xref: /netbsd-src/external/mpl/bind/dist/bin/dnssec/dnssec-keyfromlabel.rst (revision 345cf9fb81bd0411c53e25d62cd93bdcaa865312) 
1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
2..
3.. SPDX-License-Identifier: MPL-2.0
4..
5.. This Source Code Form is subject to the terms of the Mozilla Public
6.. License, v. 2.0.  If a copy of the MPL was not distributed with this
7.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
8..
9.. See the COPYRIGHT file distributed with this work for additional
10.. information regarding copyright ownership.
11
12.. highlight: console
13
14.. iscman:: dnssec-keyfromlabel
15.. program:: dnssec-keyfromlabel
16.. _man_dnssec-keyfromlabel:
17
18dnssec-keyfromlabel - DNSSEC key generation tool
19------------------------------------------------
20
21Synopsis
22~~~~~~~~
23
24:program:`dnssec-keyfromlabel` {**-l** label} [**-3**] [**-a** algorithm] [**-A** date/offset] [**-c** class] [**-D** date/offset] [**-D** sync date/offset] [**-E** engine] [**-f** flag] [**-G**] [**-I** date/offset] [**-i** interval] [**-k**] [**-K** directory] [**-L** ttl] [**-n** nametype] [**-P** date/offset] [**-P** sync date/offset] [**-p** protocol] [**-R** date/offset] [**-S** key] [**-t** type] [**-v** level] [**-V**] [**-y**] {name}
25
26Description
27~~~~~~~~~~~
28
29:program:`dnssec-keyfromlabel` generates a pair of key files that reference a
30key object stored in a cryptographic hardware service module (HSM). The
31private key file can be used for DNSSEC signing of zone data as if it
32were a conventional signing key created by :iscman:`dnssec-keygen`, but the
33key material is stored within the HSM and the actual signing takes
34place there.
35
36The ``name`` of the key is specified on the command line. This must
37match the name of the zone for which the key is being generated.
38
39Options
40~~~~~~~
41
42.. option:: -a algorithm
43
44   This option selects the cryptographic algorithm. The value of ``algorithm`` must
45   be one of RSASHA1, NSEC3RSASHA1, RSASHA256, RSASHA512,
46   ECDSAP256SHA256, ECDSAP384SHA384, ED25519, or ED448.
47
48   These values are case-insensitive. In some cases, abbreviations are
49   supported, such as ECDSA256 for ECDSAP256SHA256 and ECDSA384 for
50   ECDSAP384SHA384. If RSASHA1 is specified along with the :option:`-3`
51   option, then NSEC3RSASHA1 is used instead.
52
53   This option is mandatory except when using the
54   :option:`-S` option, which copies the algorithm from the predecessory key.
55
56   .. versionchanged:: 9.12.0
57      The default value RSASHA1 for newly generated keys was removed.
58
59.. option:: -3
60
61   This option uses an NSEC3-capable algorithm to generate a DNSSEC key. If this
62   option is used with an algorithm that has both NSEC and NSEC3
63   versions, then the NSEC3 version is used; for example,
64   ``dnssec-keygen -3a RSASHA1`` specifies the NSEC3RSASHA1 algorithm.
65
66.. option:: -E engine
67
68   This option specifies the cryptographic hardware to use.
69
70   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
71   engine identifier that drives the cryptographic accelerator or
72   hardware service module (usually ``pkcs11``).
73
74.. option:: -l label
75
76   This option specifies the label for a key pair in the crypto hardware.
77
78   When BIND 9 is built with OpenSSL-based PKCS#11 support, the label is
79   an arbitrary string that identifies a particular key. It may be
80   preceded by an optional OpenSSL engine name, followed by a colon, as
81   in ``pkcs11:keylabel``.
82
83.. option:: -n nametype
84
85   This option specifies the owner type of the key. The value of ``nametype`` must
86   either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)), HOST or ENTITY
87   (for a key associated with a host (KEY)), USER (for a key associated
88   with a user (KEY)), or OTHER (DNSKEY). These values are
89   case-insensitive.
90
91.. option:: -C
92
93   This option enables compatibility mode, which generates an old-style key, without any metadata.
94   By default, :program:`dnssec-keyfromlabel` includes the key's creation
95   date in the metadata stored with the private key; other dates may
96   be set there as well, including publication date, activation date, etc. Keys
97   that include this data may be incompatible with older versions of
98   BIND; the :option:`-C` option suppresses them.
99
100.. option:: -c class
101
102   This option indicates that the DNS record containing the key should have the
103   specified class. If not specified, class IN is used.
104
105.. option:: -f flag
106
107   This option sets the specified flag in the ``flag`` field of the KEY/DNSKEY record.
108   The only recognized flags are KSK (Key-Signing Key) and REVOKE.
109
110.. option:: -G
111
112   This option generates a key, but does not publish it or sign with it. This option is
113   incompatible with :option:`-P` and :option:`-A`.
114
115.. option:: -h
116
117   This option prints a short summary of the options and arguments to
118   :program:`dnssec-keyfromlabel`.
119
120.. option:: -K directory
121
122   This option sets the directory in which the key files are to be written.
123
124.. option:: -k
125
126   This option generates KEY records rather than DNSKEY records.
127
128.. option:: -L ttl
129
130   This option sets the default TTL to use for this key when it is converted into a
131   DNSKEY RR. This is the TTL used when the key is imported into a zone,
132   unless there was already a DNSKEY RRset in
133   place, in which case the existing TTL would take precedence. Setting
134   the default TTL to ``0`` or ``none`` removes it.
