dnssec-dsfromkey.docbook revision 2eeb74d1cf5355dd98f6d507a10086e16bb08c4b
3b4098640dd85040270f39b9a5ee5e22de99d3d6Mark Andrews - Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Permission to use, copy, modify, and/or distribute this software for any
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<!-- Converted by db4-upgrade version 1.0 -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <refentryinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refentryinfo>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refnamediv>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refname><application>dnssec-dsfromkey</application></refname>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refpurpose>DNSSEC DS RR generation tool</refpurpose>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refnamediv>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </copyright>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <refsynopsisdiv>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-1</option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-2</option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg choice="opt" rep="norepeat"><option>-C</option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </cmdsynopsis>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg choice="opt" rep="norepeat"><option>-1</option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-2</option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-s</option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg choice="opt" rep="norepeat"><option>-A</option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </cmdsynopsis>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <arg choice="opt" rep="norepeat"><option>-h</option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <arg choice="opt" rep="norepeat"><option>-V</option></arg>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </cmdsynopsis>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refsynopsisdiv>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <refsection><info><title>DESCRIPTION</title></info>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein outputs the Delegation Signer (DS) resource record (RR), as defined in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein RFC 3658 and RFC 4509, for the given key(s).
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refsection>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <variablelist>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Use SHA-1 as the digest algorithm (the default is to use
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews both SHA-1 and SHA-256).
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Use SHA-256 as the digest algorithm.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-a <replaceable class="parameter">algorithm</replaceable></term>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Select the digest algorithm. The value of
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <option>algorithm</option> must be one of SHA-1 (SHA1),
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein SHA-256 (SHA256), GOST or SHA-384 (SHA384).
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews These values are case insensitive.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Generate CDS records rather than DS records. This is mutually
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein exclusive with generating lookaside records.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <term>-T <replaceable class="parameter">TTL</replaceable></term>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Specifies the TTL of the DS records.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <term>-K <replaceable class="parameter">directory</replaceable></term>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Look for key files (or, in keyset mode,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <term>-f <replaceable class="parameter">file</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Zone file mode: in place of the keyfile name, the argument is
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the DNS domain name of a zone master file, which can be read
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews from <option>file</option>. If the zone name is the same as
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein If <option>file</option> is set to <literal>"-"</literal>, then
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews the zone data is read from the standard input. This makes it
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein possible to use the output of the <command>dig</command>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews command as input, as in:
7208386cd37a2092c70eddf80cf29519b16c4c80Mark Andrews <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Include ZSKs when generating DS records. Without this option,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein only keys which have the KSK flag set will be converted to DS
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein records and printed. Useful only in zone file mode.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <term>-l <replaceable class="parameter">domain</replaceable></term>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Generate a DLV set instead of a DS set. The specified
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <option>domain</option> is appended to the name for each
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews record in the set.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews The DNSSEC Lookaside Validation (DLV) RR is described
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews in RFC 4431. This is mutually exclusive with generating
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein CDS records.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Keyset mode: in place of the keyfile name, the argument is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the DNS domain name of a keyset file.
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <term>-c <replaceable class="parameter">class</replaceable></term>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specifies the DNS class (default is IN). Useful only
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews in keyset or zone file mode.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <term>-v <replaceable class="parameter">level</replaceable></term>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Sets the debugging level.
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews </varlistentry>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <varlistentry>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Prints usage information.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Prints version information.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </varlistentry>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </variablelist>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </refsection>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein To build the SHA-256 DS RR from the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein keyfile name, the following command would be issued:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>