2a6c49cfaef5979a5a06098f3ce987cd76769409manoj<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"

f6a6245816cd866361da8c576b1f47c7a54b6610fanf "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj [<!ENTITY mdash "&#8212;">]>

85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddard

85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddard<refentry id="man.dnssec-dsfromkey">

85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddard <refentryinfo>

85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddard <date>May 02, 2012</date>

2aae6faee508221efbeaba5547ca79b7a20ef047stoddard </refentryinfo>

2aae6faee508221efbeaba5547ca79b7a20ef047stoddard

2aae6faee508221efbeaba5547ca79b7a20ef047stoddard <refmeta>

40a5b7189dbbb28e107bf008ee625f2f0142c2ccdgaudet <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>

2aae6faee508221efbeaba5547ca79b7a20ef047stoddard <manvolnum>8</manvolnum>

75960f20f88dad6bc67892c711c429946063d133stoddard <refmiscinfo>BIND9</refmiscinfo>

75960f20f88dad6bc67892c711c429946063d133stoddard </refmeta>

75960f20f88dad6bc67892c711c429946063d133stoddard

75960f20f88dad6bc67892c711c429946063d133stoddard <refnamediv>

4065b438067f3f08d0bd98b31ac4085b581b931dstoddard <refname><application>dnssec-dsfromkey</application></refname>

4065b438067f3f08d0bd98b31ac4085b581b931dstoddard <refpurpose>DNSSEC DS RR generation tool</refpurpose>

2739add8add66e21526ce27f83c2ae133d089070rbb </refnamediv>

2739add8add66e21526ce27f83c2ae133d089070rbb

4065b438067f3f08d0bd98b31ac4085b581b931dstoddard <docinfo>

211bf1d44f4653bf753a15740cd5ebbf330b6e93manoj <copyright>

211bf1d44f4653bf753a15740cd5ebbf330b6e93manoj <year>2008</year>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <year>2009</year>

369edcdd0a9c5516c61e736ec2a6fc8fb0d92fe2manoj <year>2010</year>

369edcdd0a9c5516c61e736ec2a6fc8fb0d92fe2manoj <year>2011</year>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <year>2012</year>

85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddard <year>2014</year>

85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddard <holder>Internet Systems Consortium, Inc. ("ISC")</holder>

85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddard </copyright>

75960f20f88dad6bc67892c711c429946063d133stoddard </docinfo>

75960f20f88dad6bc67892c711c429946063d133stoddard

75960f20f88dad6bc67892c711c429946063d133stoddard <refsynopsisdiv>

75960f20f88dad6bc67892c711c429946063d133stoddard <cmdsynopsis>

75960f20f88dad6bc67892c711c429946063d133stoddard <command>dnssec-dsfromkey</command>

75960f20f88dad6bc67892c711c429946063d133stoddard <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>

75960f20f88dad6bc67892c711c429946063d133stoddard <arg><option>-1</option></arg>

75960f20f88dad6bc67892c711c429946063d133stoddard <arg><option>-2</option></arg>

75960f20f88dad6bc67892c711c429946063d133stoddard <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>

75960f20f88dad6bc67892c711c429946063d133stoddard <arg><option>-C</option></arg>

75960f20f88dad6bc67892c711c429946063d133stoddard <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>

75960f20f88dad6bc67892c711c429946063d133stoddard <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <arg choice="req">keyfile</arg>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </cmdsynopsis>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <cmdsynopsis>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <command>dnssec-dsfromkey</command>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <arg choice="req">-s</arg>

70f6f32765cfaadd6da8de6f0fea97ddd72d8fadmanoj <arg><option>-1</option></arg>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <arg><option>-2</option></arg>

56ca30c968906053ae61acb218420667bb58d996rbb <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>

