bin/dnssec/dnssec-dsfromkey.html

	dnssec-dsfromkey.html revision 5347c0fcb04eaea19d9f39795646239f487c6207
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj<!--
fb777d35fc4730c312e161b3d803ae32700f6ca7sascha - Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj -
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj - This Source Code Form is subject to the terms of the Mozilla Public
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj - License, v. 2.0. If a copy of the MPL was not distributed with this
09bd86d0db1114ee23eda0a6eb76ca055877a1cftrawick - file, You can obtain one at http://mozilla.org/MPL/2.0/.
09bd86d0db1114ee23eda0a6eb76ca055877a1cftrawick-->
2deb319e6b3de239f45c16a3e9e836d44f1f7108rbb<html>
bd929c73ef04789b7183b840d8db6e01d03a4d86rbb<head>
70f6f32765cfaadd6da8de6f0fea97ddd72d8fadmanoj<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj<title>dnssec-dsfromkey</title>
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
e3838a090d22197ee5f0d2c10b5a3d5e6f550f6erbb</head>
e3838a090d22197ee5f0d2c10b5a3d5e6f550f6erbb<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
91a71946d0fb28c0866139edef3dd59f36ba5b9cstoddard<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
91a71946d0fb28c0866139edef3dd59f36ba5b9cstoddard<div class="refnamediv">
91a71946d0fb28c0866139edef3dd59f36ba5b9cstoddard<h2>Name</h2>
91a71946d0fb28c0866139edef3dd59f36ba5b9cstoddard<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
91a71946d0fb28c0866139edef3dd59f36ba5b9cstoddard</div>
bd929c73ef04789b7183b840d8db6e01d03a4d86rbb<div class="refsynopsisdiv">
bd929c73ef04789b7183b840d8db6e01d03a4d86rbb<h2>Synopsis</h2>
bd929c73ef04789b7183b840d8db6e01d03a4d86rbb<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-C</code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
bd929c73ef04789b7183b840d8db6e01d03a4d86rbb<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
632b0b53511f3bb9c32aa2869fbc73ee35081b38rbb<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
632b0b53511f3bb9c32aa2869fbc73ee35081b38rbb</div>
632b0b53511f3bb9c32aa2869fbc73ee35081b38rbb<div class="refsection">
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein<a name="id-1.7"></a><h2>DESCRIPTION</h2>
f6a6245816cd866361da8c576b1f47c7a54b6610fanf<p><span class="command"><strong>dnssec-dsfromkey</strong></span>
b7663b97a437dc089ac7a1a9ebd42e0c372a48b6gstein      outputs the Delegation Signer (DS) resource record (RR), as defined in
b7663b97a437dc089ac7a1a9ebd42e0c372a48b6gstein      RFC 3658 and RFC 4509, for the given key(s).
b7663b97a437dc089ac7a1a9ebd42e0c372a48b6gstein    </p>
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein</div>
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein<div class="refsection">
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein<a name="id-1.8"></a><h2>OPTIONS</h2>
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein<div class="variablelist"><dl class="variablelist">
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein<dt><span class="term">-1</span></dt>
b7663b97a437dc089ac7a1a9ebd42e0c372a48b6gstein<dd><p>
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj        Use SHA-1 as the digest algorithm (the default is to use
369edcdd0a9c5516c61e736ec2a6fc8fb0d92fe2manoj        both SHA-1 and SHA-256).
369edcdd0a9c5516c61e736ec2a6fc8fb0d92fe2manoj      </p></dd>
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj<dt><span class="term">-2</span></dt>
85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddard<dd><p>
85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddard        Use SHA-256 as the digest algorithm.
