1 .. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2 .. 3 .. SPDX-License-Identifier: MPL-2.0 4 .. 5 .. This Source Code Form is subject to the terms of the Mozilla Public 6 .. License, v. 2.0. If a copy of the MPL was not distributed with this 7 .. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8 .. 9 .. See the COPYRIGHT file distributed with this work for additional 10 .. information regarding copyright ownership. 11 12 .. highlight: console 13 14 .. iscman:: dnssec-keyfromlabel 15 .. program:: dnssec-keyfromlabel 16 .. _man_dnssec-keyfromlabel: 17 18 dnssec-keyfromlabel - DNSSEC key generation tool 19 ------------------------------------------------ 20 21 Synopsis 22 ~~~~~~~~ 23 24 :program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-M** tag_min:tag_max] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name} 25 26 Description 27 ~~~~~~~~~~~ 28 29 :program:`dnssec-keyfromlabel` generates a pair of key files that reference a 30 key object stored in a cryptographic hardware service module (HSM). The 31 private key file can be used for DNSSEC signing of zone data as if it 32 were a conventional signing key created by :iscman:`dnssec-keygen`, but the 33 key material is stored within the HSM and the actual signing takes 34 place there. 35 36 The ``name`` of the key is specified on the command line. This must 37 match the name of the zone for which the key is being generated. 38 39 Options 40 ~~~~~~~ 41 42 .. option:: -a algorithm 43 44 This option selects the cryptographic algorithm. The value of 45 ``algorithm`` must be one of RSASHA1 (deprecated), NSEC3RSASHA1 46 (deprecated), RSASHA256, RSASHA512, ECDSAP256SHA256, ECDSAP384SHA384, 47 ED25519, or ED448. 48 49 These values are case-insensitive. In some cases, abbreviations 50 are supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 51 for ECDSAP384SHA384. If RSASHA1 (deprecated) is specified along 52 with the :option:`-3` option, then NSEC3RSASHA1 (deprecated) is 53 used instead. 54 55 This option is mandatory except when using the :option:`-S` 56 option, which copies the algorithm from the predecessory key. 57 58 .. versionchanged:: 9.12.0 59 The default value RSASHA1 (deprecated) for newly generated 60 keys was removed. 61 62 .. option:: -3 63 64 This option uses an NSEC3-capable algorithm to generate a DNSSEC 65 key. If this option is used with an algorithm that has both NSEC 66 and NSEC3 versions, then the NSEC3 version is used; for example, 67 ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 68 (deprecated) algorithm. 69 70 .. option:: -E engine 71 72 This option specifies the cryptographic hardware to use. 73 74 When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL 75 engine identifier that drives the cryptographic accelerator or 76 hardware service module (usually ``pkcs11``). 77 78 .. option:: -l label 79 80 This option specifies the label for a key pair in the crypto hardware. 81 82 When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is 83 an arbitrary string that identifies a particular key. It may be 84 preceded by an optional OpenSSL engine name, followed by a colon, as 85 in ``pkcs11:keylabel``. 86 87 .. option:: -n nametype 88 89 This option specifies the owner type of the key. The value of ``nametype`` must 90 either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY 91 (for a key associated with a host (KEY)), USER (for a key associated 92 with a user (KEY)), or OTHER (DNSKEY). These values are 93 case-insensitive. 94 95 .. option:: -C 96 97 This option enables compatibility mode, which generates an old-style key, without any metadata. 98 By default, :program:`dnssec-keyfromlabel` includes the key's creation 99 date in the metadata stored with the private key; other dates may 100 be set there as well, including publication date, activation date, etc. Keys 101 that include this data may be incompatible with older versions of 102 BIND; the :option:`-C` option suppresses them. 103 104 .. option:: -c class 105 106 This option indicates that the DNS record containing the key should have the 107 specified class. If not specified, class IN is used. 108 109 .. option:: -f flag 110 111 This option sets the specified flag in the ``flag`` field of the KEY/DNSKEY record. 112 The only recognized flags are KSK (Key-Signing Key) and REVOKE. 113 114 .. option:: -G 115 116 This option generates a key, but does not publish it or sign with it. This option is 117 incompatible with :option:`-P` and :option:`-A`. 118 119 .. option:: -h 120 121 This option prints a short summary of the options and arguments to 122 :program:`dnssec-keyfromlabel`. 123 124 .. option:: -K directory 125 126 This option sets the directory in which the key files are to be written. 127 128 .. option:: -k 129 130 This option generates KEY records rather than DNSKEY records. 131 132 .. option:: -L ttl 133 134 This option sets the default TTL to use for this key when it is converted into a 135 DNSKEY RR. This is the TTL used when the key is imported into a zone, 136 unless there was already a DNSKEY RRset in 137 place, in which case the existing TTL would take precedence. Setting 138 the default TTL to ``0`` or ``none`` removes it. 139 140 .. option:: -M tag_min:tag_max 141 142 This option sets the range of key tag values 143 that ``dnssec-keyfromlabel`` will accept. If the key tag of the new 144 key or the key tag of the revoked version of the new key is 145 outside this range, the new key will be rejected. This is 146 designed to be used when generating keys in a multi-signer 147 scenario, where each operator is given a range of key tags to 148 prevent collisions among different operators. The valid 149 values for ``tag_min`` and ``tag_max`` are [0..65535]. The 150 default allows all key tag values to be accepted. 151 152 .. option:: -p protocol 153 154 This option sets the protocol value for the key. The protocol is a number between 155 0 and 255. The default is 3 (DNSSEC). Other possible values for this 156 argument are listed in :rfc:`2535` and its successors. 