56ca30c968906053ae61acb218420667bb58d996rbb <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>

a9e07e4f90adcc7bc768db3055431c3dcd560cd1manoj <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>

f6a6245816cd866361da8c576b1f47c7a54b6610fanf <arg><option>-s</option></arg>

f6a6245816cd866361da8c576b1f47c7a54b6610fanf <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>

a9e07e4f90adcc7bc768db3055431c3dcd560cd1manoj <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <arg><option>-A</option></arg>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet <arg choice="req">dnsname</arg>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet </cmdsynopsis>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet <cmdsynopsis>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet <command>dnssec-dsfromkey</command>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet <arg><option>-h</option></arg>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet <arg><option>-V</option></arg>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet </cmdsynopsis>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet </refsynopsisdiv>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet <refsect1>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet <title>DESCRIPTION</title>

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet <para><command>dnssec-dsfromkey</command>

40a5b7189dbbb28e107bf008ee625f2f0142c2ccdgaudet outputs the Delegation Signer (DS) resource record (RR), as defined in

6686c651e8eb6ad762b842ad5139515c8038dd44dgaudet RFC 3658 and RFC 4509, for the given key(s).

6686c651e8eb6ad762b842ad5139515c8038dd44dgaudet </para>

6686c651e8eb6ad762b842ad5139515c8038dd44dgaudet </refsect1>

6686c651e8eb6ad762b842ad5139515c8038dd44dgaudet

6686c651e8eb6ad762b842ad5139515c8038dd44dgaudet <refsect1>

6686c651e8eb6ad762b842ad5139515c8038dd44dgaudet <title>OPTIONS</title>

6686c651e8eb6ad762b842ad5139515c8038dd44dgaudet

8de99b4c89d4ed4292a7dca42dd8a96b9a7c456fdgaudet <variablelist>

0b0a5225c5ed94b9f689839a14842ad4a24215e9dgaudet <varlistentry>

0b0a5225c5ed94b9f689839a14842ad4a24215e9dgaudet <term>-1</term>

0b0a5225c5ed94b9f689839a14842ad4a24215e9dgaudet <listitem>

0b0a5225c5ed94b9f689839a14842ad4a24215e9dgaudet <para>

0b0a5225c5ed94b9f689839a14842ad4a24215e9dgaudet Use SHA-1 as the digest algorithm (the default is to use

f824925ac58ff729289c017235eeb3bdd21ec3a2stoddard both SHA-1 and SHA-256).

f824925ac58ff729289c017235eeb3bdd21ec3a2stoddard </para>

f824925ac58ff729289c017235eeb3bdd21ec3a2stoddard </listitem>

f824925ac58ff729289c017235eeb3bdd21ec3a2stoddard </varlistentry>

2aae6faee508221efbeaba5547ca79b7a20ef047stoddard

2aae6faee508221efbeaba5547ca79b7a20ef047stoddard <varlistentry>

75960f20f88dad6bc67892c711c429946063d133stoddard <term>-2</term>

75960f20f88dad6bc67892c711c429946063d133stoddard <listitem>

75960f20f88dad6bc67892c711c429946063d133stoddard <para>

75960f20f88dad6bc67892c711c429946063d133stoddard Use SHA-256 as the digest algorithm.

a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard </para>

a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard </listitem>

a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard </varlistentry>

a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard

40a5b7189dbbb28e107bf008ee625f2f0142c2ccdgaudet <varlistentry>

40a5b7189dbbb28e107bf008ee625f2f0142c2ccdgaudet <term>-a <replaceable class="parameter">algorithm</replaceable></term>

40a5b7189dbbb28e107bf008ee625f2f0142c2ccdgaudet <listitem>

40a5b7189dbbb28e107bf008ee625f2f0142c2ccdgaudet <para>

a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard Select the digest algorithm. The value of

a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard <option>algorithm</option> must be one of SHA-1 (SHA1),

a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard SHA-256 (SHA256), GOST or SHA-384 (SHA384).

a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard These values are case insensitive.

a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard </para>

56ca30c968906053ae61acb218420667bb58d996rbb </listitem>

56ca30c968906053ae61acb218420667bb58d996rbb </varlistentry>

56ca30c968906053ae61acb218420667bb58d996rbb

56ca30c968906053ae61acb218420667bb58d996rbb <varlistentry>

70f6f32765cfaadd6da8de6f0fea97ddd72d8fadmanoj <term>-C</term>

70f6f32765cfaadd6da8de6f0fea97ddd72d8fadmanoj <listitem>

70f6f32765cfaadd6da8de6f0fea97ddd72d8fadmanoj <para>

56ca30c968906053ae61acb218420667bb58d996rbb Generate CDS records rather than DS records. This is mutually

0bff2f28ef945280c17099c142126178a78e1e54manoj exclusive with generating lookaside records.

