dnssec-dsfromkey.docbook revision 2eeb74d1cf5355dd98f6d507a10086e16bb08c4b
431e5c81dbd81cf411b9a187fa5f611f23c0e16fTinderbox User - Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - purpose with or without fee is hereby granted, provided that the above
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - copyright notice and this permission notice appear in all copies.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - PERFORMANCE OF THIS SOFTWARE.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<!-- Converted by db4-upgrade version 1.0 -->
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-dsfromkey">
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refentryinfo>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </refentryinfo>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refnamediv>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refname><application>dnssec-dsfromkey</application></refname>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refpurpose>DNSSEC DS RR generation tool</refpurpose>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </refnamediv>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </copyright>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-1</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-2</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-C</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </cmdsynopsis>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-1</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-2</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-s</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-c <replaceable class="parameter">class</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-f <replaceable class="parameter">file</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-A</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </cmdsynopsis>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-h</option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg choice="opt" rep="norepeat"><option>-V</option></arg>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman </cmdsynopsis>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </refsynopsisdiv>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <refsection><info><title>DESCRIPTION</title></info>
832fb12cfeee424a1e5b7cfd3b2da9f39cac3708Jeremy Reed outputs the Delegation Signer (DS) resource record (RR), as defined in
e17cb80d7cebc23a4de75376155f2231dea193e6Mark Andrews RFC 3658 and RFC 4509, for the given key(s).
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <variablelist>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Use SHA-1 as the digest algorithm (the default is to use
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews both SHA-1 and SHA-256).
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Use SHA-256 as the digest algorithm.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <term>-a <replaceable class="parameter">algorithm</replaceable></term>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Select the digest algorithm. The value of
37dee1ff94960a61243f611c0f87f8c316815c53Mark Andrews <option>algorithm</option> must be one of SHA-1 (SHA1),
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews SHA-256 (SHA256), GOST or SHA-384 (SHA384).
aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews These values are case insensitive.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
598b502695802c3d4e23316b85368e54f39f5cabMark Andrews <varlistentry>
598b502695802c3d4e23316b85368e54f39f5cabMark Andrews Generate CDS records rather than DS records. This is mutually
598b502695802c3d4e23316b85368e54f39f5cabMark Andrews exclusive with generating lookaside records.
598b502695802c3d4e23316b85368e54f39f5cabMark Andrews </varlistentry>
b1c6de5456a5287b442de5620282902da39a4968Mark Andrews <varlistentry>
b1c6de5456a5287b442de5620282902da39a4968Mark Andrews <term>-T <replaceable class="parameter">TTL</replaceable></term>
b1c6de5456a5287b442de5620282902da39a4968Mark Andrews Specifies the TTL of the DS records.
b1c6de5456a5287b442de5620282902da39a4968Mark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-K <replaceable class="parameter">directory</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Look for key files (or, in keyset mode,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-f <replaceable class="parameter">file</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Zone file mode: in place of the keyfile name, the argument is
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt the DNS domain name of a zone master file, which can be read
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt from <option>file</option>. If the zone name is the same as
0a82492610e2424bb999946bd6e5a13c83f453b4Mark Andrews If <option>file</option> is set to <literal>"-"</literal>, then
0a82492610e2424bb999946bd6e5a13c83f453b4Mark Andrews the zone data is read from the standard input. This makes it
0a82492610e2424bb999946bd6e5a13c83f453b4Mark Andrews possible to use the output of the <command>dig</command>
0a82492610e2424bb999946bd6e5a13c83f453b4Mark Andrews command as input, as in:
0a82492610e2424bb999946bd6e5a13c83f453b4Mark Andrews <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt </varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <varlistentry>
edad003e630cf9a25db88d95247d10eb96117d66Jeremy C. Reed Include ZSKs when generating DS records. Without this option,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt only keys which have the KSK flag set will be converted to DS
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt records and printed. Useful only in zone file mode.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <varlistentry>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <term>-l <replaceable class="parameter">domain</replaceable></term>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt Generate a DLV set instead of a DS set. The specified
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <option>domain</option> is appended to the name for each
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt record in the set.
35490da6150316932957908f2f85109ecf9f7c59Jeremy Reed The DNSSEC Lookaside Validation (DLV) RR is described
598b502695802c3d4e23316b85368e54f39f5cabMark Andrews in RFC 4431. This is mutually exclusive with generating
598b502695802c3d4e23316b85368e54f39f5cabMark Andrews CDS records.
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Keyset mode: in place of the keyfile name, the argument is
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt the DNS domain name of a keyset file.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <term>-c <replaceable class="parameter">class</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Specifies the DNS class (default is IN). Useful only
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt in keyset or zone file mode.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <term>-v <replaceable class="parameter">level</replaceable></term>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the debugging level.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman Prints usage information.
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman </varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman <varlistentry>
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman Prints version information.
42782931073786f98d3d0a617351db40066949a4Mukund Sivaraman </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </variablelist>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews To build the SHA-256 DS RR from the
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews keyfile name, the following command would be issued:
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews The command would print something like:
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews The keyfile can be designed by the key identification
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <filename>Knnnn.+aaa+iiiii</filename> or the full file name
832fb12cfeee424a1e5b7cfd3b2da9f39cac3708Jeremy Reed <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews The keyset file name is built from the <option>directory</option>,
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews the string <filename>keyset-</filename> and the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews A keyfile error can give a "file not found" even if the file exists.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </citerefentry>,
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <citerefentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </citerefentry>,
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </refsection>