85cbdc16ac57fa68ce1358a308269abcd417f4d9stoddard      </p></dd>
d208bda4a893cc81ed5d3ed1cdd7d706e012bd42stoddard<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
d208bda4a893cc81ed5d3ed1cdd7d706e012bd42stoddard<dd><p>
d208bda4a893cc81ed5d3ed1cdd7d706e012bd42stoddard        Select the digest algorithm. The value of
d208bda4a893cc81ed5d3ed1cdd7d706e012bd42stoddard        <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
10b386767f6c87b45937244371cb751f0b454d16wrowe        SHA-256 (SHA256), GOST or SHA-384 (SHA384).
10b386767f6c87b45937244371cb751f0b454d16wrowe        These values are case insensitive.
75960f20f88dad6bc67892c711c429946063d133stoddard      </p></dd>
75960f20f88dad6bc67892c711c429946063d133stoddard<dt><span class="term">-C</span></dt>
75960f20f88dad6bc67892c711c429946063d133stoddard<dd><p>
75960f20f88dad6bc67892c711c429946063d133stoddard        Generate CDS records rather than DS records.  This is mutually
75960f20f88dad6bc67892c711c429946063d133stoddard        exclusive with generating lookaside records.
75960f20f88dad6bc67892c711c429946063d133stoddard      </p></dd>
75960f20f88dad6bc67892c711c429946063d133stoddard<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
10b386767f6c87b45937244371cb751f0b454d16wrowe<dd><p>
10b386767f6c87b45937244371cb751f0b454d16wrowe        Specifies the TTL of the DS records.
10b386767f6c87b45937244371cb751f0b454d16wrowe      </p></dd>
10b386767f6c87b45937244371cb751f0b454d16wrowe<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
10b386767f6c87b45937244371cb751f0b454d16wrowe<dd><p>
10b386767f6c87b45937244371cb751f0b454d16wrowe        Look for key files (or, in keyset mode,
10b386767f6c87b45937244371cb751f0b454d16wrowe        <code class="filename">keyset-</code> files) in
10b386767f6c87b45937244371cb751f0b454d16wrowe        <code class="option">directory</code>.
10b386767f6c87b45937244371cb751f0b454d16wrowe      </p></dd>
10b386767f6c87b45937244371cb751f0b454d16wrowe<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
10b386767f6c87b45937244371cb751f0b454d16wrowe<dd>
a9e07e4f90adcc7bc768db3055431c3dcd560cd1manoj<p>
f6a6245816cd866361da8c576b1f47c7a54b6610fanf        Zone file mode: in place of the keyfile name, the argument is
f6a6245816cd866361da8c576b1f47c7a54b6610fanf        the DNS domain name of a zone master file, which can be read
97b758d0b174d7b7c5a1de1a583f5840ec3fc910trawick        from <code class="option">file</code>.  If the zone name is the same as
db3ccce11afac4fc1d4f51a65424412f7480c46cgstein        <code class="option">file</code>, then it may be omitted.
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj      </p>
8bed76428f56e5c643174a2d6807c3f18016af5cbjh<p>
8bed76428f56e5c643174a2d6807c3f18016af5cbjh        If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
8bed76428f56e5c643174a2d6807c3f18016af5cbjh        the zone data is read from the standard input.  This makes it
8bed76428f56e5c643174a2d6807c3f18016af5cbjh        possible to use the output of the <span class="command"><strong>dig</strong></span>
8bed76428f56e5c643174a2d6807c3f18016af5cbjh        command as input, as in:
cfc020d6d6fc9b31d8945915e65a8787a796eb73stoddard      </p>
cfc020d6d6fc9b31d8945915e65a8787a796eb73stoddard<p>
cfc020d6d6fc9b31d8945915e65a8787a796eb73stoddard        <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
f824925ac58ff729289c017235eeb3bdd21ec3a2stoddard      </p>
f824925ac58ff729289c017235eeb3bdd21ec3a2stoddard</dd>
f824925ac58ff729289c017235eeb3bdd21ec3a2stoddard<dt><span class="term">-A</span></dt>
f824925ac58ff729289c017235eeb3bdd21ec3a2stoddard<dd><p>
2aae6faee508221efbeaba5547ca79b7a20ef047stoddard            Include ZSKs when generating DS records.  Without this option,
2aae6faee508221efbeaba5547ca79b7a20ef047stoddard            only keys which have the KSK flag set will be converted to DS
10b386767f6c87b45937244371cb751f0b454d16wrowe            records and printed.  Useful only in zone file mode.
