Diffstat (limited to 'bin/dnssec/dnssec-keyfromlabel.docbook')
-rw-r--r--  bin/dnssec/dnssec-keyfromlabel.docbook  195
1 files changed, 176 insertions, 19 deletions
diff --git a/bin/dnssec/dnssec-keyfromlabel.docbook b/bin/dnssec/dnssec-keyfromlabel.docbook index a2fff5a..be38a24 100644 --- a/bin/dnssec/dnssec-keyfromlabel.docbook +++ b/bin/dnssec/dnssec-keyfromlabel.docbook @@ -2,7 +2,7 @@ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [<!ENTITY mdash "—">]> <!-- - - Copyright (C) 2008, 2010 Internet Systems Consortium, Inc. ("ISC") + - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC") - - Permission to use, copy, modify, and/or distribute this software for any - purpose with or without fee is hereby granted, provided that the above @@ -17,7 +17,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> -<!-- $Id: dnssec-keyfromlabel.docbook,v 1.6.14.2 2010-01-15 23:47:31 tbox Exp $ --> +<!-- $Id: dnssec-keyfromlabel.docbook,v 1.18.14.1.2.1 2011-06-02 23:47:27 tbox Exp $ --> <refentry id="man.dnssec-keyfromlabel"> <refentryinfo> <date>February 8, 2008</date> @@ -37,7 +37,9 @@ <docinfo> <copyright> <year>2008</year> + <year>2009</year> <year>2010</year> + <year>2011</year> <holder>Internet Systems Consortium, Inc. ("ISC")</holder> </copyright> </docinfo> 
@@ -45,15 +47,25 @@ <refsynopsisdiv> <cmdsynopsis> <command>dnssec-keyfromlabel</command> - <arg choice="req">-a <replaceable class="parameter">algorithm</replaceable></arg> <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg> + <arg><option>-3</option></arg> + <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg> + <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg> <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg> + <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg> + <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg> <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg> + <arg><option>-G</option></arg> + <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg> <arg><option>-k</option></arg> + <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg> <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg> + <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg> <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg> + <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg> <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg> <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> + <arg><option>-y</option></arg> <arg choice="req">name</arg> </cmdsynopsis> </refsynopsisdiv> @@ -65,6 +77,11 @@ key files for DNSSEC (Secure DNS), as defined in RFC 2535 and RFC 4034. </para> + <para> + The <option>name</option> of the key is specified on the command + line. This must match the name of the zone for which the key is + being generated. + </para> </refsect1> <refsect1> 
@@ -76,9 +93,8 @@ <listitem> <para> Selects the cryptographic algorithm. The value of - <option>algorithm</option> must be one of RSAMD5, - RSASHA1, DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, - RSASHA512 or DH (Diffie Hellman). + <option>algorithm</option> must be one of RSAMD5, RSASHA1, + DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512 or ECCGOST. These values are case insensitive. </para> <para> @@ -99,11 +115,34 @@ </varlistentry> <varlistentry> + <term>-3</term> + <listitem> + <para> + Use an NSEC3-capable algorithm to generate a DNSSEC key. + If this option is used and no algorithm is explicitly + set on the command line, NSEC3RSASHA1 will be used by + default. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-E <replaceable class="parameter">engine</replaceable></term> + <listitem> + <para> + Specifies the name of the crypto hardware (OpenSSL engine). + When compiled with PKCS#11 support it defaults to "pkcs11". + </para> + </listitem> + </varlistentry> + + <varlistentry> <term>-l <replaceable class="parameter">label</replaceable></term> <listitem> <para> - Specifies the label of keys in the crypto hardware - (PKCS#11 device). + Specifies the label of the key pair in the crypto hardware. + The label may be preceded by an optional OpenSSL engine name, + separated by a colon, as in "pkcs11:keylabel". </para> </listitem> </varlistentry> 
@@ -117,8 +156,22 @@ zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with a host (KEY)), USER (for a key associated with a user(KEY)) or OTHER (DNSKEY). - These values are - case insensitive. + These values are case insensitive. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-C</term> + <listitem> + <para> + Compatibility mode: generates an old-style key, without + any metadata. By default, <command>dnssec-keyfromlabel</command> + will include the key's creation date in the metadata stored + with the private key, and other dates may be set there as well + (publication date, activation date, etc). Keys that include + this data may be incompatible with older versions of BIND; the + <option>-C</option> option suppresses them. </para> </listitem> </varlistentry> @@ -138,7 +191,17 @@ <listitem> <para> Set the specified flag in the flag field of the KEY/DNSKEY record. - The only recognized flag is KSK (Key Signing Key) DNSKEY. + The only recognized flags are KSK (Key Signing Key) and REVOKE. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-G</term> + <listitem> + <para> + Generate a key, but do not publish it or sign with it. This + option is incompatible with -P and -A. </para> </listitem> </varlistentry> @@ -148,7 +211,16 @@ <listitem> <para> Prints a short summary of the options and arguments to - <command>dnssec-keygen</command>. + <command>dnssec-keyfromlabel</command>. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-K <replaceable class="parameter">directory</replaceable></term> + <listitem> + <para> + Sets the directory in which the key files are to be written. </para> </listitem> </varlistentry> 
@@ -166,7 +238,7 @@ <term>-p <replaceable class="parameter">protocol</replaceable></term> <listitem> <para> - Sets the protocol value for the generated key. The protocol + Sets the protocol value for the key. The protocol is a number between 0 and 255. The default is 3 (DNSSEC). Other possible values for this argument are listed in RFC 2535 and its successors. 
@@ -195,6 +267,93 @@ </listitem> </varlistentry> + <varlistentry> + <term>-y</term> + <listitem> + <para> + Allows DNSSEC key files to be generated even if the key ID + would collide with that of an existing key, in the event of + either key being revoked. (This is only safe to use if you + are sure you won't be using RFC 5011 trust anchor maintenance + with either of the keys involved.) + </para> + </listitem> + </varlistentry> + + </variablelist> + </refsect1> + + <refsect1> + <title>TIMING OPTIONS</title> + + <para> + Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. + If the argument begins with a '+' or '-', it is interpreted as + an offset from the present time. For convenience, if such an offset + is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', + then the offset is computed in years (defined as 365 24-hour days, + ignoring leap years), months (defined as 30 24-hour days), weeks, + days, hours, or minutes, respectively. Without a suffix, the offset + is computed in seconds. + </para> + + <variablelist> + <varlistentry> + <term>-P <replaceable class="parameter">date/offset</replaceable></term> + <listitem> + <para> + Sets the date on which a key is to be published to the zone. + After that date, the key will be included in the zone but will + not be used to sign it. If not set, and if the -G option has + not been used, the default is "now". + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-A <replaceable class="parameter">date/offset</replaceable></term> + <listitem> + <para> + Sets the date on which the key is to be activated. After that + date, the key will be included in the zone and used to sign + it. If not set, and if the -G option has not been used, the + default is "now". + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-R <replaceable class="parameter">date/offset</replaceable></term> + <listitem> + <para> + Sets the date on which the key is to be revoked. 
After that + date, the key will be flagged as revoked. It will be included + in the zone and will be used to sign it. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-I <replaceable class="parameter">date/offset</replaceable></term> + <listitem> + <para> + Sets the date on which the key is to be retired. After that + date, the key will still be included in the zone, but it + will not be used to sign it. + </para> + </listitem> + </varlistentry> + + <varlistentry> + <term>-D <replaceable class="parameter">date/offset</replaceable></term> + <listitem> + <para> + Sets the date on which the key is to be deleted. After that + date, the key will no longer be included in the zone. (It + may remain in the key repository, however.) + </para> + </listitem> + </varlistentry> </variablelist> </refsect1> @@ -214,8 +373,7 @@ </listitem> <listitem> <para><filename>aaa</filename> is the numeric representation - of the - algorithm. + of the algorithm. </para> </listitem> <listitem> @@ -229,8 +387,7 @@ on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename> contains the public key, and <filename>Knnnn.+aaa+iiiii.private</filename> contains the - private - key. + private key. </para> <para> The <filename>.key</filename> file contains a DNS KEY record @@ -239,8 +396,8 @@ statement). </para> <para> - The <filename>.private</filename> file contains algorithm - specific + The <filename>.private</filename> file contains + algorithm-specific fields. For obvious security reasons, this file does not have general read permission. </para> |
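Review bot: in the `@@ -17,7 +17,7 @@` hunk the `<date>February 8, 2008</date>` in refentryinfo is left as-is while the copyright range and `$Id` move to 2011 and the page gains a dozen new options; bump the refentryinfo date in the same change so the rendered man page reflects the revision.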
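Review bot: the synopsis hunk (`@@ -45,15 +47,25 @@`) omits `-C`, which the options list added below documents (compatibility mode); add `<arg><option>-C</option></arg>` alongside `-3` so the synopsis matches the variablelist.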
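Review bot: in the `@@ -65,6 +77,11 @@` hunk, "This must match the name of the zone for which the key is being generated" holds only for zone keys; `-n` still accepts HOST, ENTITY, USER and OTHER, where the name is a host or user name rather than a zone. Suggest "For zone keys (the default), this must match the name of the zone ...".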
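Review bot: the `-a` hunk (`@@ -76,9 +93,8 @@`) drops DH from the algorithm list and adds ECCGOST without saying so; if DH is no longer accepted, state it. Since `-a` is now optional in the synopsis, this paragraph should also say which algorithm is used when neither `-a` nor `-3` is given (the `-3` entry covers only the NSEC3RSASHA1 case).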
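Review bot: in the `@@ -99,11 +115,34 @@` hunk, `-E engine` and the "pkcs11:keylabel" prefix on `-l` both name the engine, and nothing says which takes precedence when both are given or whether a prefix in `-l` overrides the PKCS#11 default. One sentence on precedence would spare users a trip to the source.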
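Review bot: the `-C` entry (`@@ -117,8 +156,22 @@`) says the option suppresses the dates stored with the private key, but the timing options `-P`, `-A`, `-R`, `-I` and `-D` write exactly that metadata; say what happens when `-C` is combined with them (rejected, or the dates silently dropped), since a silently dropped `-D` or `-R` is the kind of thing an operator will not notice until the key is still live.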
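Review bot: in the `@@ -138,7 +191,17 @@` hunk, `-f REVOKE` sets the flag on the generated key immediately while `-R` schedules it, and the relation between the two is not stated; a cross-reference would help. Likewise "This option is incompatible with -P and -A" under `-G` should say whether the combination is an error or `-G` is simply ignored.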
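Review bot: the `-y` entry (`@@ -195,6 +267,93 @@`) leaves the reader to infer why revocation matters. The REVOKE bit is part of the DNSKEY RDATA over which the key ID (tag) is computed, so revoking a key changes its ID; by default the tool refuses a key whose ID, now or after revocation, would collide with an existing key's, which is what the RFC 5011 caveat is about. Spelling that out makes the "only safe if" sentence meaningful.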