dnssec-dsfromkey.docbook revision 37dee1ff94960a61243f611c0f87f8c316815c53
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 [<!ENTITY mdash "—">]>
 - Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-dsfromkey.docbook,v 1.11 2010/12/23 04:07:59 marka Exp $ -->
<refentryinfo>
</refentryinfo>
<refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
<refnamediv>
<refname><application>dnssec-dsfromkey</application></refname>
<refpurpose>DNSSEC DS RR generation tool</refpurpose>
</refnamediv>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<refsynopsisdiv>
<cmdsynopsis>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
</cmdsynopsis>
<cmdsynopsis>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
<variablelist>
<varlistentry>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</varlistentry>
<varlistentry>
Use SHA-256 as the digest algorithm.
</varlistentry>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1),
SHA-256 (SHA256) or GOST. These values are case insensitive.
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
Look for key files (or, in keyset mode,
</varlistentry>
<varlistentry>
<term>-f <replaceable class="parameter">file</replaceable></term>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <option>file</option>. If the zone name is the same as
</varlistentry>
<varlistentry>
Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
Generate a DLV set instead of a DS set. The specified
<option>domain</option> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431.
</varlistentry>
<varlistentry>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
</varlistentry>
</variablelist>
To build the SHA-256 DS RR from the
keyfile name, the following command would be issued:
<para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
The command would print something like:
<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
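The fields of a DS record like the one printed above are the key tag, the key algorithm, the digest type and a digest taken over the owner name in canonical wire form followed by the DNSKEY RDATA (RFC 4034, RFC 4509). The following Python code is an added example, not part of the BIND documentation or source, that derives those fields and applies the KSK-only filter described for zone file mode; the function names and the sample key are assumptions constructed for illustration, and GOST is left out.

```python
import base64
import hashlib

# DS digest type numbers (RFC 4034, RFC 4509) mapped to hashlib names.
DIGESTS = {1: "sha1", 2: "sha256"}


def name_to_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lower-cased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line: str):
    """Parse '<owner> [ttl] [class] DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], flags, alg, rdata


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    total = sum(b * 256 if i % 2 == 0 else b for i, b in enumerate(rdata))
    total += total >> 16          # fold the carry back in
    return total % 0x10000        # keep the low 16 bits


def ds_from_dnskey(line: str, digest_type: int = 2, include_zsk: bool = False):
    """Return DS presentation text, or None for a non-KSK key unless include_zsk."""
    owner, flags, alg, rdata = parse_dnskey(line)
    # The SEP (KSK) flag is the lowest bit of the flags field: 257 = KSK, 256 = ZSK.
    if flags % 2 == 0 and not include_zsk:
        return None
    h = hashlib.new(DIGESTS[digest_type], name_to_wire(owner) + rdata)
    return f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} {h.hexdigest().upper()}"


# Constructed sample: the public key bytes are 01..08, not a real RSA key.
SAMPLE_KSK = "example.com. IN DNSKEY 257 3 8 AQIDBAUGBwg="

if __name__ == "__main__":
    print(ds_from_dnskey(SAMPLE_KSK, 1))
    print(ds_from_dnskey(SAMPLE_KSK, 2))
```

Comparing the output of such a recomputation with the DS set published at the parent is a quick check that the delegation points at the key actually in the zone.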
The keyfile can be designated by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
<filename>Knnnn.+aaa+iiiii.key</filename> as generated by
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
The keyset file name is built from the <option>directory</option>,
the string <filename>keyset-</filename> and the
A keyfile error can give a "file not found" even if the file exists.
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<para><corpauthor>Internet Systems Consortium</corpauthor>
 - Local variables:
 - mode: sgml