dnssec-dsfromkey.docbook revision 35490da6150316932957908f2f85109ecf9f7c59
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews [<!ENTITY mdash "—">]>
dde8659175c5798267fb0fdefd7576e4efe271b3Automatic Updater - Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - purpose with or without fee is hereby granted, provided that the above
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - copyright notice and this permission notice appear in all copies.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews - PERFORMANCE OF THIS SOFTWARE.
dde8659175c5798267fb0fdefd7576e4efe271b3Automatic Updater<!-- $Id: dnssec-dsfromkey.docbook,v 1.10 2009/08/26 21:56:05 jreed Exp $ -->
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refentryinfo>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </refentryinfo>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refnamediv>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refname><application>dnssec-dsfromkey</application></refname>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refpurpose>DNSSEC DS RR generation tool</refpurpose>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </refnamediv>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </copyright>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refsynopsisdiv>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <cmdsynopsis>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </cmdsynopsis>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <cmdsynopsis>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </cmdsynopsis>
832fb12cfeee424a1e5b7cfd3b2da9f39cac3708Jeremy Reed </refsynopsisdiv>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews outputs the Delegation Signer (DS) resource record (RR), as defined in
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews RFC 3658 and RFC 4509, for the given key(s).
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <variablelist>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Use SHA-1 as the digest algorithm (the default is to use
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews both SHA-1 and SHA-256).
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Use SHA-256 as the digest algorithm.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <term>-a <replaceable class="parameter">algorithm</replaceable></term>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Select the digest algorithm. The value of
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <option>algorithm</option> must be one of SHA-1 (SHA1) or
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews SHA-256 (SHA256). These values are case insensitive.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <term>-K <replaceable class="parameter">directory</replaceable></term>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt Look for key files (or, in keyset mode,
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt </varlistentry>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <varlistentry>
b272d38cc5d24f64c0647a9afb340c21c4b9aaf7Evan Hunt <term>-f <replaceable class="parameter">file</replaceable></term>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Zone file mode: in place of the keyfile name, the argument is
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews the DNS domain name of a zone master file, which can be read
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews from <option>file</option>. If the zone name is the same as
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Include ZSK's when generating DS records. Without this option,
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews only keys which have the KSK flag set will be converted to DS
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews records and printed. Useful only in zone file mode.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <term>-l <replaceable class="parameter">domain</replaceable></term>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Generate a DLV set instead of a DS set. The specified
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <option>domain</option> is appended to the name for each
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews record in the set.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews The DNSSEC Lookaside Validation (DLV) RR is described
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews in RFC 4431.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Keyset mode: in place of the keyfile name, the argument is
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews the DNS domain name of a keyset file.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <term>-c <replaceable class="parameter">class</replaceable></term>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews Specifies the DNS class (default is IN). Useful only
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews in keyset or zone file mode.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <term>-v <replaceable class="parameter">level</replaceable></term>
832fb12cfeee424a1e5b7cfd3b2da9f39cac3708Jeremy Reed Sets the debugging level.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </varlistentry>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews </variablelist>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews To build the SHA-256 DS RR from the
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews keyfile name, the following command would be issued:
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews The command would print something like:
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews The keyfile can be designed by the key identification
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <filename>Knnnn.+aaa+iiiii</filename> or the full file name
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews The keyset file name is built from the <option>directory</option>,
582f8b9a8d170a80ef67475bddb8ad5cf7cd7cadMark Andrews the string <filename>keyset-</filename> and the
59a4c9c6b4e8af2553216894e5ed8fd879987b7cAutomatic Updater A keyfile error can give a "file not found" even if the file exists.