dnssec-dsfromkey.html revision 9d557856c2a19ec95ee73245f60a92f8675cf5ba
Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")

Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.

THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-C</code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
<p><span class="command"><strong>dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s). A DS record carries a digest
of a child zone's DNSKEY and is published in the parent zone; it is the
link in the DNSSEC chain of trust from the parent to the child, so the
records this tool prints are what the parent (usually via a registrar)
must be asked to install.</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256). Note that SHA-1 (digest type 1) is
deprecated for new DS records by RFC 8624, although validators
must still accept it; prefer SHA-256 for new delegations.
<dt><span class="term">-2</span></dt>
Use SHA-256 as the digest algorithm.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
<dt><span class="term">-C</span></dt>
Generate CDS records rather than DS records. A CDS record
(RFC 7344) is published in the child zone itself to signal to the
parent which DS records it should install. This is mutually
exclusive with generating lookaside records.
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
Specifies the TTL of the DS records.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Look for key files (or, in keyset mode,
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
Note that a DNSKEY RRset fetched this way is not authenticated; before
publishing the resulting DS records in the parent zone, confirm the
key tags against the zone operator's own key files.
<dt><span class="term">-A</span></dt>
Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records. The ISC DLV registry was retired in 2017, so this
mode is now mainly of historical interest.
<dt><span class="term">-s</span></dt>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
<dt><span class="term">-h</span></dt>
Prints usage information.
<dt><span class="term">-V</span></dt>
Prints version information.
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+005+26160</code></strong>
keyfile name, the following command would be issued:
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+005+26160</code></strong></p>
The command would print something like:
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong></p>
The RDATA fields are the key tag (26160), the DNSKEY algorithm number
(5, RSASHA1, which must match the algorithm number in the key file name),
the digest type (2, SHA-256) and the digest itself.
The keyfile can be specified by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> (zone name, algorithm
number and key id) or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
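<p>As an added worked example (it is not part of BIND or of this manual page), the following Python script performs the same derivation the tool does in zone file mode: it parses DNSKEY lines in the layout <span class="command"><strong>dig</strong></span> prints, computes the RFC 4034 Appendix B key tag, hashes the owner name in canonical wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4), and emits DS records for SHA-1 and SHA-256 by default, KSKs only unless the <code class="option">-A</code> equivalent is requested. The sample input and the short base64 "public keys" are constructed placeholders, not real keys, and the parser assumes one RR per line with an explicit owner name. It is useful for checking independently that a DS record published at the parent really matches the DNSKEY the child serves.</p>

```python
"""Derive DS records from DNSKEY RRs the way dnssec-dsfromkey does.

Added example, not BIND code.  The digest input is the owner name in
canonical wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4);
the key tag is the RFC 4034 Appendix B checksum.  Parsing accepts zone-file
and dig-style DNSKEY lines, one RR per line, each with an explicit owner.
"""
import base64
import hashlib
import struct

# DS digest type number (RFC 4034, RFC 4509, RFC 6605) -> hash constructor.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # DNSKEY flag bit marking a KSK; without -A only these are converted

# Constructed sample in dig(1) answer-section layout.  The base64 "public
# keys" are placeholder bytes, not real RSA keys.  The RRSIG line is present
# to show that a type-covered field reading DNSKEY must not be parsed as a key.
SAMPLE_DIG_OUTPUT = """\
;; ANSWER SECTION:
example.com.  3600  IN  DNSKEY  257 3 8 AwEAAQ==
example.com.  3600  IN  DNSKEY  256 3 8 AQAB
example.com.  3600  IN  RRSIG   DNSKEY 8 2 3600 20150101000000 20141201000000 1803 example.com. c2lnbmF0dXJl
"""


def canonical_wire_name(name):
    """Owner name in DNS wire format with labels lowercased (RFC 4034 section 6.2)."""
    wire = b""
    stripped = name.lower().rstrip(".")
    if stripped:
        for label in stripped.split("."):
            raw = label.encode("ascii")
            if not 1 <= len(raw) <= 63:
                raise ValueError("bad label in %r" % name)
            wire += bytes([len(raw)]) + raw
    return wire + b"\x00"  # root label terminates the name


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """RFC 4034 Appendix B key tag (obsolete algorithm 1 RSA/MD5 used a different rule)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """Uppercase hex digest over canonical owner name || DNSKEY RDATA."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError("unsupported DS digest type %d" % digest_type)
    return DIGEST_TYPES[digest_type](canonical_wire_name(owner) + rdata).hexdigest().upper()


def ds_record(owner, flags, protocol, algorithm, pubkey, digest_type=2, ttl=None):
    """Presentation-format DS RR as dnssec-dsfromkey prints it (-T adds the TTL)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    name = owner.lower().rstrip(".") + "."
    ttl_field = "" if ttl is None else "%d " % ttl
    return "%s %sIN DS %d %d %d %s" % (
        name, ttl_field, key_tag(rdata), algorithm, digest_type,
        ds_digest(owner, rdata, digest_type))


def parse_dnskey_lines(text):
    """Yield (owner, flags, protocol, algorithm, pubkey) for each DNSKEY line.

    Comments (';') and other RR types are skipped; TTL and class are
    optional, as they are in both zone files and dig output.
    """
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if not fields:
            continue
        owner, rest = fields[0], fields[1:]
        if rest and rest[0].isdigit():                       # optional TTL
            rest = rest[1:]
        if rest and rest[0].upper() in ("IN", "CH", "HS"):  # optional class
            rest = rest[1:]
        if len(rest) < 5 or rest[0].upper() != "DNSKEY":
            continue  # e.g. an RRSIG whose type-covered field says DNSKEY
        flags, protocol, algorithm = (int(x) for x in rest[1:4])
        pubkey = base64.b64decode("".join(rest[4:]))  # base64 may span fields
        yield owner, flags, protocol, algorithm, pubkey


def ds_set_from_text(text, digest_types=(1, 2), include_zsk=False, ttl=None):
    """Mirror 'dnssec-dsfromkey -f -': KSKs only unless include_zsk (-A);
    the default digest set is SHA-1 plus SHA-256, like the tool's default."""
    records = []
    for owner, flags, protocol, algorithm, pubkey in parse_dnskey_lines(text):
        if not include_zsk and not flags & SEP_FLAG:
            continue
        for digest_type in digest_types:
            records.append(ds_record(owner, flags, protocol, algorithm,
                                     pubkey, digest_type, ttl))
    return records


if __name__ == "__main__":
    for record in ds_set_from_text(SAMPLE_DIG_OUTPUT):
        print(record)
```

<p>Run as-is it prints two DS records (SHA-1 and SHA-256) for the KSK with key tag 1803 and ignores the ZSK, just as the tool does without <code class="option">-A</code>; pass <code class="literal">include_zsk=True</code> to get the ZSK's DS as well. To compare against a real deployment, feed it the output of <code class="literal">dig +norecurse dnskey <em class="replaceable"><code>zone</code></em> @<em class="replaceable"><code>authoritative-server</code></em></code> and check the digests against the DS set the parent serves.</p>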
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
A keyfile error can give a "file not found" even if the file exists.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,