1DNSSEC-KEYFROMLABEL(1)              BIND 9              DNSSEC-KEYFROMLABEL(1)
2
3
4

NAME

6       dnssec-keyfromlabel - DNSSEC key generation tool
7

SYNOPSIS

9       dnssec-keyfromlabel {-l label} [-3] [-a algorithm] [-A date/offset] [-c
10       class] [-D date/offset] [-D sync date/offset]  [-E  engine]  [-f  flag]
11       [-G]  [-I  date/offset]  [-i interval] [-k] [-K directory] [-L ttl] [-n
12       nametype] [-P date/offset] [-P  sync  date/offset]  [-p  protocol]  [-R
13       date/offset] [-S key] [-t type] [-v level] [-V] [-y] {name}
14

DESCRIPTION

16       dnssec-keyfromlabel  generates a pair of key files that reference a key
17       object stored in a cryptographic hardware  service  module  (HSM).  The
18       private  key  file can be used for DNSSEC signing of zone data as if it
19       were a conventional signing key created by dnssec-keygen, but  the  key
20       material  is  stored  within the HSM and the actual signing takes place
21       there.
22
23       The name of the key is specified on the command line. This  must  match
24       the name of the zone for which the key is being generated.
25

OPTIONS

27       -a algorithm
28              This  option  selects  the cryptographic algorithm. The value of
29              algorithm must  be  one  of  RSASHA1,  NSEC3RSASHA1,  RSASHA256,
30              RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
31
32              These  values are case-insensitive. In some cases, abbreviations
33              are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384
34              for  ECDSAP384SHA384.  If RSASHA1 is specified along with the -3
35              option, then NSEC3RSASHA1 is used instead.
36
37              This option is mandatory except when using the -S option,  which
38              copies the algorithm from the predecessory key.
39
40              Changed  in  version 9.12.0: The default value RSASHA1 for newly
41              generated keys was removed.
42
43
44       -3     This option uses an NSEC3-capable algorithm to generate a DNSSEC
45              key. If this option is used with an algorithm that has both NSEC
46              and NSEC3 versions, then the NSEC3 version is used; for example,
47              dnssec-keygen -3a RSASHA1 specifies the NSEC3RSASHA1 algorithm.
48
49       -E engine
50              This option specifies the cryptographic hardware to use.
51
52              When  BIND  9 is built with OpenSSL, this needs to be set to the
53              OpenSSL engine identifier that drives the cryptographic acceler‐
54              ator or hardware service module (usually pkcs11).
55
56       -l label
57              This  option  specifies  the  label for a key pair in the crypto
58              hardware.
59
60              When BIND 9 is built with OpenSSL-based PKCS#11 support, the la‐
61              bel  is an arbitrary string that identifies a particular key. It
62              may be preceded by an optional OpenSSL engine name, followed  by
63              a colon, as in pkcs11:keylabel.
64
65       -n nametype
66              This  option  specifies  the owner type of the key. The value of
67              nametype  must  either  be  ZONE  (for   a   DNSSEC   zone   key
68              (KEY/DNSKEY)),  HOST or ENTITY (for a key associated with a host
69              (KEY)), USER (for a key associated with a user (KEY)), or  OTHER
70              (DNSKEY). These values are case-insensitive.
71
72       -C     This  option  enables  compatibility  mode,  which  generates an
73              old-style   key,   without   any    metadata.     By    default,
74              dnssec-keyfromlabel  includes  the  key's  creation  date in the
75              metadata stored with the private key; other  dates  may  be  set
76              there as well, including publication date, activation date, etc.
77              Keys that include this data may be incompatible with older  ver‐
78              sions of BIND; the -C option suppresses them.
79
80       -c class
81              This  option  indicates  that  the DNS record containing the key
82              should have the specified class. If not specified, class  IN  is
83              used.
84
85       -f flag
86              This  option  sets  the  specified flag in the flag field of the
87              KEY/DNSKEY record.  The only recognized flags are KSK (Key-Sign‐
88              ing Key) and REVOKE.
89
90       -G     This  option  generates  a  key, but does not publish it or sign
91              with it. This option is incompatible with -P and -A.
92
93       -h     This option prints a short summary of the options and  arguments
94              to dnssec-keyfromlabel.
95
96       -K directory
97              This  option sets the directory in which the key files are to be
98              written.
99
100       -k     This option generates KEY records rather than DNSKEY records.
101
102       -L ttl This option sets the default TTL to use for this key when it  is
103              converted into a DNSKEY RR. This is the TTL used when the key is
104              imported into a zone, unless there was already a DNSKEY RRset in
105              place,  in  which  case  the existing TTL would take precedence.
106              Setting the default TTL to 0 or none removes it.
107
108       -p protocol
109              This option sets the protocol value for the key. The protocol is
110              a  number  between  0  and 255. The default is 3 (DNSSEC). Other
111              possible values for this argument are listed in RFC 2535 and its
112              successors.
113
114       -S key This  option  generates a key as an explicit successor to an ex‐
115              isting key. The name, algorithm, size, and type of the  key  are
116              set to match the predecessor. The activation date of the new key
117              is set to the inactivation date of the existing one. The  publi‐
118              cation  date is set to the activation date minus the prepublica‐
119              tion interval, which defaults to 30 days.
120
121       -t type
122              This option indicates the type of the key. type must be  one  of
123              AUTHCONF,  NOAUTHCONF,  NOAUTH,  or NOCONF. The default is AUTH‐
124              CONF. AUTH refers to the ability to authenticate data, and  CONF
125              to the ability to encrypt data.
126
127       -v level
128              This option sets the debugging level.
129
130       -V     This option prints version information.
131
132       -y     This  option allows DNSSEC key files to be generated even if the
133              key ID would collide with that of an existing key, in the  event
134              of either key being revoked. (This is only safe to enable if RFC
135              5011 trust anchor maintenance is not used  with  either  of  the
136              keys involved.)
137

