dnssec-dsfromkey.html revision 163af735c2082a024167be111d27bd5b5ff4f462
2080N/A<!--
2362N/A - Copyright (C) 2008, 2009 Internet Systems Consortium, Inc. ("ISC")
2080N/A -
2080N/A - Permission to use, copy, modify, and/or distribute this software for any
2080N/A - purpose with or without fee is hereby granted, provided that the above
2080N/A - copyright notice and this permission notice appear in all copies.
2362N/A -
2080N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2362N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2080N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2080N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2080N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2080N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2080N/A - PERFORMANCE OF THIS SOFTWARE.
2080N/A-->
2080N/A
2080N/A<!-- $Id: dnssec-dsfromkey.html,v 1.11 2009/08/27 01:14:39 tbox Exp $ -->
2080N/A<html>
2080N/A<head>
2080N/A<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2362N/A<title>dnssec-dsfromkey</title>
2362N/A<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
2362N/A</head>
2080N/A<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
2080N/A<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
2080N/A<div class="refnamediv">
2080N/A<h2>Name</h2>
2080N/A<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
2080N/A</div>
2080N/A<div class="refsynopsisdiv">
2080N/A<h2>Synopsis</h2>
2080N/A<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] {keyfile}</p></div>
2080N/A<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
2080N/A</div>
2080N/A<div class="refsect1" lang="en">
2080N/A<a name="id2543461"></a><h2>DESCRIPTION</h2>
2080N/A<p><span><strong class="command">dnssec-dsfromkey</strong></span>
2080N/A outputs the Delegation Signer (DS) resource record (RR), as defined in
2080N/A RFC 3658 and RFC 4509, for the given key(s).
2472N/A </p>
2080N/A</div>
2080N/A<div class="refsect1" lang="en">
2080N/A<a name="id2543473"></a><h2>OPTIONS</h2>
2080N/A<div class="variablelist"><dl>
2080N/A<dt><span class="term">-1</span></dt>
2080N/A<dd><p>
2080N/A Use SHA-1 as the digest algorithm (the default is to use
2080N/A both SHA-1 and SHA-256).
2080N/A </p></dd>
2080N/A<dt><span class="term">-2</span></dt>
2080N/A<dd><p>
2080N/A Use SHA-256 as the digest algorithm.
2080N/A </p></dd>
2080N/A<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
2080N/A<dd><p>
2080N/A Select the digest algorithm. The value of
2080N/A <code class="option">algorithm</code> must be one of SHA-1 (SHA1) or
2080N/A SHA-256 (SHA256). These values are case insensitive.
2080N/A </p></dd>
2080N/A<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
2608N/A<dd><p>
2608N/A Look for key files (or, in keyset mode,
2608N/A <code class="filename">keyset-</code> files) in
2608N/A <code class="option">directory</code>.
2608N/A </p></dd>
2608N/A<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
2608N/A<dd><p>
2608N/A Zone file mode: in place of the keyfile name, the argument is
2608N/A the DNS domain name of a zone master file, which can be read
2608N/A from <code class="option">file</code>. If the zone name is the same as
2608N/A <code class="option">file</code>, then it may be omitted.
2608N/A </p></dd>
2608N/A<dt><span class="term">-A</span></dt>
2608N/A<dd><p>
2608N/A Include ZSK's when generating DS records. Without this option,
2608N/A only keys which have the KSK flag set will be converted to DS
2608N/A records and printed. Useful only in zone file mode.
2608N/A </p></dd>
2608N/A<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
2080N/A<dd><p>
2080N/A Generate a DLV set instead of a DS set. The specified
2080N/A <code class="option">domain</code> is appended to the name for each
2080N/A record in the set.
2080N/A The DNSSEC Lookaside Validation (DLV) RR is described
2080N/A in RFC 4431.
2080N/A </p></dd>
2080N/A<dt><span class="term">-s</span></dt>
2080N/A<dd><p>
2080N/A Keyset mode: in place of the keyfile name, the argument is
2080N/A the DNS domain name of a keyset file.
2080N/A </p></dd>
2080N/A<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
2080N/A<dd><p>
2080N/A Specifies the DNS class (default is IN). Useful only
2080N/A in keyset or zone file mode.
2080N/A </p></dd>
2080N/A<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
2080N/A<dd><p>
2080N/A Sets the debugging level.
2080N/A </p></dd>
2080N/A</dl></div>
2080N/A</div>
2080N/A<div class="refsect1" lang="en">
2080N/A<a name="id2543659"></a><h2>EXAMPLE</h2>
2080N/A<p>
2080N/A To build the SHA-256 DS RR from the
2080N/A <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
2080N/A keyfile name, the following command would be issued:
2080N/A </p>
2080N/A<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
2080N/A </p>
2080N/A<p>
2080N/A The command would print something like:
2080N/A </p>
2246N/A<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
2246N/A </p>
2246N/A</div>
2080N/A<div class="refsect1" lang="en">
2080N/A<a name="id2543689"></a><h2>FILES</h2>
2080N/A<p>
2080N/A The keyfile can be designed by the key identification
2080N/A <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
2080N/A <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
2080N/A <span class="refentrytitle">dnssec-keygen</span>(8).
2080N/A </p>
2080N/A<p>
2080N/A The keyset file name is built from the <code class="option">directory</code>,
2080N/A the string <code class="filename">keyset-</code> and the
2080N/A <code class="option">dnsname</code>.
2080N/A </p>
2080N/A</div>
2080N/A<div class="refsect1" lang="en">
2080N/A<a name="id2543724"></a><h2>CAVEAT</h2>
<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543734"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em>,
<em class="citetitle">RFC 4431</em>.
<em class="citetitle">RFC 4509</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2543773"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div></body>
</html>