dnssec-dsfromkey.docbook revision 2eeb74d1cf5355dd98f6d507a10086e16bb08c4b
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<!--
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap -
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - Permission to use, copy, modify, and/or distribute this software for any
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - purpose with or without fee is hereby granted, provided that the above
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - copyright notice and this permission notice appear in all copies.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap -
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap - PERFORMANCE OF THIS SOFTWARE.
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap-->
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<!-- Converted by db4-upgrade version 1.0 -->
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <info>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <date>2012-05-02</date>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap </info>
4558d122136f151d62acbbc02ddb42df89a5ef66Viswanathan Kannappan <refentryinfo>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <corpname>ISC</corpname>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap </refentryinfo>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <refmeta>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <manvolnum>8</manvolnum>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <refmiscinfo>BIND9</refmiscinfo>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap </refmeta>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <refnamediv>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <refname><application>dnssec-dsfromkey</application></refname>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <refpurpose>DNSSEC DS RR generation tool</refpurpose>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap </refnamediv>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <docinfo>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <copyright>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <year>2008</year>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <year>2009</year>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <year>2010</year>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <year>2011</year>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <year>2012</year>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <year>2014</year>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <year>2015</year>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap </copyright>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap </docinfo>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <refsynopsisdiv>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <cmdsynopsis sepchar=" ">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <command>dnssec-dsfromkey</command>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-1</option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-2</option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-C</option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
0f1702c5201310f0529cd5abb77652e5e9b241b6Yu Xiangning <arg choice="req" rep="norepeat">keyfile</arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap </cmdsynopsis>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <cmdsynopsis sepchar=" ">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <command>dnssec-dsfromkey</command>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="req" rep="norepeat">-s</arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-1</option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-2</option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-s</option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-A</option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="req" rep="norepeat">dnsname</arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap </cmdsynopsis>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <cmdsynopsis sepchar=" ">
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <command>dnssec-dsfromkey</command>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-h</option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <arg choice="opt" rep="norepeat"><option>-V</option></arg>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap </cmdsynopsis>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap </refsynopsisdiv>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <refsection><info><title>DESCRIPTION</title></info>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap <para><command>dnssec-dsfromkey</command>
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap outputs the Delegation Signer (DS) resource record (RR), as defined in
a6d42e7d71324c5193c3b94d57d96ba2925d52e1Peter Dunlap RFC 3658 and RFC 4509, for the given key(s).
</para>
</refsection>
<refsection><info><title>OPTIONS</title></info>
<variablelist>
<varlistentry>
<term>-1</term>
<listitem>
<para>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-2</term>
<listitem>
<para>
Use SHA-256 as the digest algorithm.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
<listitem>
<para>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-C</term>
<listitem>
<para>
Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-T <replaceable class="parameter">TTL</replaceable></term>
<listitem>
<para>
Specifies the TTL of the DS records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
<para>
Look for key files (or, in keyset mode,
<filename>keyset-</filename> files) in
<option>directory</option>.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
<listitem>
<para>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the zone name is the same as
<option>file</option>, then it may be omitted.
</para>
<para>
If <option>file</option> is set to <literal>"-"</literal>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <command>dig</command>
command as input, as in:
</para>
<para>
<userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A</term>
<listitem>
<para>
Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
Generate a DLV set instead of a DS set. The specified
<option>domain</option> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-s</term>
<listitem>
<para>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
<listitem>
<para>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
<para>
Sets the debugging level.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
<para>
Prints usage information.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-V</term>
<listitem>
<para>
Prints version information.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsection>
<refsection><info><title>EXAMPLE</title></info>
<para>
To build the SHA-256 DS RR from the
<userinput>Kexample.com.+003+26160</userinput>
keyfile name, the following command would be issued:
</para>
<para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
</para>
<para>
The command would print something like:
</para>
<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
</para>
</refsection>
<refsection><info><title>FILES</title></info>
<para>
The keyfile can be designed by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
<filename>Knnnn.+aaa+iiiii.key</filename> as generated by
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
</para>
<para>
The keyset file name is built from the <option>directory</option>,
the string <filename>keyset-</filename> and the
<option>dnsname</option>.
</para>
</refsection>
<refsection><info><title>CAVEAT</title></info>
<para>
A keyfile error can give a "file not found" even if the file exists.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle>,
<citetitle>RFC 4431</citetitle>.
<citetitle>RFC 4509</citetitle>.
</para>
</refsection>
</refentry>