
96 date, etc). Keys that include this data may be incompatible with
97 older versions of BIND; the -C option suppresses them.
98 -c class
100 Indicates that the DNS record containing the key should have the
101 specified class. If not specified, class IN is used.
102 -f flag
104 Set the specified flag in the flag field of the KEY/DNSKEY record.
105 The only recognized flags are KSK (Key Signing Key) and REVOKE.
106 -G
108 Generate a key, but do not publish it or sign with it. This option
109 is incompatible with -P and -A.
110 -h
112 Prints a short summary of the options and arguments to
113 dnssec-keyfromlabel.
114 -K directory
116 Sets the directory in which the key files are to be written.
117 -k
119 Generate KEY records rather than DNSKEY records.
120 -L ttl
122 Sets the default TTL to use for this key when it is converted into
123 a DNSKEY RR. If the key is imported into a zone, this is the TTL
124 that will be used for it, unless there was already a DNSKEY RRset
125 in place, in which case the existing TTL would take precedence.
126 Setting the default TTL to 0 or none removes it.
127 -p protocol
129 Sets the protocol value for the key. The protocol is a number
130 between 0 and 255. The default is 3 (DNSSEC). Other possible values
131 for this argument are listed in RFC 2535 and its successors.
132 -S key
134 Generate a key as an explicit successor to an existing key. The
135 name, algorithm, size, and type of the key will be set to match the
136 predecessor. The activation date of the new key will be set to the
137 inactivation date of the existing one. The publication date will be
138 set to the activation date minus the prepublication interval, which
139 defaults to 30 days.
140 -t type
142 Indicates the use of the key. type must be one of AUTHCONF,
143 NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
144 to the ability to authenticate data, and CONF the ability to
145 encrypt data.
146 -v level
148 Sets the debugging level.
149 -V
151 Prints version information.
152 -y
154 Allows DNSSEC key files to be generated even if the key ID would
155 collide with that of an existing key, in the event of either key
156 being revoked. (This is only safe to use if you are sure you won't
157 be using RFC 5011 trust anchor maintenance with either of the keys
158 involved.)
159
161 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
162 argument begins with a '+' or '-', it is interpreted as an offset from
163 the present time. For convenience, if such an offset is followed by one
164 of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is
165 computed in years (defined as 365 24-hour days, ignoring leap years),
166 months (defined as 30 24-hour days), weeks, days, hours, or minutes,
167 respectively. Without a suffix, the offset is computed in seconds. To
168 explicitly prevent a date from being set, use 'none' or 'never'.
169 -P date/offset
171 Sets the date on which a key is to be published to the zone. After
172 that date, the key will be included in the zone but will not be
173 used to sign it. If not set, and if the -G option has not been
174 used, the default is "now".
175 -P sync date/offset
177 Sets the date on which the CDS and CDNSKEY records which match this
178 key are to be published to the zone.
179 -A date/offset
181 Sets the date on which the key is to be activated. After that date,
182 the key will be included in the zone and used to sign it. If not
183 set, and if the -G option has not been used, the default is "now".
184 -R date/offset
186 Sets the date on which the key is to be revoked. After that date,
187 the key will be flagged as revoked. It will be included in the zone
188 and will be used to sign it.
189 -I date/offset
191 Sets the date on which the key is to be retired. After that date,
192 the key will still be included in the zone, but it will not be used
193 to sign it.
194 -D date/offset
196 Sets the date on which the key is to be deleted. After that date,
197 the key will no longer be included in the zone. (It may remain in
198 the key repository, however.)
199 -D sync date/offset
201 Sets the date on which the CDS and CDNSKEY records which match this
202 key are to be deleted.
203 -i interval
205 Sets the prepublication interval for a key. If set, then the
206 publication and activation dates must be separated by at least this
207 much time. If the activation date is specified but the publication
208 date isn't, then the publication date will default to this much
209 time before the activation date; conversely, if the publication
210 date is specified but activation date isn't, then activation will
211 be set to this much time after publication.
212 If the key is being created as an explicit successor to another
214 key, then the default prepublication interval is 30 days; otherwise
215 it is zero.
216 As with date offsets, if the argument is followed by one of the
218 suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is
219 measured in years, months, weeks, days, hours, or minutes,
220 respectively. Without a suffix, the interval is measured in
221 seconds.
222
224 When dnssec-keyfromlabel completes successfully, it prints a string of
225 the form Knnnn.+aaa+iiiii to the standard output. This is an
226 identification string for the key files it has generated.
227 · nnnn is the key name.
229 · aaa is the numeric representation of the algorithm.
231 · iiiii is the key identifier (or footprint).
233 dnssec-keyfromlabel creates two files, with names based on the printed
235 string. Knnnn.+aaa+iiiii.key contains the public key, and
236 Knnnn.+aaa+iiiii.private contains the private key.
237 The .key file contains a DNS KEY record that can be inserted into a
239 zone file (directly or with a $INCLUDE statement).
240 The .private file contains algorithm-specific fields. For obvious
242 security reasons, this file does not have general read permission.
243
245 dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference
246 Manual, RFC 4034, The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13).
247
249 Internet Systems Consortium, Inc.
250
252 Copyright © 2008-2012, 2014-2019 Internet Systems Consortium, Inc.
253 ("ISC")
254ISC August 27, 2015 DNSSEC-KEYFROMLABEL(8)