dnssec-dsfromkey.html revision 163af735c2082a024167be111d27bd5b5ff4f462
Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-dsfromkey.html,v 1.11 2009/08/27 01:14:39 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<a name="id2543461"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
 outputs the Delegation Signer (DS) resource record (RR), as defined in
 RFC 3658 and RFC 4509, for the given key(s).</p>
<dt><span class="term">-1</span></dt>
 Use SHA-1 as the digest algorithm (the default is to use
 both SHA-1 and SHA-256).
<dt><span class="term">-2</span></dt>
 Use SHA-256 as the digest algorithm.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Select the digest algorithm. The value of
 <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
 SHA-256 (SHA256). These values are case insensitive.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Look for key files (or, in keyset mode,
 <code class="filename">keyset-</code> files) in
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 Zone file mode: in place of the keyfile name, the argument is
 the DNS domain name of a zone master file, which can be read
 from <code class="option">file</code>. If the zone name is the same as
 <code class="option">file</code>, then it may be omitted.
<dt><span class="term">-A</span></dt>
 Include ZSKs when generating DS records. Without this option,
 only keys which have the KSK flag set will be converted to DS
 records and printed. Useful only in zone file mode.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 Generate a DLV set instead of a DS set. The specified
 <code class="option">domain</code> is appended to the name for each
 record in the set.
 The DNSSEC Lookaside Validation (DLV) RR is described
<dt><span class="term">-s</span></dt>
 Keyset mode: in place of the keyfile name, the argument is
 the DNS domain name of a keyset file.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Specifies the DNS class (default is IN). Useful only
 in keyset or zone file mode.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
 To build the SHA-256 DS RR from the
 <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 keyfile name, the following command would be issued:
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong></p>
 The command would print something like:
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong></p>
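<p>Added example (not from the original manual page or from BIND's source): a DS record carries the key tag, the key algorithm, the digest type and a digest taken over the key's owner name in wire form followed by the DNSKEY RDATA, so a DS record handed to the parent zone can be recomputed and checked against the key file. The function names, the <code>include_zsk</code> parameter (modelled on the ZSK option in zone file mode) and the sample key are assumptions made for this example; the sample key is constructed and is not a usable key.</p>

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types: SHA-1, SHA-256

def name_to_wire(name):
    """Canonical (lower-case) wire form of an absolute owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def parse_dnskey(line):
    """Split one .key-file line into (owner, flags, protocol, algorithm, key bytes)."""
    fields = line.split(";")[0].split()
    i = fields.index("DNSKEY")  # tolerates an optional TTL and class before the type
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    return fields[0], flags, proto, alg, base64.b64decode("".join(fields[i + 4:]))

def key_tag(rdata):
    """Key tag: 16-bit checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_fields(line, digest_type=2):
    """Return (key tag, algorithm, digest type, upper-case hex digest)."""
    owner, flags, proto, alg, key = parse_dnskey(line)
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest

def ds_from_dnskey(line, digest_type=2, include_zsk=False):
    """DS record text, or None for a key without the KSK flag unless include_zsk."""
    owner, flags = parse_dnskey(line)[:2]
    if not (flags & 0x0001) and not include_zsk:  # lowest flag bit (SEP) marks a KSK
        return None
    tag, alg, dtype, digest = ds_fields(line, digest_type)
    return f"{owner} IN DS {tag} {alg} {dtype} {digest}"

def ds_matches(dnskey_line, ds_line):
    """True if a published DS record was derived from this DNSKEY."""
    f = ds_line.split()
    i = f.index("DS")
    tag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    published = (tag, alg, dtype, "".join(f[i + 4:]).upper())  # digest may be split
    return ds_fields(dnskey_line, dtype) == published

# Constructed sample key (not a usable key): flags 257, protocol 3, algorithm 8.
SAMPLE_KEY = "example.com. IN DNSKEY 257 3 8 AQID BA=="
```

<p><code>ds_matches</code> accepts a digest printed in space-separated groups, as in the output shown above.</p>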
 The keyfile can be designated by the key identification
 <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
 <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
 <span class="refentrytitle">dnssec-keygen</span>(8).
 The keyset file name is built from the <code class="option">directory</code>,
 the string <code class="filename">keyset-</code> and the
 A keyfile error can give a "file not found" even if the file exists.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>