DNSSEC-KEYFROMLABEL(8)              BIND 9              DNSSEC-KEYFROMLABEL(8)


NAME

       dnssec-keyfromlabel - DNSSEC key generation tool


SYNOPSIS

       dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset]
       [-c class] [-D date/offset] [-D sync date/offset] [-E engine]
       [-f flag] [-G] [-I date/offset] [-i interval] [-k] [-K directory]
       [-L ttl] [-n nametype] [-P date/offset] [-P sync date/offset]
       [-p protocol] [-R date/offset] [-S key] [-t type] [-v level] [-V]
       [-y] {name}


DESCRIPTION

       dnssec-keyfromlabel generates a pair of key files that reference a key
       object stored in a cryptographic hardware security module (HSM). The
       private key file can be used for DNSSEC signing of zone data as if it
       were a conventional signing key created by dnssec-keygen, but the key
       material is stored within the HSM and the actual signing takes place
       there.

       The name of the key is specified on the command line. This must match
       the name of the zone for which the key is being generated.


OPTIONS

       -a algorithm
              This option selects the cryptographic algorithm. The value of
              algorithm must be one of RSASHA1, NSEC3RSASHA1, RSASHA256,
              RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.

              If no algorithm is specified, RSASHA1 is used by default unless
              the -3 option is specified, in which case NSEC3RSASHA1 is used
              instead. (If -3 is used and an algorithm is specified, that
              algorithm is checked for compatibility with NSEC3.)

              These values are case-insensitive. In some cases, abbreviations
              are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384
              for ECDSAP384SHA384. If RSASHA1 is specified along with the -3
              option, then NSEC3RSASHA1 is used instead.

              Since BIND 9.12.0, this option is mandatory except when using
              the -S option, which copies the algorithm from the predecessor
              key. Previously, the default for newly generated keys was
              RSASHA1.

       -3     This option uses an NSEC3-capable algorithm to generate a DNSSEC
              key. If this option is used with an algorithm that has both NSEC
              and NSEC3 versions, then the NSEC3 version is used; for example,
              dnssec-keygen -3a RSASHA1 specifies the NSEC3RSASHA1 algorithm.

       -E engine
              This option specifies the cryptographic hardware to use.

              When BIND 9 is built with OpenSSL, this needs to be set to the
              OpenSSL engine identifier that drives the cryptographic
              accelerator or hardware security module (usually pkcs11). When
              BIND is built with native PKCS#11 cryptography
              (--enable-native-pkcs11), it defaults to the path of the PKCS#11
              provider library specified via --with-pkcs11.

       -l label
              This option specifies the label for a key pair in the crypto
              hardware.

              When BIND 9 is built with OpenSSL-based PKCS#11 support, the
              label is an arbitrary string that identifies a particular key.
              It may be preceded by an optional OpenSSL engine name, followed
              by a colon, as in pkcs11:keylabel.

              When BIND 9 is built with native PKCS#11 support, the label is a
              PKCS#11 URI string in the format
              pkcs11:keyword=value[;keyword=value;...]. Keywords include
              token, which identifies the HSM; object, which identifies the
              key; and pin-source, which identifies a file from which the
              HSM's PIN code can be obtained. The label is stored in the
              on-disk private file.

              If the label contains a pin-source field, tools using the
              generated key files are able to use the HSM for signing and
              other operations without any need for an operator to manually
              enter a PIN. Note: Making the HSM's PIN accessible in this
              manner may reduce the security advantage of using an HSM; use
              caution with this feature.

       -n nametype
              This option specifies the owner type of the key. The value of
              nametype must either be ZONE (for a DNSSEC zone key
              (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host
              (KEY)), USER (for a key associated with a user (KEY)), or OTHER
              (DNSKEY). These values are case-insensitive.

       -C     This option enables compatibility mode, which generates an
              old-style key, without any metadata. By default,
              dnssec-keyfromlabel includes the key's creation date in the
              metadata stored with the private key; other dates may be set
              there as well, including publication date, activation date, etc.
              Keys that include this data may be incompatible with older
              versions of BIND; the -C option suppresses them.

       -c class
              This option indicates that the DNS record containing the key
              should have the specified class. If not specified, class IN is
              used.

       -f flag
              This option sets the specified flag in the flag field of the
              KEY/DNSKEY record. The only recognized flags are KSK
              (Key-Signing Key) and REVOKE.

       -G     This option generates a key, but does not publish it or sign
              with it. This option is incompatible with -P and -A.

       -h     This option prints a short summary of the options and arguments
              to dnssec-keyfromlabel.

       -K directory
              This option sets the directory in which the key files are to be
              written.

       -k     This option generates KEY records rather than DNSKEY records.

       -L ttl This option sets the default TTL to use for this key when it is
              converted into a DNSKEY RR. This is the TTL used when the key is
              imported into a zone, unless there was already a DNSKEY RRset in
              place, in which case the existing TTL would take precedence.
              Setting the default TTL to 0 or none removes it.

       -p protocol
              This option sets the protocol value for the key. The protocol is
              a number between 0 and 255. The default is 3 (DNSSEC). Other
              possible values for this argument are listed in RFC 2535 and its
              successors.

       -S key This option generates a key as an explicit successor to an
              existing key. The name, algorithm, size, and type of the key are
              set to match the predecessor. The activation date of the new key
              is set to the inactivation date of the existing one. The
              publication date is set to the activation date minus the
              prepublication interval, which defaults to 30 days.

       -t type
              This option indicates the type of the key. type must be one of
              AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default is
              AUTHCONF. AUTH refers to the ability to authenticate data, and
              CONF to the ability to encrypt data.

       -v level
              This option sets the debugging level.

       -V     This option prints version information.

       -y     This option allows DNSSEC key files to be generated even if the
              key ID would collide with that of an existing key, in the event
              of either key being revoked. (This is only safe to enable if RFC
              5011 trust anchor maintenance is not used with either of the
              keys involved.)

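       The following is an added example, not code from BIND or this man
       page: a small Python parser for the two -l label forms described
       above (the OpenSSL [engine:]keylabel form and the native PKCS#11 URI
       form), with a review helper that reports when a label embeds a
       pin-source, since that label, and therefore the PIN location, ends up
       in the on-disk .private file. The sample labels, the token name
       "softhsm", the object name "zsk1" and the pin file path are
       constructed for the example.

```python
"""Added example (not BIND's code): inspect a dnssec-keyfromlabel -l label.

parse_label() recognises the two forms the man page describes:
  OpenSSL build:   [engine:]keylabel            e.g. pkcs11:zsk1
  native PKCS#11:  pkcs11:keyword=value[;...]   e.g. pkcs11:token=softhsm;object=zsk1
label_review() lists the operational notes a reviewer would want, in
particular the presence of pin-source.  All sample values are constructed.
"""
from urllib.parse import unquote


def parse_label(label):
    """Return a dict describing the label.

    A PKCS#11 URI is assumed when the scheme is 'pkcs11' and the remainder
    carries at least one keyword=value pair (RFC 7512 percent-encoding is
    decoded); anything else is treated as the OpenSSL [engine:]keylabel form.
    """
    scheme, sep, rest = label.partition(":")
    if sep and scheme.lower() == "pkcs11" and "=" in rest:
        attrs = {}
        for pair in rest.split(";"):
            if not pair:
                continue
            key, eq, value = pair.partition("=")
            if not eq:
                raise ValueError("malformed PKCS#11 URI component: %r" % pair)
            attrs[unquote(key.strip())] = unquote(value.strip())
        return {"form": "pkcs11", "attrs": attrs}
    if sep:
        return {"form": "openssl", "engine": scheme, "label": rest}
    return {"form": "openssl", "engine": None, "label": label}


def label_review(label):
    """Return reviewer notes for a label (empty list means nothing to flag)."""
    info = parse_label(label)
    notes = []
    if info["form"] != "pkcs11":
        return notes
    attrs = info["attrs"]
    if "object" not in attrs:
        notes.append("no 'object' keyword: the label does not name a key")
    if "token" not in attrs:
        notes.append("no 'token' keyword: the label does not name an HSM")
    if "pin-source" in attrs:
        notes.append(
            "pin-source=%s: tools can open the HSM without an operator-entered "
            "PIN, and this label is stored in the .private file" % attrs["pin-source"]
        )
    return notes


if __name__ == "__main__":
    # Constructed sample labels, one per form.
    for sample in (
        "pkcs11:zsk1",
        "pkcs11:token=softhsm;object=zsk1",
        "pkcs11:token=softhsm;object=zsk1;pin-source=file:/etc/bind/hsm.pin",
    ):
        print(sample, "->", parse_label(sample), label_review(sample))
```

       The parser deliberately treats pkcs11:keylabel (no "=" anywhere) as
       the OpenSSL form, which is exactly the example the man page gives for
       that build.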

TIMING OPTIONS

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
       argument begins with a + or -, it is interpreted as an offset from the
       present time. For convenience, if such an offset is followed by one of
       the suffixes y, mo, w, d, h, or mi, then the offset is computed in
       years (defined as 365 24-hour days, ignoring leap years), months
       (defined as 30 24-hour days), weeks, days, hours, or minutes,
       respectively. Without a suffix, the offset is computed in seconds. To
       explicitly prevent a date from being set, use none or never.

       -P date/offset
              This option sets the date on which a key is to be published to
              the zone. After that date, the key is included in the zone but
              is not used to sign it. If not set, and if the -G option has not
              been used, the default is the current date.

       -P sync date/offset
              This option sets the date on which CDS and CDNSKEY records that
              match this key are to be published to the zone.

       -A date/offset
              This option sets the date on which the key is to be activated.
              After that date, the key is included in the zone and used to
              sign it. If not set, and if the -G option has not been used, the
              default is the current date.

       -R date/offset
              This option sets the date on which the key is to be revoked.
              After that date, the key is flagged as revoked. It is included
              in the zone and is used to sign it.

       -I date/offset
              This option sets the date on which the key is to be retired.
              After that date, the key is still included in the zone, but it
              is not used to sign it.

       -D date/offset
              This option sets the date on which the key is to be deleted.
              After that date, the key is no longer included in the zone.
              (However, it may remain in the key repository.)

       -D sync date/offset
              This option sets the date on which the CDS and CDNSKEY records
              that match this key are to be deleted.

       -i interval
              This option sets the prepublication interval for a key. If set,
              then the publication and activation dates must be separated by
              at least this much time. If the activation date is specified but
              the publication date is not, the publication date defaults to
              this much time before the activation date; conversely, if the
              publication date is specified but not the activation date,
              activation is set to this much time after publication.

              If the key is being created as an explicit successor to another
              key, then the default prepublication interval is 30 days;
              otherwise it is zero.

              As with date offsets, if the argument is followed by one of the
              suffixes y, mo, w, d, h, or mi, the interval is measured in
              years, months, weeks, days, hours, or minutes, respectively.
              Without a suffix, the interval is measured in seconds.

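       The following is an added example, not code from BIND or this man
       page: a Python model of the date/offset syntax above and of the
       defaulting rules that -P, -A, -i, -S and -G impose on the publication
       and activation dates. The function names and the fixed reference time
       are this example's own assumptions; it models only what the text
       above states and not dnssec-keyfromlabel's actual implementation.

```python
"""Added example (not BIND's code): resolve TIMING OPTIONS arguments.

parse_date()     - YYYYMMDD, YYYYMMDDHHMMSS, +N[suffix]/-N[suffix], none/never
parse_interval() - the -i argument, N[suffix]
resolve_timing() - the documented defaults for -P/-A given -i, -S and -G
Years are 365 24-hour days and months 30 24-hour days, as the man page
defines them; leap years are ignored.
"""
from datetime import datetime, timedelta
import re

# Seconds per suffix unit; "" is the no-suffix case (seconds).
SUFFIX_SECONDS = {
    "y": 365 * 86400,
    "mo": 30 * 86400,
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
    "": 1,
}

OFFSET_RE = re.compile(r"^([+-])(\d+)(y|mo|w|d|h|mi)?$")
INTERVAL_RE = re.compile(r"^(\d+)(y|mo|w|d|h|mi)?$")


def parse_interval(text):
    """Turn an -i argument such as '30d', '12h' or '600' into a timedelta."""
    m = INTERVAL_RE.match(text)
    if not m:
        raise ValueError("bad interval: %r" % text)
    return timedelta(seconds=int(m.group(1)) * SUFFIX_SECONDS[m.group(2) or ""])


def parse_date(text, now):
    """Resolve one date/offset argument against the reference time `now`.

    Returns None for 'none'/'never', an absolute datetime for the two
    fixed formats, and now +/- offset for a signed offset.
    """
    if text.lower() in ("none", "never"):
        return None
    m = OFFSET_RE.match(text)
    if m:
        sign, count, suffix = m.groups()
        delta = timedelta(seconds=int(count) * SUFFIX_SECONDS[suffix or ""])
        return now + delta if sign == "+" else now - delta
    if re.fullmatch(r"\d{8}", text):
        return datetime.strptime(text, "%Y%m%d")
    if re.fullmatch(r"\d{14}", text):
        return datetime.strptime(text, "%Y%m%d%H%M%S")
    raise ValueError("unrecognised date/offset: %r" % text)


def resolve_timing(now, publish=None, activate=None, interval=None,
                   successor=False, generate_only=False):
    """Return (publication, activation) datetimes after applying the defaults.

    publish/activate/interval are the -P, -A and -i strings (or None);
    successor mirrors -S, generate_only mirrors -G.
    """
    if generate_only and (publish is not None or activate is not None):
        raise ValueError("-G is incompatible with -P and -A")
    prepub = parse_interval(interval) if interval is not None else (
        timedelta(days=30) if successor else timedelta(0))
    pub = parse_date(publish, now) if publish is not None else None
    act = parse_date(activate, now) if activate is not None else None
    if publish is not None and activate is not None:
        # Both given explicitly: they must be at least the interval apart.
        if pub is not None and act is not None and act - pub < prepub:
            raise ValueError("publication and activation must be at least "
                             "%s apart" % prepub)
    elif act is not None and pub is None:
        pub = act - prepub
    elif pub is not None and act is None:
        act = pub + prepub
    elif publish is None and activate is None and not generate_only:
        pub = act = now
    return pub, act


if __name__ == "__main__":
    # Constructed reference time so the output is reproducible.
    now = datetime(2021, 1, 1)
    print(resolve_timing(now, activate="+30d", successor=True))
    print(resolve_timing(now, publish="20210601", interval="12h"))
```

       With -S and an explicit -A but no -P, the example reproduces the -S
       rule from OPTIONS: publication lands 30 days before activation.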

GENERATED KEY FILES

       When dnssec-keyfromlabel completes successfully, it prints a string of
       the form Knnnn.+aaa+iiiii to the standard output. This is an
       identification string for the key files it has generated.

       nnnn   is the key name.

       aaa    is the numeric representation of the algorithm.

       iiiii  is the key identifier (or footprint).

       dnssec-keyfromlabel creates two files, with names based on the printed
       string. Knnnn.+aaa+iiiii.key contains the public key, and
       Knnnn.+aaa+iiiii.private contains the private key.

       The .key file contains a DNS KEY record that can be inserted into a
       zone file (directly or with an $INCLUDE statement).

       The .private file contains algorithm-specific fields. For obvious
       security reasons, this file does not have general read permission.

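       The following is an added example, not code from BIND or this man
       page: Python helpers that parse the printed Knnnn.+aaa+iiiii string
       into its three fields, derive the two file names from it, map the
       algorithm number to the mnemonics listed under -a, and check that a
       .private file really has no group or other read permission. The
       number-to-mnemonic table comes from the IANA DNSSEC algorithm registry
       rather than this page; the key name "example.com", the key id 12345
       and the temporary files are constructed for the example.

```python
"""Added example (not BIND's code): work with the identification string
that dnssec-keyfromlabel prints and verify the .private file permissions.
"""
import os
import re
import stat
import tempfile

# IANA DNSSEC algorithm numbers for the mnemonics the -a option accepts
# (registry values, not taken from the man page).
ALGORITHM_NAMES = {
    5: "RSASHA1",
    7: "NSEC3RSASHA1",
    8: "RSASHA256",
    10: "RSASHA512",
    13: "ECDSAP256SHA256",
    14: "ECDSAP384SHA384",
    15: "ED25519",
    16: "ED448",
}

KEY_ID_RE = re.compile(r"^K(.+)\.\+(\d{3})\+(\d{5})$")


def parse_key_id(text):
    """Split 'Kexample.com.+013+12345' into (name, algorithm, key_id)."""
    m = KEY_ID_RE.match(text.strip())
    if not m:
        raise ValueError("not a Knnnn.+aaa+iiiii string: %r" % text)
    return m.group(1), int(m.group(2)), int(m.group(3))


def format_key_id(name, algorithm, key_id):
    """Inverse of parse_key_id: build the printed identification string."""
    return "K%s.+%03d+%05d" % (name, algorithm, key_id)


def key_file_names(text):
    """Return the (.key, .private) file names derived from the printed string."""
    base = format_key_id(*parse_key_id(text))
    return base + ".key", base + ".private"


def algorithm_name(number):
    """Mnemonic for an algorithm number, or 'unknown(N)' if not in the table."""
    return ALGORITHM_NAMES.get(number, "unknown(%d)" % number)


def readable_only_by_owner(path):
    """True when the file has no group or other permission bits at all."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & 0o077 == 0


def make_demo_files(name="example.com", algorithm=13, key_id=12345):
    """Create a constructed .key/.private pair in a temp dir and check them.

    The .key file is world-readable (it holds public data); the .private
    file is created owner-only, as the man page says the tool does.
    Returns {".key": bool, ".private": bool} from readable_only_by_owner().
    """
    directory = tempfile.mkdtemp(prefix="keyfromlabel-demo-")
    key_name, private_name = key_file_names(format_key_id(name, algorithm, key_id))
    key_path = os.path.join(directory, key_name)
    private_path = os.path.join(directory, private_name)
    with open(key_path, "w") as f:
        f.write("; constructed placeholder, not a real DNSKEY record\n")
    os.chmod(key_path, 0o644)
    with open(private_path, "w") as f:
        f.write("; constructed placeholder, not real private-key fields\n")
    os.chmod(private_path, 0o600)
    return {".key": readable_only_by_owner(key_path),
            ".private": readable_only_by_owner(private_path)}


if __name__ == "__main__":
    ident = "Kexample.com.+013+12345"
    name, alg, kid = parse_key_id(ident)
    print(name, algorithm_name(alg), kid, key_file_names(ident))
    print(make_demo_files())
```

       readable_only_by_owner() is the check to run over a key directory
       after generation or restore from backup: a .private file that is
       group- or world-readable contradicts the permission the tool sets.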

SEE ALSO

       dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference
       Manual, RFC 4034, RFC 7512.


AUTHOR

       Internet Systems Consortium

       2021, Internet Systems Consortium




9.16.23-RH                                              DNSSEC-KEYFROMLABEL(8)