System Administration Commands dnssec-keyfromlabel(1M)
NAME
dnssec-keyfromlabel - DNSSEC key generation tool
SYNOPSIS
dnssec-keyfromlabel -a algorithm -l label [-c class] [-f flag] [-k]
[-n nametype] [-p protocol] [-t type] [-v level] name
DESCRIPTION
dnssec-keyfromlabel retrieves keys with a specified label
from a crypto hardware device and builds key files for DNSSEC
(Secure DNS), as defined in RFC 2535 and RFC 4034.
OPTIONS
The following options are supported:
-a algorithm
Selects the cryptographic algorithm. The value of algorithm
must be one of RSAMD5 (RSA) or RSASHA1, DSA, NSEC3RSASHA1,
NSEC3DSA, or DH (Diffie-Hellman). These values are
case-insensitive.
Note that for DNSSEC, RSASHA1 is a mandatory-to-implement
algorithm, and DSA is recommended. Note also that DH
automatically sets the -k flag.
-l label
Specifies the label of keys in the crypto hardware (PKCS#11)
device.
-n nametype
Specifies the owner type of the key. The value of nametype
must either be ZONE (for a DNSSEC zone key (KEY/DNSKEY)),
HOST or ENTITY (for a key associated with a host (KEY)),
USER (for a key associated with a user (KEY)), or OTHER
(DNSKEY). These values are case-insensitive.
-c class
Indicates that the DNS record containing the key should have
the specified class. If not specified, class IN is used.
SunOS 5.11 Last change: 11 Jan 2010 1
-f flag
Set the specified flag in the flag field of the KEY/DNSKEY
record. The only recognized flag is KSK (Key Signing Key)
DNSKEY.
-h
Displays a short summary of the options and arguments to
dnssec-keyfromlabel.
-k
Generate KEY records rather than DNSKEY records.
-p protocol
Sets the protocol value for the generated key. The protocol
is a number between 0 and 255. The default is 3 (DNSSEC).
Other possible values for this argument are listed in RFC
2535 and its successors.
-t type
Indicates the use of the key. type must be one of AUTHCONF,
NOAUTHCONF, NOAUTH, or NOCONF. The default is AUTHCONF. AUTH
refers to the ability to authenticate data, and CONF the
ability to encrypt data.
-v level
Sets the debugging level.
GENERATED KEY FILES
When dnssec-keyfromlabel completes successfully, it displays
a string of the form Knnnn.+aaa+iiiii to the standard output.
This is an identification string for the key files it has
generated, which translates as follows.
o nnnn is the key name.
o aaa is the numeric representation of the algorithm.
o iiiii is the key identifier (or footprint).
dnssec-keyfromlabel creates two files, with names based on
the displayed string. Knnnn.+aaa+iiiii.key contains the
public key, and Knnnn.+aaa+iiiii.private contains the
private key.
The first file contains a DNS KEY record that can be
inserted into a zone file (directly or with an $INCLUDE
statement).
The second file contains algorithm-specific fields. For
obvious security reasons, this file does not have general
read permission.
ATTRIBUTES
See attributes(5) for descriptions of the following
attributes:
____________________________________________________________
| ATTRIBUTE TYPE              | ATTRIBUTE VALUE             |
|_____________________________|_____________________________|
| Availability                | service/network/dns/bind    |
|_____________________________|_____________________________|
| Interface Stability         | Volatile                    |
|_____________________________|_____________________________|
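EXAMPLES
The following is an added example and is not part of the original man page or of BIND: it parses the Knnnn.+aaa+iiiii identification string described under GENERATED KEY FILES and checks the resulting .key/.private pair, including that the .private file carries no general read permission. The key name, algorithm number and file contents are constructed sample values, not real key material.

```python
import os
import re
import stat
import tempfile

# Identification string printed on success: Knnnn.+aaa+iiiii (name, alg, key id)
KEY_ID_RE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d{3})\+(?P<keyid>\d{5})$")

def parse_key_id(ident):
    """Split 'Kexample.test.+005+12345' into ('example.test', 5, 12345)."""
    m = KEY_ID_RE.match(ident)
    if m is None:
        raise ValueError("not a dnssec-keyfromlabel identifier: %r" % ident)
    return m["name"], int(m["alg"]), int(m["keyid"])

def check_key_pair(directory, ident):
    """Cross-check the .key/.private pair named by ident; return findings."""
    name, alg, _keyid = parse_key_id(ident)
    pub = os.path.join(directory, ident + ".key")
    priv = os.path.join(directory, ident + ".private")
    with open(pub) as fh:
        # the .key file holds one KEY/DNSKEY RR; lines starting with ';' are comments
        fields = next(line for line in fh if not line.startswith(";")).split()
    # RR layout: owner [ttl] class type flags protocol algorithm key...
    t = next(i for i, tok in enumerate(fields) if tok in ("KEY", "DNSKEY"))
    mode = stat.S_IMODE(os.stat(priv).st_mode)
    return {
        "rrtype": fields[t],
        "owner_matches": fields[0].rstrip(".") == name.rstrip("."),
        "alg_matches": int(fields[t + 3]) == alg,
        # a KSK (-f KSK) carries flags 257: the zone-key bit plus the SEP bit
        "is_ksk": int(fields[t + 1]) == 257,
        # the .private file must not carry general (group/other) read permission
        "private_readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }

def demo():
    ident = "Kexample.test.+005+12345"   # constructed sample; 005 is RSASHA1
    d = tempfile.mkdtemp()
    with open(os.path.join(d, ident + ".key"), "w") as fh:
        fh.write("; constructed sample, not a real key\n")
        fh.write("example.test. IN DNSKEY 257 3 5 AwEAAcOnStRuCtEdSaMpLe=\n")
    priv = os.path.join(d, ident + ".private")
    with open(priv, "w") as fh:
        fh.write("Private-key-format: v1.3\nAlgorithm: 5 (RSASHA1)\n")
    os.chmod(priv, 0o644)   # deliberately too permissive
    before = check_key_pair(d, ident)
    os.chmod(priv, 0o600)   # what a correct run leaves behind
    after = check_key_pair(d, ident)
    return before, after
```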
SEE ALSO
dnssec-keygen(1M), dnssec-signzone(1M), attributes(5)
RFC 2539, RFC 2845, RFC 4033
See the BIND 9 Administrator's Reference Manual. As of the
date of publication of this man page, this document is
available at https://www.isc.org/software/bind/documentation.