135
136.. option:: -p protocol
137
138   This option sets the protocol value for the key. The protocol is a number between
139   0 and 255. The default is 3 (DNSSEC). Other possible values for this
140   argument are listed in :rfc:`2535` and its successors.
141
142.. option:: -S key
143
144   This option generates a key as an explicit successor to an existing key. The name,
145   algorithm, size, and type of the key are set to match the
146   predecessor. The activation date of the new key is set to the
147   inactivation date of the existing one. The publication date is
148   set to the activation date minus the prepublication interval, which
149   defaults to 30 days.
150
151.. option:: -t type
152
153   This option indicates the type of the key. ``type`` must be one of AUTHCONF,
154   NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH refers
155   to the ability to authenticate data, and CONF to the ability to encrypt
156   data.
157
158.. option:: -v level
159
160   This option sets the debugging level.
161
162.. option:: -V
163
164   This option prints version information.
165
166.. option:: -y
167
168   This option allows DNSSEC key files to be generated even if the key ID would
169   collide with that of an existing key, in the event of either key
170   being revoked. (This is only safe to enable if
171   :rfc:`5011` trust anchor maintenance is not used with either of the keys
172   involved.)
173
174Timing Options
175~~~~~~~~~~~~~~
176
177Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS
178(which is the format used inside key files),
179or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``),
180or UNIX epoch time (as printed by ``dnssec-settime -up``),
181or the literal ``now``.
182
183The argument can be followed by ``+`` or ``-`` and an offset from the
184given time. The literal ``now`` can be omitted before an offset. The
185offset can be followed by one of the suffixes ``y``, ``mo``, ``w``,
186``d``, ``h``, or ``mi``, so that it is computed in years (defined as
187365 24-hour days, ignoring leap years), months (defined as 30 24-hour
188days), weeks, days, hours, or minutes, respectively. Without a suffix,
189the offset is computed in seconds.
190
191To explicitly prevent a date from being set, use ``none``, ``never``,
192or ``unset``.
193
194All these formats are case-insensitive.
195
196.. option:: -P date/offset
197
198   This option sets the date on which a key is to be published to the zone. After
199   that date, the key is included in the zone but is not used
200   to sign it. If not set, and if the :option:`-G` option has not been used, the
201   default is the current date.
202
203   .. program:: dnssec-keyfromlabel -P
204   .. option:: sync date/offset
205
206      This option sets the date on which CDS and CDNSKEY records that match this key
207      are to be published to the zone.
208
209.. program:: dnssec-keyfromlabel
210
211.. option:: -A date/offset
212
213   This option sets the date on which the key is to be activated. After that date,
214   the key is included in the zone and used to sign it. If not set,
215   and if the :option:`-G` option has not been used, the default is the current date.
216
217.. option:: -R date/offset
218
219   This option sets the date on which the key is to be revoked. After that date, the
220   key is flagged as revoked. It is included in the zone and
221   is used to sign it.
222
223.. option:: -I date/offset
224
225   This option sets the date on which the key is to be retired. After that date, the
226   key is still included in the zone, but it is not used to
227   sign it.
228
229.. option:: -D date/offset
230
231   This option sets the date on which the key is to be deleted. After that date, the
232   key is no longer included in the zone. (However, it may remain in the key
233   repository.)
234
235   .. program:: dnssec-keyfromlabel -D
236   .. option:: sync date/offset
237
238      This option sets the date on which the CDS and CDNSKEY records that match this
239      key are to be deleted.
240
241.. program:: dnssec-keyfromlabel
242
243.. option:: -i interval
244
245   This option sets the prepublication interval for a key. If set, then the
246   publication and activation dates must be separated by at least this
247   much time. If the activation date is specified but the publication
248   date is not, the publication date defaults to this much time
249   before the activation date; conversely, if the publication date is
250   specified but not the activation date, activation is set to
251   this much time after publication.
252
253   If the key is being created as an explicit successor to another key,
254   then the default prepublication interval is 30 days; otherwise it is
255   zero.
256
257   As with date offsets, if the argument is followed by one of the
258   suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
259   measured in years, months, weeks, days, hours, or minutes,
260   respectively. Without a suffix, the interval is measured in seconds.
261
262Generated Key Files
263~~~~~~~~~~~~~~~~~~~
264
265When :program:`dnssec-keyfromlabel` completes successfully, it prints a string
266of the form ``Knnnn.+aaa+iiiii`` to the standard output. This is an
267identification string for the key files it has generated.
268
269-  ``nnnn`` is the key name.
270
271-  ``aaa`` is the numeric representation of the algorithm.
272
273-  ``iiiii`` is the key identifier (or footprint).
274
275:program:`dnssec-keyfromlabel` creates two files, with names based on the
276printed string. ``Knnnn.+aaa+iiiii.key`` contains the public key, and
277``Knnnn.+aaa+iiiii.private`` contains the private key.
278
279The ``.key`` file contains a DNS KEY record that can be inserted into a
280zone file (directly or with an $INCLUDE statement).
281
282The ``.private`` file contains algorithm-specific fields. For obvious
283security reasons, this file does not have general read permission.
284
285See Also
286~~~~~~~~
287
288:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
289:rfc:`4034`, :rfc:`7512`.
290