0bff2f28ef945280c17099c142126178a78e1e54manoj </para>

0bff2f28ef945280c17099c142126178a78e1e54manoj </listitem>

0bff2f28ef945280c17099c142126178a78e1e54manoj </varlistentry>

9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard

9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard <varlistentry>

9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard <term>-T <replaceable class="parameter">TTL</replaceable></term>

0bff2f28ef945280c17099c142126178a78e1e54manoj <listitem>

0bff2f28ef945280c17099c142126178a78e1e54manoj <para>

0bff2f28ef945280c17099c142126178a78e1e54manoj Specifies the TTL of the DS records.

9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard </para>

75960f20f88dad6bc67892c711c429946063d133stoddard </listitem>

0bff2f28ef945280c17099c142126178a78e1e54manoj </varlistentry>

0bff2f28ef945280c17099c142126178a78e1e54manoj

9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard <varlistentry>

aa1faea36e4ae357bc603a2337b6adc54f5daec1manoj <term>-K <replaceable class="parameter">directory</replaceable></term>

f03d292915be9977eaf74e9be7b0404aec226f84manoj <listitem>

f03d292915be9977eaf74e9be7b0404aec226f84manoj <para>

f03d292915be9977eaf74e9be7b0404aec226f84manoj Look for key files (or, in keyset mode,

3304cbd819df02e7548e9338dc0afa8d3ba29358manoj <filename>keyset-</filename> files) in

f03d292915be9977eaf74e9be7b0404aec226f84manoj <option>directory</option>.

f03d292915be9977eaf74e9be7b0404aec226f84manoj </para>

f03d292915be9977eaf74e9be7b0404aec226f84manoj </listitem>

f03d292915be9977eaf74e9be7b0404aec226f84manoj </varlistentry>

aa1faea36e4ae357bc603a2337b6adc54f5daec1manoj

aa1faea36e4ae357bc603a2337b6adc54f5daec1manoj <varlistentry>

aa1faea36e4ae357bc603a2337b6adc54f5daec1manoj <term>-f <replaceable class="parameter">file</replaceable></term>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <listitem>

302dc1f7b3feee23a91ad8f3cf3cb2edd95a557bmanoj <para>

302dc1f7b3feee23a91ad8f3cf3cb2edd95a557bmanoj Zone file mode: in place of the keyfile name, the argument is

302dc1f7b3feee23a91ad8f3cf3cb2edd95a557bmanoj the DNS domain name of a zone master file, which can be read

302dc1f7b3feee23a91ad8f3cf3cb2edd95a557bmanoj from <option>file</option>. If the zone name is the same as

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <option>file</option>, then it may be omitted.

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </para>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <para>

d5defd5a0c5cdbaf74b85939484dc2b6c8317d19manoj If <option>file</option> is set to <literal>"-"</literal>, then

d5defd5a0c5cdbaf74b85939484dc2b6c8317d19manoj the zone data is read from the standard input. This makes it

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj possible to use the output of the <command>dig</command>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj command as input, as in:

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </para>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <para>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </para>

0bff2f28ef945280c17099c142126178a78e1e54manoj </listitem>

0bff2f28ef945280c17099c142126178a78e1e54manoj </varlistentry>

0bff2f28ef945280c17099c142126178a78e1e54manoj

d6b3cb141f0667101c1bca883ad15b383402c93bfielding <varlistentry>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <term>-A</term>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <listitem>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <para>