157 158 .. option:: -S key 159 160 This option generates a key as an explicit successor to an existing key. The name, 161 algorithm, size, and type of the key are set to match the 162 predecessor. The activation date of the new key is set to the 163 inactivation date of the existing one. The publication date is 164 set to the activation date minus the prepublication interval, which 165 defaults to 30 days. 166 167 .. option:: -t type 168 169 This option indicates the type of the key. ``type`` must be one of AUTHCONF, 170 NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers 171 to the ability to authenticate data, and CONF to the ability to encrypt 172 data. 173 174 .. option:: -v level 175 176 This option sets the debugging level. 177 178 .. option:: -V 179 180 This option prints version information. 181 182 .. option:: -y 183 184 This option allows DNSSEC key files to be generated even if the key ID would 185 collide with that of an existing key, in the event of either key 186 being revoked. (This is only safe to enable if 187 :rfc:`5011` trust anchor maintenance is not used with either of the keys 188 involved.) 189 190 Timing Options 191 ~~~~~~~~~~~~~~ 192 193 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS 194 (which is the format used inside key files), 195 or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``), 196 or UNIX epoch time (as printed by ``dnssec-settime -up``), 197 or the literal ``now``. 198 199 The argument can be followed by ``+`` or ``-`` and an offset from the 200 given time. The literal ``now`` can be omitted before an offset. The 201 offset can be followed by one of the suffixes ``y``, ``mo``, ``w``, 202 ``d``, ``h``, or ``mi``, so that it is computed in years (defined as 203 365 24-hour days, ignoring leap years), months (defined as 30 24-hour 204 days), weeks, days, hours, or minutes, respectively. Without a suffix, 205 the offset is computed in seconds. 206 207 To explicitly prevent a date from being set, use ``none``, ``never``, 208 or ``unset``. 209 210 All these formats are case-insensitive. 211 212 .. option:: -P date/offset 213 214 This option sets the date on which a key is to be published to the zone. After 215 that date, the key is included in the zone but is not used 216 to sign it. If not set, and if the :option:`-G` option has not been used, the 217 default is the current date. 218 219 .. program:: dnssec-keyfromlabel -P 220 .. option:: sync date/offset 221 222 This option sets the date on which CDS and CDNSKEY records that match this key 223 are to be published to the zone. 224 225 .. program:: dnssec-keyfromlabel 226 227 .. option:: -A date/offset 228 229 This option sets the date on which the key is to be activated. After that date, 230 the key is included in the zone and used to sign it. If not set, 231 and if the :option:`-G` option has not been used, the default is the current date. 232 233 .. option:: -R date/offset 234 235 This option sets the date on which the key is to be revoked. After that date, the 236 key is flagged as revoked. It is included in the zone and 237 is used to sign it. 238 239 .. option:: -I date/offset 240 241 This option sets the date on which the key is to be retired. After that date, the 242 key is still included in the zone, but it is not used to 243 sign it. 244 245 .. option:: -D date/offset 246 247 This option sets the date on which the key is to be deleted. After that date, the 248 key is no longer included in the zone. (However, it may remain in the key 249 repository.) 250 251 .. program:: dnssec-keyfromlabel -D 252 .. option:: sync date/offset 253 254 This option sets the date on which the CDS and CDNSKEY records that match this 255 key are to be deleted. 256 257 .. program:: dnssec-keyfromlabel 258 259 .. option:: -i interval 260 261 This option sets the prepublication interval for a key. If set, then the 262 publication and activation dates must be separated by at least this 263 much time. If the activation date is specified but the publication 264 date is not, the publication date defaults to this much time 265 before the activation date; conversely, if the publication date is 266 specified but not the activation date, activation is set to 267 this much time after publication. 268 269 If the key is being created as an explicit successor to another key, 270 then the default prepublication interval is 30 days; otherwise it is 271 zero. 272 273 As with date offsets, if the argument is followed by one of the 274 suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is 275 measured in years, months, weeks, days, hours, or minutes, 276 respectively. Without a suffix, the interval is measured in seconds. 277 278 Generated Key Files 279 ~~~~~~~~~~~~~~~~~~~ 280 281 When :program:`dnssec-keyfromlabel` completes successfully, it prints a string 282 of the form ``Knnnn.+aaa+iiiii`` to the standard output. This is an 283 identification string for the key files it has generated. 284 285 - ``nnnn`` is the key name. 286 287 - ``aaa`` is the numeric representation of the algorithm. 288 289 - ``iiiii`` is the key identifier (or footprint). 290 291 :program:`dnssec-keyfromlabel` creates two files, with names based on the 292 printed string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and 293 ``Knnnn.+aaa+iiiii.private`` contains the private key. 294 295 The ``.key`` file contains a DNS KEY record that can be inserted into a 296 zone file (directly or with an $INCLUDE statement). 297 298 The ``.private`` file contains algorithm-specific fields. For obvious 299 security reasons, this file does not have general read permission. 300 301 See Also 302 ~~~~~~~~ 303 304 :iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual, 305 :rfc:`4034`, :rfc:`7512`. 306
Indexes created Wed Mar 04 15:26:31 UTC 2026