dnssec-keyfromlabel

Name

dnssec-keyfromlabel — DNSSEC key generation tool

Synopsis

dnssec-keyfromlabel {-a algorithm} {-l label} [-c class] [-f flag] [-k] [-n nametype] [-p protocol] [-t type] [-v level] {name}

DESCRIPTION

dnssec-keyfromlabel + gets keys with the given label from a crypto hardware and builds + key files for DNSSEC (Secure DNS), as defined in RFC 2535 + and RFC 4034. +

OPTIONS

-a algorithm

+ Selects the cryptographic algorithm. The value of + algorithm must be one of RSAMD5 (RSA) + or RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA or DH (Diffie Hellman). + These values are case insensitive. +

+ Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement + algorithm, and DSA is recommended. +

+ Note 2: DH automatically sets the -k flag. +

-l label

+ Specifies the label of keys in the crypto hardware + (PKCS#11 device). +

-n nametype

+ Specifies the owner type of the key. The value of + nametype must either be ZONE (for a DNSSEC + zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with + a host (KEY)), + USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). + These values are + case insensitive. +

-c class

+ Indicates that the DNS record containing the key should have + the specified class. If not specified, class IN is used. +

-f flag

+ Set the specified flag in the flag field of the KEY/DNSKEY record. + The only recognized flag is KSK (Key Signing Key) DNSKEY. +

-h

+ Prints a short summary of the options and arguments to + dnssec-keygen. +

-k

+ Generate KEY records rather than DNSKEY records. +

-p protocol

+ Sets the protocol value for the generated key. The protocol + is a number between 0 and 255. The default is 3 (DNSSEC). + Other possible values for this argument are listed in + RFC 2535 and its successors. +

-t type

+ Indicates the use of the key. type must be + one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default + is AUTHCONF. AUTH refers to the ability to authenticate + data, and CONF the ability to encrypt data. +

-v level

+ Sets the debugging level. +

GENERATED KEY FILES

+ When dnssec-keyfromlabel completes + successfully, + it prints a string of the form Knnnn.+aaa+iiiii + to the standard output. This is an identification string for + the key files it has generated. +

nnnn is the key name. +
aaa is the numeric representation + of the + algorithm. +
iiiii is the key identifier (or + footprint). +

dnssec-keyfromlabel + creates two files, with names based + on the printed string. Knnnn.+aaa+iiiii.key + contains the public key, and + Knnnn.+aaa+iiiii.private contains the + private + key. +

+ The .key file contains a DNS KEY record + that + can be inserted into a zone file (directly or with a $INCLUDE + statement). +

+ The .private file contains algorithm + specific + fields. For obvious security reasons, this file does not have + general read permission. +

AUTHOR