bin/dnssec/dnssec-dsfromkey.docbook

	dnssec-dsfromkey.docbook revision 35490da6150316932957908f2f85109ecf9f7c59
49dbdb0186eb23d87d685b96eaefa9ec3c71d9b8David Lawrence<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
499b34cea04a46823d003d4c0520c8b03e8513cbBrian Wellington               [<!ENTITY mdash "&#8212;">]>
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence<!--
49dbdb0186eb23d87d685b96eaefa9ec3c71d9b8David Lawrence - Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
49dbdb0186eb23d87d685b96eaefa9ec3c71d9b8David Lawrence -
49dbdb0186eb23d87d685b96eaefa9ec3c71d9b8David Lawrence - Permission to use, copy, modify, and/or distribute this software for any
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence - purpose with or without fee is hereby granted, provided that the above
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - copyright notice and this permission notice appear in all copies.
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews -
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
49dbdb0186eb23d87d685b96eaefa9ec3c71d9b8David Lawrence - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence - PERFORMANCE OF THIS SOFTWARE.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein-->
bac5798358e0a6f7f72224d2d907414517631d38David Lawrence
bac5798358e0a6f7f72224d2d907414517631d38David Lawrence<!-- $Id: dnssec-dsfromkey.docbook,v 1.10 2009/08/26 21:56:05 jreed Exp $ -->
bac5798358e0a6f7f72224d2d907414517631d38David Lawrence<refentry id="man.dnssec-dsfromkey">
9c3531d72aeaad6c5f01efe6a1c82023e1379e4dDavid Lawrence  <refentryinfo>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein    <date>August 26, 2009</date>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein  </refentryinfo>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  <refmeta>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    <manvolnum>8</manvolnum>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    <refmiscinfo>BIND9</refmiscinfo>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  </refmeta>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  <refnamediv>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    <refname><application>dnssec-dsfromkey</application></refname>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    <refpurpose>DNSSEC DS RR generation tool</refpurpose>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  </refnamediv>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  <docinfo>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    <copyright>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <year>2008</year>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <year>2009</year>
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    </copyright>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  </docinfo>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  <refsynopsisdiv>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein    <cmdsynopsis>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein      <command>dnssec-dsfromkey</command>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg><option>-1</option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg><option>-2</option></arg>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein      <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg choice="req">keyfile</arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    </cmdsynopsis>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein    <cmdsynopsis>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <command>dnssec-dsfromkey</command>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg choice="req">-s</arg>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein      <arg><option>-1</option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg><option>-2</option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein      <arg><option>-s</option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg><option>-A</option></arg>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <arg choice="req">dnsname</arg>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence   </cmdsynopsis>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  </refsynopsisdiv>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  <refsect1>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    <title>DESCRIPTION</title>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    <para><command>dnssec-dsfromkey</command>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein      outputs the Delegation Signer (DS) resource record (RR), as defined in
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      RFC 3658 and RFC 4509, for the given key(s).
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    </para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  </refsect1>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence  <refsect1>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence    <title>OPTIONS</title>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein    <variablelist>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <varlistentry>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein        <term>-1</term>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <listitem>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein          <para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            Use SHA-1 as the digest algorithm (the default is to use
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            both SHA-1 and SHA-256).
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence          </para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        </listitem>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      </varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <varlistentry>
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence        <term>-2</term>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <listitem>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence          <para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            Use SHA-256 as the digest algorithm.
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence          </para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        </listitem>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      </varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <listitem>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein          <para>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein            Select the digest algorithm. The value of
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein            <option>algorithm</option> must be one of SHA-1 (SHA1) or
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            SHA-256 (SHA256). These values are case insensitive.
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein          </para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        </listitem>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      </varlistentry>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <term>-K <replaceable class="parameter">directory</replaceable></term>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein        <listitem>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein          <para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            Look for key files (or, in keyset mode,
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            <filename>keyset-</filename> files) in
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein            <option>directory</option>.
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence          </para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        </listitem>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein      </varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <term>-f <replaceable class="parameter">file</replaceable></term>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <listitem>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence          <para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            Zone file mode: in place of the keyfile name, the argument is
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            the DNS domain name of a zone master file, which can be read
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            from <option>file</option>.  If the zone name is the same as
bac5798358e0a6f7f72224d2d907414517631d38David Lawrence            <option>file</option>, then it may be omitted.
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence          </para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        </listitem>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      </varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <varlistentry>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein        <term>-A</term>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein        <listitem>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein          <para>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein            Include ZSK's when generating DS records.  Without this option,
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            only keys which have the KSK flag set will be converted to DS
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            records and printed.  Useful only in zone file mode.
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence          </para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        </listitem>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein      </varlistentry>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein      <varlistentry>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein        <term>-l <replaceable class="parameter">domain</replaceable></term>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein        <listitem>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein          <para>
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein            Generate a DLV set instead of a DS set.  The specified
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            <option>domain</option> is appended to the name for each
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein            record in the set.
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            The DNSSEC Lookaside Validation (DLV) RR is described
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            in RFC 4431.
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence          </para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        </listitem>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      </varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <term>-s</term>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <listitem>
bac5798358e0a6f7f72224d2d907414517631d38David Lawrence          <para>
bac5798358e0a6f7f72224d2d907414517631d38David Lawrence            Keyset mode: in place of the keyfile name, the argument is
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence            the DNS domain name of a keyset file.
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence          </para>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        </listitem>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      </varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence      <varlistentry>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <term>-c <replaceable class="parameter">class</replaceable></term>
a904de0bc85cc3974a87a32deedb69d6a68ec36cDavid Lawrence        <listitem>
bac5798358e0a6f7f72224d2d907414517631d38David Lawrence          <para>
bac5798358e0a6f7f72224d2d907414517631d38David Lawrence            Specifies the DNS class (default is IN).  Useful only
bac5798358e0a6f7f72224d2d907414517631d38David Lawrence            in keyset or zone file mode.
bac5798358e0a6f7f72224d2d907414517631d38David Lawrence          </para>
      </listitem>
      </varlistentry>

      <varlistentry>
        <term>-v <replaceable class="parameter">level</replaceable></term>
        <listitem>
          <para>
            Sets the debugging level.
          </para>
        </listitem>
      </varlistentry>
    </variablelist>
  </refsect1>

  <refsect1>
    <title>EXAMPLE</title>
    <para>
      To build the SHA-256 DS RR from the
      <userinput>Kexample.com.+003+26160</userinput>
      keyfile name, the following command would be issued:
    </para>
    <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
    </para>
    <para>
      The command would print something like:
    </para>
    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
    </para>
  </refsect1>

  <refsect1>
    <title>FILES</title>
    <para>
      The keyfile can be designed by the key identification
      <filename>Knnnn.+aaa+iiiii</filename> or the full file name
      <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
      <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
    </para>
    <para>
      The keyset file name is built from the <option>directory</option>,
      the string <filename>keyset-</filename> and the
      <option>dnsname</option>.
    </para>
  </refsect1>

  <refsect1>
    <title>CAVEAT</title>
    <para>
      A keyfile error can give a "file not found" even if the file exists.
    </para>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>
    <para><citerefentry>
        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
      <citetitle>RFC 3658</citetitle>,
      <citetitle>RFC 4431</citetitle>.
      <citetitle>RFC 4509</citetitle>.
    </para>
  </refsect1>

  <refsect1>
    <title>AUTHOR</title>
    <para><corpauthor>Internet Systems Consortium</corpauthor>
    </para>
  </refsect1>

</refentry><!--
 - Local variables:
 - mode: sgml
 - End:
-->