10b386767f6c87b45937244371cb751f0b454d16wrowe          </p></dd>
10b386767f6c87b45937244371cb751f0b454d16wrowe<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
10b386767f6c87b45937244371cb751f0b454d16wrowe<dd><p>
10b386767f6c87b45937244371cb751f0b454d16wrowe        Generate a DLV set instead of a DS set.  The specified
10b386767f6c87b45937244371cb751f0b454d16wrowe        <code class="option">domain</code> is appended to the name for each
10b386767f6c87b45937244371cb751f0b454d16wrowe        record in the set.
10b386767f6c87b45937244371cb751f0b454d16wrowe        The DNSSEC Lookaside Validation (DLV) RR is described
75960f20f88dad6bc67892c711c429946063d133stoddard        in RFC 4431.  This is mutually exclusive with generating
a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard        CDS records.
a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard      </p></dd>
a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard<dt><span class="term">-s</span></dt>
a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard<dd><p>
a5ed555df952c85bc1b179f5981e8a6c54ba16e6stoddard        Keyset mode: in place of the keyfile name, the argument is
56ca30c968906053ae61acb218420667bb58d996rbb        the DNS domain name of a keyset file.
56ca30c968906053ae61acb218420667bb58d996rbb      </p></dd>
56ca30c968906053ae61acb218420667bb58d996rbb<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
56ca30c968906053ae61acb218420667bb58d996rbb<dd><p>
70f6f32765cfaadd6da8de6f0fea97ddd72d8fadmanoj        Specifies the DNS class (default is IN).  Useful only
70f6f32765cfaadd6da8de6f0fea97ddd72d8fadmanoj        in keyset or zone file mode.
70f6f32765cfaadd6da8de6f0fea97ddd72d8fadmanoj      </p></dd>
56ca30c968906053ae61acb218420667bb58d996rbb<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
0bff2f28ef945280c17099c142126178a78e1e54manoj<dd><p>
0bff2f28ef945280c17099c142126178a78e1e54manoj        Sets the debugging level.
0bff2f28ef945280c17099c142126178a78e1e54manoj      </p></dd>
1e585ba09ea32272e63c4c39c35491e975d21d98stoddard<dt><span class="term">-h</span></dt>
1e585ba09ea32272e63c4c39c35491e975d21d98stoddard<dd><p>
1e585ba09ea32272e63c4c39c35491e975d21d98stoddard        Prints usage information.
1e585ba09ea32272e63c4c39c35491e975d21d98stoddard      </p></dd>
1e585ba09ea32272e63c4c39c35491e975d21d98stoddard<dt><span class="term">-V</span></dt>
1e585ba09ea32272e63c4c39c35491e975d21d98stoddard<dd><p>
1e585ba09ea32272e63c4c39c35491e975d21d98stoddard        Prints version information.
