1008N/A<!
DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 1008N/A [<!ENTITY mdash "—">]>
1008N/A - Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC") 1008N/A - Permission to use, copy, modify, and/or distribute this software for any 1008N/A - purpose with or without fee is hereby granted, provided that the above 1008N/A - copyright notice and this permission notice appear in all copies. 1008N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 1008N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 1008N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 1008N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 1008N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 1008N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 1008N/A - PERFORMANCE OF THIS SOFTWARE. 1008N/A <
refentrytitle><
application>dnssec-dsfromkey</
application></
refentrytitle>
1008N/A <
refmiscinfo>BIND9</
refmiscinfo>
1008N/A <
refname><
application>dnssec-dsfromkey</
application></
refname>
1008N/A <
refpurpose>DNSSEC DS RR generation tool</
refpurpose>
1008N/A <
holder>Internet Systems Consortium, Inc. ("ISC")</
holder>
1008N/A <
command>dnssec-dsfromkey</
command>
1008N/A <
arg><
option>-v <
replaceable class="parameter">level</
replaceable></
option></
arg>
1008N/A <
arg><
option>-1</
option></
arg>
1008N/A <
arg><
option>-2</
option></
arg>
1008N/A <
arg><
option>-a <
replaceable class="parameter">alg</
replaceable></
option></
arg>
1008N/A <
arg><
option>-C</
option></
arg>
1008N/A <
arg><
option>-l <
replaceable class="parameter">domain</
replaceable></
option></
arg>
1008N/A <
arg><
option>-T <
replaceable class="parameter">TTL</
replaceable></
option></
arg>
1008N/A <
arg choice="req">keyfile</
arg>
1008N/A <
command>dnssec-dsfromkey</
command>
1008N/A <
arg><
option>-1</
option></
arg>
1008N/A <
arg><
option>-2</
option></
arg>
1008N/A <
arg><
option>-a <
replaceable class="parameter">alg</
replaceable></
option></
arg>
1008N/A <
arg><
option>-K <
replaceable class="parameter">directory</
replaceable></
option></
arg>
1008N/A <
arg><
option>-l <
replaceable class="parameter">domain</
replaceable></
option></
arg>
1008N/A <
arg><
option>-s</
option></
arg>
1008N/A <
arg><
option>-c <
replaceable class="parameter">class</
replaceable></
option></
arg>
1008N/A <
arg><
option>-T <
replaceable class="parameter">TTL</
replaceable></
option></
arg>
1008N/A <
arg><
option>-f <
replaceable class="parameter">file</
replaceable></
option></
arg>
1008N/A <
arg><
option>-A</
option></
arg>
1008N/A <
arg><
option>-v <
replaceable class="parameter">level</
replaceable></
option></
arg>
1008N/A <
arg choice="req">dnsname</
arg>
1008N/A <
command>dnssec-dsfromkey</
command>
1008N/A <
arg><
option>-h</
option></
arg>
1008N/A <
arg><
option>-V</
option></
arg>
1008N/A <
para><
command>dnssec-dsfromkey</
command>
1008N/A outputs the Delegation Signer (DS) resource record (RR), as defined in
1008N/A RFC 3658 and RFC 4509, for the given key(s).
1008N/A Use SHA-1 as the digest algorithm (the default is to use
1008N/A Use SHA-256 as the digest algorithm.
1008N/A <
term>-a <
replaceable class="parameter">algorithm</
replaceable></
term>
1008N/A Select the digest algorithm. The value of
1008N/A <
option>algorithm</
option> must be one of SHA-1 (SHA1),
1008N/A SHA-256 (SHA256), GOST or SHA-384 (SHA384).
1008N/A These values are case insensitive.
1008N/A Generate CDS records rather than DS records. This is mutually
1008N/A exclusive with generating lookaside records.
1008N/A <
term>-T <
replaceable class="parameter">TTL</
replaceable></
term>
1008N/A Specifies the TTL of the DS records.
1008N/A <
term>-K <
replaceable class="parameter">directory</
replaceable></
term>
1008N/A Look for key files (or, in keyset mode,
1008N/A <
filename>keyset-</
filename> files) in
1008N/A <
option>directory</
option>.
1008N/A <
term>-f <
replaceable class="parameter">file</
replaceable></
term>
1008N/A Zone file mode: in place of the keyfile name, the argument is
1008N/A the DNS domain name of a zone master file, which can be read
1008N/A from <
option>file</
option>. If the zone name is the same as
1008N/A <
option>file</
option>, then it may be omitted.
1008N/A If <
option>file</
option> is set to <
literal>"-"</
literal>, then
1008N/A the zone data is read from the standard input. This makes it
1008N/A possible to use the output of the <
command>dig</
command>
1008N/A Include ZSKs when generating DS records. Without this option,
1008N/A only keys which have the KSK flag set will be converted to DS
1008N/A records and printed. Useful only in zone file mode.
1008N/A <
term>-l <
replaceable class="parameter">domain</
replaceable></
term>
1008N/A Generate a DLV set instead of a DS set. The specified
1008N/A <
option>domain</
option> is appended to the name for each
1008N/A The DNSSEC Lookaside Validation (DLV) RR is described
1008N/A in RFC 4431. This is mutually exclusive with generating
1008N/A Keyset mode: in place of the keyfile name, the argument is
1008N/A the DNS domain name of a keyset file.
1008N/A <
term>-c <
replaceable class="parameter">class</
replaceable></
term>
1008N/A Specifies the DNS class (default is IN). Useful only
1008N/A in keyset or zone file mode.
1008N/A <
term>-v <
replaceable class="parameter">level</
replaceable></
term>
1008N/A Prints version information.
1008N/A To build the SHA-256 DS RR from the
1008N/A keyfile name, the following command would be issued:
1008N/A The command would print something like:
1008N/A <
para><
userinput>
example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</
userinput>
1008N/A The keyfile can be designed by the key identification
1008N/A <
filename>Knnnn.+aaa+iiiii</
filename> or the full file name
1008N/A <
refentrytitle>dnssec-keygen</
refentrytitle><
manvolnum>8</
manvolnum>.
1008N/A The keyset file name is built from the <
option>directory</
option>,
1008N/A the string <
filename>keyset-</
filename> and the
1008N/A A keyfile error can give a "file not found" even if the file exists.
1008N/A <
refentrytitle>dnssec-keygen</
refentrytitle><
manvolnum>8</
manvolnum>
1008N/A <
refentrytitle>dnssec-signzone</
refentrytitle><
manvolnum>8</
manvolnum>
1008N/A <
citetitle>BIND 9 Administrator Reference Manual</
citetitle>,
1008N/A <
citetitle>RFC 3658</
citetitle>,
1008N/A <
citetitle>RFC 4431</
citetitle>.
1008N/A <
citetitle>RFC 4509</
citetitle>.
1008N/A <
para><
corpauthor>Internet Systems Consortium</
corpauthor>