dnssec-dsfromkey.docbook revision 99d8f5a70440ee8b63ab1745d713b96dde890546
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User [<!ENTITY mdash "—">]>
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt - purpose with or without fee is hereby granted, provided that the above
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews - copyright notice and this permission notice appear in all copies.
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater - PERFORMANCE OF THIS SOFTWARE.
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt<!-- $Id: dnssec-dsfromkey.docbook,v 1.17 2011/10/25 01:54:18 marka Exp $ -->
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <refentryinfo>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt </refentryinfo>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <refnamediv>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <refname><application>dnssec-dsfromkey</application></refname>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <refpurpose>DNSSEC DS RR generation tool</refpurpose>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </refnamediv>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
f5ae3cca1d2832239cc821bdef77e90c1739e66dTinderbox User <refsynopsisdiv>
ec899c963c91c16c393e067996400ae244921110Tinderbox User <cmdsynopsis>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
ec899c963c91c16c393e067996400ae244921110Tinderbox User <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
ec899c963c91c16c393e067996400ae244921110Tinderbox User <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt </cmdsynopsis>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <cmdsynopsis>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
ec899c963c91c16c393e067996400ae244921110Tinderbox User <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
ec899c963c91c16c393e067996400ae244921110Tinderbox User <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
9d557856c2a19ec95ee73245f60a92f8675cf5baTinderbox User </cmdsynopsis>
ec899c963c91c16c393e067996400ae244921110Tinderbox User </refsynopsisdiv>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User outputs the Delegation Signer (DS) resource record (RR), as defined in
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User RFC 3658 and RFC 4509, for the given key(s).
ec899c963c91c16c393e067996400ae244921110Tinderbox User <variablelist>
ec899c963c91c16c393e067996400ae244921110Tinderbox User <varlistentry>
ec899c963c91c16c393e067996400ae244921110Tinderbox User Use SHA-1 as the digest algorithm (the default is to use
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User both SHA-1 and SHA-256).
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt </varlistentry>
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater <varlistentry>
7ae7246a6339bb3a79ffc9f2f9c486de9a2bf65eAutomatic Updater Use SHA-256 as the digest algorithm.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <term>-a <replaceable class="parameter">algorithm</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Select the digest algorithm. The value of
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <option>algorithm</option> must be one of SHA-1 (SHA1),
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User SHA-256 (SHA256), GOST or SHA-384 (SHA384).
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt These values are case insensitive.
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt </varlistentry>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <varlistentry>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <term>-T <replaceable class="parameter">TTL</replaceable></term>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Specifies the TTL of the DS records.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
ec899c963c91c16c393e067996400ae244921110Tinderbox User <term>-K <replaceable class="parameter">directory</replaceable></term>
2cbb4ab75757fbb656997a82c14ca07db37d481aAutomatic Updater Look for key files (or, in keyset mode,
7ae7246a6339bb3a79ffc9f2f9c486de9a2bf65eAutomatic Updater </varlistentry>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <varlistentry>
ec899c963c91c16c393e067996400ae244921110Tinderbox User <term>-f <replaceable class="parameter">file</replaceable></term>
7ae7246a6339bb3a79ffc9f2f9c486de9a2bf65eAutomatic Updater Zone file mode: in place of the keyfile name, the argument is
ec899c963c91c16c393e067996400ae244921110Tinderbox User the DNS domain name of a zone master file, which can be read
ec899c963c91c16c393e067996400ae244921110Tinderbox User from <option>file</option>. If the zone name is the same as
ec899c963c91c16c393e067996400ae244921110Tinderbox User <option>file</option>, then it may be omitted.
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt If <option>file</option> is set to <literal>"-"</literal>, then
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User the zone data is read from the standard input. This makes it
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User possible to use the output of the <command>dig</command>
7e71f05d8643aca84914437c900cb716444507e4Tinderbox User command as input, as in:
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User </varlistentry>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <varlistentry>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt Include ZSK's when generating DS records. Without this option,
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt only keys which have the KSK flag set will be converted to DS
cd32f419a8a5432fbb139f56ee73cbf68b9350ccTinderbox User records and printed. Useful only in zone file mode.
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt </varlistentry>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <varlistentry>
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <term>-l <replaceable class="parameter">domain</replaceable></term>
e2e4d321999340802f77adaacd19c797d04b4b95Automatic Updater Generate a DLV set instead of a DS set. The specified
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt <option>domain</option> is appended to the name for each
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt record in the set.
76786c2904942b708d8a7a4659df74da5dc9446eEvan Hunt The DNSSEC Lookaside Validation (DLV) RR is described
<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>