9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard      </p></dd>
9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard</dl></div>
9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard</div>
0bff2f28ef945280c17099c142126178a78e1e54manoj<div class="refsection">
0bff2f28ef945280c17099c142126178a78e1e54manoj<a name="id-1.9"></a><h2>EXAMPLE</h2>
0bff2f28ef945280c17099c142126178a78e1e54manoj<p>
9c09943bad734ebd5c7cc10bd6d63b75c4c6e056stoddard      To build the SHA-256 DS RR from the
75960f20f88dad6bc67892c711c429946063d133stoddard      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
1e585ba09ea32272e63c4c39c35491e975d21d98stoddard      keyfile name, the following command would be issued:
f03d292915be9977eaf74e9be7b0404aec226f84manoj    </p>
aa1faea36e4ae357bc603a2337b6adc54f5daec1manoj<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
bd929c73ef04789b7183b840d8db6e01d03a4d86rbb    </p>
2a6c49cfaef5979a5a06098f3ce987cd76769409manoj<p>
302dc1f7b3feee23a91ad8f3cf3cb2edd95a557bmanoj      The command would print something like:
302dc1f7b3feee23a91ad8f3cf3cb2edd95a557bmanoj    </p>
302dc1f7b3feee23a91ad8f3cf3cb2edd95a557bmanoj<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
302dc1f7b3feee23a91ad8f3cf3cb2edd95a557bmanoj    </p>
ff849e4163ed879288f0df15f78b6c9d278ec804fanf</div>
ff849e4163ed879288f0df15f78b6c9d278ec804fanf<div class="refsection">
9805ac88e1befa6dea11d8513023f150d8f8e807fanf<a name="id-1.10"></a><h2>FILES</h2>
9805ac88e1befa6dea11d8513023f150d8f8e807fanf<p>
9805ac88e1befa6dea11d8513023f150d8f8e807fanf      The keyfile can be designed by the key identification
9805ac88e1befa6dea11d8513023f150d8f8e807fanf      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
df4a7c143b27b489dd2d865bb3f6668c8420b3a9fanf      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
c03566fa0156d3a1500a42e4fe539e3e0fc8a11dgstein      <span class="refentrytitle">dnssec-keygen</span>(8).
c03566fa0156d3a1500a42e4fe539e3e0fc8a11dgstein    </p>
c03566fa0156d3a1500a42e4fe539e3e0fc8a11dgstein<p>
c03566fa0156d3a1500a42e4fe539e3e0fc8a11dgstein      The keyset file name is built from the <code class="option">directory</code>,
c03566fa0156d3a1500a42e4fe539e3e0fc8a11dgstein      the string <code class="filename">keyset-</code> and the
c03566fa0156d3a1500a42e4fe539e3e0fc8a11dgstein      <code class="option">dnsname</code>.
c03566fa0156d3a1500a42e4fe539e3e0fc8a11dgstein    </p>
db3ccce11afac4fc1d4f51a65424412f7480c46cgstein</div>
db3ccce11afac4fc1d4f51a65424412f7480c46cgstein<div class="refsection">
db3ccce11afac4fc1d4f51a65424412f7480c46cgstein<a name="id-1.11"></a><h2>CAVEAT</h2>
db3ccce11afac4fc1d4f51a65424412f7480c46cgstein<p>
93c5cba06b623ebe8e4372e886eece12d9a80c3egstein      A keyfile error can give a "file not found" even if the file exists.
93c5cba06b623ebe8e4372e886eece12d9a80c3egstein    </p>
93c5cba06b623ebe8e4372e886eece12d9a80c3egstein</div>
93c5cba06b623ebe8e4372e886eece12d9a80c3egstein<div class="refsection">
93c5cba06b623ebe8e4372e886eece12d9a80c3egstein<a name="id-1.12"></a><h2>SEE ALSO</h2>
93c5cba06b623ebe8e4372e886eece12d9a80c3egstein<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
6fa71a1bd8c61518b05f5798a7a1594c270e78afrbb      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
93c5cba06b623ebe8e4372e886eece12d9a80c3egstein      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
be386cf0beed1c3331e47f0736d92b9744a21f3agstein      <em class="citetitle">RFC 3658</em>,
be386cf0beed1c3331e47f0736d92b9744a21f3agstein      <em class="citetitle">RFC 4431</em>.
be386cf0beed1c3331e47f0736d92b9744a21f3agstein      <em class="citetitle">RFC 4509</em>.
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein    </p>
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein</div>
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein</div></body>
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein</html>
14cccaddba3a9263cf0d0ddc311e18f3e3dc9b0fgstein