dnssec-dsfromkey.docbook revision dde8659175c5798267fb0fdefd7576e4efe271b3
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "—">]>
 - Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-dsfromkey.docbook,v 1.8 2009/06/17 23:53:04 tbox Exp $ -->
<refentryinfo>
</refentryinfo>
<refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
<refnamediv>
<refname><application>dnssec-dsfromkey</application></refname>
<refpurpose>DNSSEC DS RR generation tool</refpurpose>
</refnamediv>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<refsynopsisdiv>
<cmdsynopsis>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
</cmdsynopsis>
<cmdsynopsis>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<application>dnssec-dsfromkey</application>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
<variablelist>
<varlistentry>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
</varlistentry>
<varlistentry>
Use SHA-256 as the digest algorithm.
</varlistentry>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1) or
SHA-256 (SHA256). These values are case insensitive.
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
</varlistentry>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
Generate a DLV set instead of a DS set. The specified
<option>domain</option> is appended to the name for each
record in the set.
</varlistentry>
<varlistentry>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file. The following options make sense
only in this mode.
</varlistentry>
<varlistentry>
<term>-c <replaceable class="parameter">class</replaceable></term>
Specifies the DNS class (default is IN), useful only
in the keyset mode.
</varlistentry>
<varlistentry>
<term>-d <replaceable class="parameter">directory</replaceable></term>
<option>directory</option> as the directory, ignored when
not in the keyset mode.
</varlistentry>
</variablelist>
To build the SHA-256 DS RR from the
keyfile name, the following command would be issued:
<para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
The command would print something like:
<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
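How the fields of a DS line like the one above are derived from a DNSKEY record, and how to check that a published DS really belongs to a given key, shown as an added example (not part of the original page or of the BIND sources). The function names and the sample key are constructed for illustration. It assumes one record per line, no escaped characters in the owner name, and a key algorithm other than 1 (RSA/MD5), which uses a different key tag rule.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types (options -1 / -2)

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...' -> (owner, rdata)."""
    tok = line.split()
    i = tok.index("DNSKEY")
    flags, proto, alg = (int(t) for t in tok[i + 1:i + 4])
    key = base64.b64decode("".join(tok[i + 4:]))
    return tok[0], struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(line, digest_type=2):
    """DS text for one DNSKEY line: digest over owner name (wire form) + RDATA."""
    owner, rdata = parse_dnskey(line)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner.lower()} IN DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"

def ds_matches(dnskey_line, ds_line):
    """True if a published DS record was derived from this DNSKEY."""
    tok = ds_line.split()
    i = tok.index("DS")
    tag, alg, dtype = (int(t) for t in tok[i + 1:i + 4])
    if dtype not in DIGESTS:
        return False
    want = make_ds(dnskey_line, dtype).split()
    published = "".join(tok[i + 4:]).upper()  # digest may be printed in chunks
    same_owner = name_to_wire(tok[0]) == name_to_wire(want[0])
    return same_owner and (tag, alg) == (int(want[3]), int(want[4])) and published == want[6]

# Constructed sample, not a real key: the "public key" is the 4 bytes 01 02 03 04.
SAMPLE_KEY = "example.com. IN DNSKEY 257 3 8 AQIDBA=="

if __name__ == "__main__":
    for dtype in (1, 2):
        print(make_ds(SAMPLE_KEY, dtype))
```
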
The keyfile can be designated by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
<filename>Knnnn.+aaa+iiiii.key</filename> as generated by
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
The keyset file name is built from the <option>directory</option>,
the string <filename>keyset-</filename> and the
A keyfile error can give a "file not found" even if the file exists.
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<para><corpauthor>Internet Systems Consortium</corpauthor>