bin/dnssec/dnssec-dsfromkey.docbook

	dnssec-dsfromkey.docbook revision dde8659175c5798267fb0fdefd7576e4efe271b3
6362N/A<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
6362N/A               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
6362N/A               [<!ENTITY mdash "&#8212;">]>
6362N/A<!--
6362N/A - Copyright (C) 2008, 2009  Internet Systems Consortium, Inc. ("ISC")
6362N/A -
6362N/A - Permission to use, copy, modify, and/or distribute this software for any
6362N/A - purpose with or without fee is hereby granted, provided that the above
6362N/A - copyright notice and this permission notice appear in all copies.
6362N/A -
6362N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
6362N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
6362N/A - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
6362N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
6362N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
6362N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
6362N/A - PERFORMANCE OF THIS SOFTWARE.
6362N/A-->
6362N/A
6362N/A<!-- $Id: dnssec-dsfromkey.docbook,v 1.8 2009/06/17 23:53:04 tbox Exp $ -->
6362N/A<refentry id="man.dnssec-dsfromkey">
6362N/A  <refentryinfo>
6362N/A    <date>November 29, 2008</date>
6362N/A  </refentryinfo>
6362N/A
6362N/A  <refmeta>
6362N/A    <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
6362N/A    <manvolnum>8</manvolnum>
6362N/A    <refmiscinfo>BIND9</refmiscinfo>
6362N/A  </refmeta>
6362N/A
6362N/A  <refnamediv>
6362N/A    <refname><application>dnssec-dsfromkey</application></refname>
6362N/A    <refpurpose>DNSSEC DS RR generation tool</refpurpose>
6362N/A  </refnamediv>
6362N/A
6362N/A  <docinfo>
6362N/A    <copyright>
6362N/A      <year>2008</year>
6362N/A      <year>2009</year>
6362N/A      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
6362N/A    </copyright>
6362N/A  </docinfo>
6362N/A
6362N/A  <refsynopsisdiv>
6362N/A    <cmdsynopsis>
6362N/A      <command>dnssec-dsfromkey</command>
6362N/A      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
6362N/A      <arg><option>-1</option></arg>
6362N/A      <arg><option>-2</option></arg>
6362N/A      <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
6362N/A      <arg choice="req">keyfile</arg>
6362N/A    </cmdsynopsis>
6362N/A    <cmdsynopsis>
6362N/A      <command>dnssec-dsfromkey</command>
6362N/A      <arg choice="req">-s</arg>
6362N/A      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
6362N/A      <arg><option>-1</option></arg>
6362N/A      <arg><option>-2</option></arg>
6362N/A      <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
6362N/A      <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
6362N/A      <arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg>
6362N/A      <arg choice="req">dnsname</arg>
6362N/A   </cmdsynopsis>
6362N/A  </refsynopsisdiv>
6362N/A
6362N/A  <refsect1>
6362N/A    <title>DESCRIPTION</title>
6362N/A    <para><command>dnssec-dsfromkey</command>
6362N/A      outputs the Delegation Signer (DS) resource record (RR), as defined in
6362N/A      RFC 3658 and RFC 4509, for the given key(s).
6362N/A    </para>
6362N/A  </refsect1>
6362N/A
6362N/A  <refsect1>
6362N/A    <title>OPTIONS</title>
6362N/A
6362N/A    <variablelist>
6362N/A      <varlistentry>
6362N/A        <term>-1</term>
6362N/A        <listitem>
6362N/A          <para>
6362N/A            Use SHA-1 as the digest algorithm (the default is to use
6362N/A            both SHA-1 and SHA-256).
6362N/A          </para>
6362N/A        </listitem>
6362N/A      </varlistentry>
6362N/A
6362N/A      <varlistentry>
6362N/A        <term>-2</term>
        <listitem>
          <para>
            Use SHA-256 as the digest algorithm.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-a <replaceable class="parameter">algorithm</replaceable></term>
        <listitem>
          <para>
            Select the digest algorithm. The value of
            <option>algorithm</option> must be one of SHA-1 (SHA1) or
            SHA-256 (SHA256). These values are case insensitive.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-v <replaceable class="parameter">level</replaceable></term>
        <listitem>
          <para>
            Sets the debugging level.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-l <replaceable class="parameter">domain</replaceable></term>
        <listitem>
          <para>
            Generate a DLV set instead of a DS set.  The specified
            <option>domain</option> is appended to the name for each
            record in the set.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-s</term>
        <listitem>
          <para>
            Keyset mode: in place of the keyfile name, the argument is
            the DNS domain name of a keyset file. Following options make sense
            only in this mode.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-c <replaceable class="parameter">class</replaceable></term>
        <listitem>
          <para>
            Specifies the DNS class (default is IN), useful only
            in the keyset mode.
          </para>
      </listitem>
      </varlistentry>

      <varlistentry>
        <term>-d <replaceable class="parameter">directory</replaceable></term>
        <listitem>
          <para>
            Look for <filename>keyset</filename> files in
            <option>directory</option> as the directory, ignored when
            not in the keyset mode.
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>EXAMPLE</title>
    <para>
      To build the SHA-256 DS RR from the
      <userinput>Kexample.com.+003+26160</userinput>
      keyfile name, the following command would be issued:
    </para>
    <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
    </para>
    <para>
      The command would print something like:
    </para>
    <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
    </para>
  </refsect1>

  <refsect1>
    <title>FILES</title>
    <para>
      The keyfile can be designed by the key identification
      <filename>Knnnn.+aaa+iiiii</filename> or the full file name
      <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
      <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
    </para>
    <para>
      The keyset file name is built from the <option>directory</option>,
      the string <filename>keyset-</filename> and the
      <option>dnsname</option>.
    </para>
  </refsect1>

  <refsect1>
    <title>CAVEAT</title>
    <para>
      A keyfile error can give a "file not found" even if the file exists.
    </para>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>
    <para><citerefentry>
        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
      <citetitle>RFC 3658</citetitle>,
      <citetitle>RFC 4509</citetitle>.
    </para>
  </refsect1>

  <refsect1>
    <title>AUTHOR</title>
    <para><corpauthor>Internet Systems Consortium</corpauthor>
    </para>
  </refsect1>

</refentry><!--
 - Local variables:
 - mode: sgml
 - End:
-->