TIMING OPTIONS

139       Dates  can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS (which
140       is the format used inside key files), or 'Day Mon DD HH:MM:SS YYYY' (as
141       printed  by  dnssec-settime  -p),  or  UNIX  epoch  time (as printed by
142       dnssec-settime -up), or the literal now.
143
144       The argument can be followed by + or - and an  offset  from  the  given
145       time.  The  literal now can be omitted before an offset. The offset can
146       be followed by one of the suffixes y, mo, w, d, h, or mi, so that it is
147       computed  in  years (defined as 365 24-hour days, ignoring leap years),
148       months (defined as 30 24-hour days), weeks, days,  hours,  or  minutes,
149       respectively. Without a suffix, the offset is computed in seconds.
150
151       To explicitly prevent a date from being set, use none, never, or unset.
152
153       All these formats are case-insensitive.
154
155       -P date/offset
156              This  option  sets the date on which a key is to be published to
157              the zone. After that date, the key is included in the  zone  but
158              is not used to sign it. If not set, and if the -G option has not
159              been used, the default is the current date.
160
161              sync date/offset
162                     This option sets  the  date  on  which  CDS  and  CDNSKEY
163                     records  that  match  this key are to be published to the
164                     zone.
165
166       -A date/offset
167              This option sets the date on which the key is to  be  activated.
168              After  that  date,  the  key is included in the zone and used to
169              sign it. If not set, and if the -G option has not been used, the
170              default is the current date.
171
172       -R date/offset
173              This option sets the date on which the key is to be revoked. Af‐
174              ter that date, the key is flagged as revoked. It is included  in
175              the zone and is used to sign it.
176
177       -I date/offset
178              This option sets the date on which the key is to be retired. Af‐
179              ter that date, the key is still included in the zone, but it  is
180              not used to sign it.
181
182       -D date/offset
183              This option sets the date on which the key is to be deleted. Af‐
184              ter that date, the key is no longer included in the zone.  (How‐
185              ever, it may remain in the key repository.)
186
187              sync date/offset
188                     This  option  sets  the date on which the CDS and CDNSKEY
189                     records that match this key are to be deleted.
190
191       -i interval
192              This option sets the prepublication interval for a key. If  set,
193              then  the  publication and activation dates must be separated by
194              at least this much time. If the activation date is specified but
195              the  publication  date  is not, the publication date defaults to
196              this much time before the activation date;  conversely,  if  the
197              publication date is specified but not the activation date, acti‐
198              vation is set to this much time after publication.
199
200              If the key is being created as an explicit successor to  another
201              key, then the default prepublication interval is 30 days; other‐
202              wise it is zero.
203
204              As with date offsets, if the argument is followed by one of  the
205              suffixes  y,  mo,  w,  d,  h, or mi, the interval is measured in
206              years, months, weeks, days,  hours,  or  minutes,  respectively.
207              Without a suffix, the interval is measured in seconds.
208

GENERATED KEY FILES

210       When  dnssec-keyfromlabel completes successfully, it prints a string of
211       the form Knnnn.+aaa+iiiii to the standard output. This is an  identifi‐
212       cation string for the key files it has generated.
213
214nnnn is the key name.
215
216aaa is the numeric representation of the algorithm.
217
218iiiii is the key identifier (or footprint).
219
220       dnssec-keyfromlabel  creates two files, with names based on the printed
221       string.   Knnnn.+aaa+iiiii.key   contains   the   public    key,    and
222       Knnnn.+aaa+iiiii.private contains the private key.
223
224       The  .key  file  contains  a DNS KEY record that can be inserted into a
225       zone file (directly or with an $INCLUDE statement).
226
227       The .private file contains algorithm-specific fields. For obvious secu‐
228       rity reasons, this file does not have general read permission.
229

SEE ALSO

231       dnssec-keygen(8),  dnssec-signzone(8),  BIND  9 Administrator Reference
232       Manual, RFC 4034, RFC 7512.
233

AUTHOR

235       Internet Systems Consortium
236
238       2023, Internet Systems Consortium
239
240
241
242
2439.18.20                                                 DNSSEC-KEYFROMLABEL(1)
Impressum