dnssec-dsfromkey.docbook revision 0c27b3fe77ac1d5094ba3521e8142d9e7973133f
80833bb9a1bf25dcf19e814438a4b311d2e1f4cffuankg - Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic - This Source Code Form is subject to the terms of the Mozilla Public
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic - License, v. 2.0. If a copy of the MPL was not distributed with this
1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic - file, You can obtain one at http://mozilla.org/MPL/2.0/.
4da61833a1cbbca94094f9653fd970582b97a72etrawick<!-- Converted by db4-upgrade version 1.0 -->
4da61833a1cbbca94094f9653fd970582b97a72etrawick<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
4789804be088bcd86ae637a29cdb7fda25169521jailletc <refentryinfo>
4789804be088bcd86ae637a29cdb7fda25169521jailletc <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
e50c3026198fd496f183cda4c32a202925476778covener </refentryinfo>
5b88c8507d5ef6d0c4cfbc78230294968175b638minfrin <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
4f29b65ab4b547ad5dbe506e2d0ff5d12ead9247ylavic <refnamediv>
4f29b65ab4b547ad5dbe506e2d0ff5d12ead9247ylavic <refname><application>dnssec-dsfromkey</application></refname>
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavic <refpurpose>DNSSEC DS RR generation tool</refpurpose>
0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavic </refnamediv>
69301145375a889e7e37caf7cc7321ac0f91801erpluem <copyright>
d58a848a016d401b965111e50ef829e1641f7834minfrin <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
2e6f4d654c96c98b761fb012fd25c5d5b1558c44sf </copyright>
2e6f4d654c96c98b761fb012fd25c5d5b1558c44sf </docinfo>
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic <refsynopsisdiv>
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic <arg choice="opt" rep="norepeat"><option>-1</option></arg>
e8bd80a4bb88199d2f9a24a50345688e52d9c116ylavic <arg choice="opt" rep="norepeat"><option>-2</option></arg>
e8bd80a4bb88199d2f9a24a50345688e52d9c116ylavic <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
e8bd80a4bb88199d2f9a24a50345688e52d9c116ylavic <arg choice="opt" rep="norepeat"><option>-C</option></arg>
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic </cmdsynopsis>
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener <arg choice="opt" rep="norepeat"><option>-1</option></arg>
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener <arg choice="opt" rep="norepeat"><option>-2</option></arg>
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
44ff304057225e944e220e981d434a046d14cf06covener <arg choice="opt" rep="norepeat"><option>-s</option></arg>
44ff304057225e944e220e981d434a046d14cf06covener <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
44ff304057225e944e220e981d434a046d14cf06covener <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
44ff304057225e944e220e981d434a046d14cf06covener <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
5d1ba75b8794925e67591c209085a49279791de9covener <arg choice="opt" rep="norepeat"><option>-A</option></arg>
5d1ba75b8794925e67591c209085a49279791de9covener <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand </cmdsynopsis>
032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand <arg choice="opt" rep="norepeat"><option>-h</option></arg>
caad2986f81ab263f7af41467dd622dc9add17f3ylavic <arg choice="opt" rep="norepeat"><option>-V</option></arg>
caad2986f81ab263f7af41467dd622dc9add17f3ylavic </cmdsynopsis>
caad2986f81ab263f7af41467dd622dc9add17f3ylavic </refsynopsisdiv>
45a10d38e6051fd7bdf9d742aaae633d97ff02abjailletc <refsection><info><title>DESCRIPTION</title></info>
2165214331e4afafca4048f66f303d0253d7b001covener outputs the Delegation Signer (DS) resource record (RR), as defined in
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem RFC 3658 and RFC 4509, for the given key(s).
1e2d421a36999d292042a5539971070d54aa6c63ylavic </refsection>
fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedooh <variablelist>
0b67eb8568cd58bb77082703951679b42cf098actrawick <varlistentry>
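5ef3c61605a3a021ff71f488983cb0065f8e1a79covener Use SHA-1 as the digest algorithm (the default is to use
fb1985a97912b25ec6564c73e610a31e5fc6e25fcovener both SHA-1 and SHA-256).
RFC 8624 recommends SHA-256 over SHA-1 for DS records, so prefer
<option>-2</option> for new delegations.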
6502b7b32f980cc2093bb3ebce37e5e4dc68fba4ylavic </listitem>
6502b7b32f980cc2093bb3ebce37e5e4dc68fba4ylavic </varlistentry>
c1a63b8fad09c419c1a64f75993feb8a343a6801ylavic <varlistentry>
e6b4bd1113567627ab6bb6c6a7105e1e01a7d889jailletc Use SHA-256 as the digest algorithm.
e466c40e1801982602ee0200c9e8b61cc148742djailletc </listitem>
457468b82e59d01eba00dd9d0817309c8f5e414ejim </varlistentry>
457468b82e59d01eba00dd9d0817309c8f5e414ejim <varlistentry>
04983e3bd1754764eec7d6bb772fe3b0bf391771jorton <term>-a <replaceable class="parameter">algorithm</replaceable></term>
15660979a30d251681463de2e0584853890082accovener Select the digest algorithm. The value of
15660979a30d251681463de2e0584853890082accovener <option>algorithm</option> must be one of SHA-1 (SHA1),
49dacedb6c387b786b7911082ff35121a45f414bcovener SHA-256 (SHA256), GOST or SHA-384 (SHA384).
49dacedb6c387b786b7911082ff35121a45f414bcovener These values are case insensitive.
Of these, RFC 8624 recommends SHA-256 for DS records and discourages
SHA-1 and GOST for new delegations.
cfd9415521847b2f9394fad04fb701cfb955f503rjung </listitem>
cfd9415521847b2f9394fad04fb701cfb955f503rjung </varlistentry>
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe <varlistentry>
8491e0600f69b0405e156ea8a419653c065c645bcovener Generate CDS records rather than DS records. This is mutually
63b9f1f5880391261705f696d7d65507bbe9ace3covener exclusive with generating lookaside (DLV) records with <option>-l</option>.
63b9f1f5880391261705f696d7d65507bbe9ace3covener </listitem>
49dacedb6c387b786b7911082ff35121a45f414bcovener </varlistentry>
49dacedb6c387b786b7911082ff35121a45f414bcovener <varlistentry>
49dacedb6c387b786b7911082ff35121a45f414bcovener <term>-T <replaceable class="parameter">TTL</replaceable></term>
3c990331fc6702119e4f5b8ba9eae3021aea5265jim <listitem>
3c990331fc6702119e4f5b8ba9eae3021aea5265jim Specifies the TTL of the DS records.
fc42512879dd0504532f52fe5d0d0383dda96a1eniq </listitem>
fc42512879dd0504532f52fe5d0d0383dda96a1eniq </varlistentry>
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niq <varlistentry>
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niq <term>-K <replaceable class="parameter">directory</replaceable></term>
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niq <listitem>
983528026996668ea295be95aedb9c7a346af470ylavic Look for key files (or, in keyset mode,
06b8f183140c8e02e0974e938a05078b511d1603covener </listitem>
06b8f183140c8e02e0974e938a05078b511d1603covener </varlistentry>
259878293a997ff49f5ddfc53d3739cbdc25444ecovener <varlistentry>
259878293a997ff49f5ddfc53d3739cbdc25444ecovener <term>-f <replaceable class="parameter">file</replaceable></term>
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluem Zone file mode: in place of the keyfile name, the argument is
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin the DNS domain name of a zone master file, which can be read
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin from <option>file</option>. If the zone name is the same as
65967d05f839dbf27cf91d91fa79585eeae19660minfrin If <option>file</option> is set to <literal>"-"</literal>, then
65967d05f839dbf27cf91d91fa79585eeae19660minfrin the zone data is read from the standard input. This makes it
8152945ae46857b170cb227e79bb799f4fc7710dminfrin possible to use the output of the <command>dig</command>
8152945ae46857b170cb227e79bb799f4fc7710dminfrin command as input, as in:
75f5c2db254c0167a0e396254460de09b775d203trawick <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
The DS records are only as trustworthy as the DNSKEY data supplied on
standard input; when that data comes from an unvalidated query, compare
the result with the keys held by the zone operator before publishing
the DS records in the parent zone.
75f5c2db254c0167a0e396254460de09b775d203trawick </listitem>
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph </varlistentry>
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph <varlistentry>
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick Include ZSKs when generating DS records. Without this option,
54d750a84a175d8e338880514d440773eb986b50covener only keys which have the KSK flag set will be converted to DS
54d750a84a175d8e338880514d440773eb986b50covener records and printed. Useful only in zone file mode.
54d750a84a175d8e338880514d440773eb986b50covener </listitem>
54d750a84a175d8e338880514d440773eb986b50covener </varlistentry>
54d750a84a175d8e338880514d440773eb986b50covener <varlistentry>
54d750a84a175d8e338880514d440773eb986b50covener <term>-l <replaceable class="parameter">domain</replaceable></term>
54d750a84a175d8e338880514d440773eb986b50covener Generate a DLV set instead of a DS set. The specified
83b50288fa7d306324bba68832011ea08f5c7832covener <option>domain</option> is appended to the name for each
4e30ef014533a7e93c92d88306291f5e49c9692ftrawick record in the set.
83b50288fa7d306324bba68832011ea08f5c7832covener The DNSSEC Lookaside Validation (DLV) RR is described
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick in RFC 4431. This is mutually exclusive with generating
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick CDS records.
2e15620d724fb8e3a5be183b917359a2fd6e9468covener </listitem>
2e15620d724fb8e3a5be183b917359a2fd6e9468covener </varlistentry>
2e15620d724fb8e3a5be183b917359a2fd6e9468covener <varlistentry>
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener Keyset mode: in place of the keyfile name, the argument is
b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener the DNS domain name of a keyset file.
b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener </listitem>
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd </varlistentry>
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd <varlistentry>
179565be4043d7e5f9161aa75271fa0a001866d9covener <term>-c <replaceable class="parameter">class</replaceable></term>
111436a32ba1254291e4883292fb116d15fe8f64covener Specifies the DNS class (default is IN). Useful only
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener in keyset or zone file mode.
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener </listitem>
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener </varlistentry>
7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawick <varlistentry>
7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawick <term>-v <replaceable class="parameter">level</replaceable></term>
ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz Sets the debugging level.
273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza </listitem>
273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza </varlistentry>
fe83f60b41477b14a37edcfcd1f7f5c5a1ebfe44minfrin <varlistentry>
993d1261a278d7322bccef219101220b7b4fb8c5jkaluza Prints usage information.
ba050a6f942b9fa0e81ed73437588005c569655ccovener </listitem>
ba050a6f942b9fa0e81ed73437588005c569655ccovener </varlistentry>
ba050a6f942b9fa0e81ed73437588005c569655ccovener <varlistentry>
135ddda3a989215d2bedbcf1529bfb269c3eda23niq <listitem>
001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh Prints version information.
efe780dcf13b2b95effabf897d694d8f23feac74trawick </varlistentry>
793214f67dede32edfd9ee96c664ead04d175cbbjfclere </variablelist>
cc5a4a08dc9783fcbc52ce86f11e01c281a43810minfrin </refsection>
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza To build the SHA-256 DS RR from the
249d09d51808cb7981af99762c3b3736ca126cd5jkaluza keyfile name, the following command would be issued:
56589be3d7a3e9343370df240010c6928cc78b39jkaluza <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc The command would print something like:
77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
f87299dab99bc04b51a6b8cad51b6795db862c0atrawick </refsection>
85eacfc96a04547ef25aabbc06440039715084c2jorton The keyfile can be designated by the key identification
85eacfc96a04547ef25aabbc06440039715084c2jorton <filename>Knnnn.+aaa+iiiii</filename> or the full file name
e5d909f2b06bd880fb3675cd49363df981caa631trawick <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
a4df2cd1e1391575a327c2a90ba4315f805a0a78covener <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
cb666b29f81df1d11d65002250153353568021fccovener The keyset file name is built from the <option>directory</option>,
1c2cab00d988fc48cbe59032cf76cc0bab20d6f7covener </refsection>
1f50dc34ae069adeed20b2986e5ffdefa5c410e0covener A keyfile error can produce a "file not found" message even if the file exists.
1f50dc34ae069adeed20b2986e5ffdefa5c410e0covener </refsection>
65a4e663b82f8bce28ac22ab2edfd7502de36998sf <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
65a4e663b82f8bce28ac22ab2edfd7502de36998sf </citerefentry>,
65a4e663b82f8bce28ac22ab2edfd7502de36998sf <citerefentry>
65a4e663b82f8bce28ac22ab2edfd7502de36998sf <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
c7de1955eb0eaeabf7042902476397692672d549sf </citerefentry>,
74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
a511a29faf2ff7ead3b67680154a624effb31aafminfrin </refsection>