40a5b7189dbbb28e107bf008ee625f2f0142c2ccdgaudet Include ZSKs when generating DS records. Without this option,

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj only keys which have the KSK flag set will be converted to DS

dbf0c7bef06259486cd2748a2d0e82f27e099d6efielding records and printed. Useful only in zone file mode.

dbf0c7bef06259486cd2748a2d0e82f27e099d6efielding </para>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </listitem>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </varlistentry>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <varlistentry>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <term>-l <replaceable class="parameter">domain</replaceable></term>

f6a6245816cd866361da8c576b1f47c7a54b6610fanf <listitem>

f6a6245816cd866361da8c576b1f47c7a54b6610fanf <para>

f6a6245816cd866361da8c576b1f47c7a54b6610fanf Generate a DLV set instead of a DS set. The specified

f6a6245816cd866361da8c576b1f47c7a54b6610fanf <option>domain</option> is appended to the name for each

f6a6245816cd866361da8c576b1f47c7a54b6610fanf record in the set.

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj The DNSSEC Lookaside Validation (DLV) RR is described

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj in RFC 4431. This is mutually exclusive with generating

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj CDS records.

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </para>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </listitem>

d6b3cb141f0667101c1bca883ad15b383402c93bfielding </varlistentry>

d6b3cb141f0667101c1bca883ad15b383402c93bfielding

d6b3cb141f0667101c1bca883ad15b383402c93bfielding <varlistentry>

d6b3cb141f0667101c1bca883ad15b383402c93bfielding <term>-s</term>

d6b3cb141f0667101c1bca883ad15b383402c93bfielding <listitem>

d6b3cb141f0667101c1bca883ad15b383402c93bfielding <para>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj Keyset mode: in place of the keyfile name, the argument is

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj the DNS domain name of a keyset file.

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </para>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </listitem>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj </varlistentry>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <varlistentry>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <term>-c <replaceable class="parameter">class</replaceable></term>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <listitem>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj <para>

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj Specifies the DNS class (default is IN). Useful only

2a6c49cfaef5979a5a06098f3ce987cd76769409manoj in keyset or zone file mode.

d6b3cb141f0667101c1bca883ad15b383402c93bfielding </para>

d6b3cb141f0667101c1bca883ad15b383402c93bfielding </listitem>

d6b3cb141f0667101c1bca883ad15b383402c93bfielding </varlistentry>

<varlistentry>

<term>-v <replaceable class="parameter">level</replaceable></term>

<listitem>

<para>

Sets the debugging level.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-h</term>

<listitem>

<para>

Prints usage information.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-V</term>

<listitem>

<para>

Prints version information.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect1>

<refsect1>

<title>EXAMPLE</title>

<para>

To build the SHA-256 DS RR from the

<userinput>Kexample.com.+003+26160</userinput>

keyfile name, the following command would be issued:

</para>

<para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>

</para>

<para>

The command would print something like:

</para>

<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>

</para>

</refsect1>

<refsect1>

<title>FILES</title>

<para>

The keyfile can be designed by the key identification

<filename>Knnnn.+aaa+iiiii</filename> or the full file name

<filename>Knnnn.+aaa+iiiii.key</filename> as generated by

<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.

</para>

<para>

The keyset file name is built from the <option>directory</option>,

the string <filename>keyset-</filename> and the

<option>dnsname</option>.

</para>

</refsect1>

<refsect1>

<title>CAVEAT</title>

<para>

A keyfile error can give a "file not found" even if the file exists.

</para>

</refsect1>

<refsect1>

<title>SEE ALSO</title>

<para><citerefentry>

<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>

</citerefentry>,

<citerefentry>

<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>

</citerefentry>,

<citetitle>BIND 9 Administrator Reference Manual</citetitle>,

<citetitle>RFC 3658</citetitle>,

<citetitle>RFC 4431</citetitle>.

<citetitle>RFC 4509</citetitle>.

</para>

</refsect1>

<refsect1>

<title>AUTHOR</title>

<para><corpauthor>Internet Systems Consortium</corpauthor>

</para>

</refsect1>

</refentry><!--