5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<html lang="en">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<head>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<title>dnssec-dsfromkey</title>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</head>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>

e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<div class="refnamediv">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<h2>Name</h2>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="refsynopsisdiv">

e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<h2>Synopsis</h2>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-C</code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="refsection">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="id-1.7"></a><h2>DESCRIPTION</h2>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p><span class="command"><strong>dnssec-dsfromkey</strong></span>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews outputs the Delegation Signer (DS) resource record (RR), as defined in

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews RFC 3658 and RFC 4509, for the given key(s).

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="refsection">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="id-1.8"></a><h2>OPTIONS</h2>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="variablelist"><dl class="variablelist">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-1</span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Use SHA-1 as the digest algorithm (the default is to use

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews both SHA-1 and SHA-256).

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-2</span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Use SHA-256 as the digest algorithm.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Select the digest algorithm. The value of

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="option">algorithm</code> must be one of SHA-1 (SHA1),

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews SHA-256 (SHA256), GOST or SHA-384 (SHA384).

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews These values are case insensitive.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<dt><span class="term">-C</span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Generate CDS records rather than DS records. This is mutually

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews exclusive with generating lookaside records.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specifies the TTL of the DS records.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Look for key files (or, in keyset mode,

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="filename">keyset-</code> files) in

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="option">directory</code>.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Zone file mode: in place of the keyfile name, the argument is

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the DNS domain name of a zone master file, which can be read

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews from <code class="option">file</code>. If the zone name is the same as

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="option">file</code>, then it may be omitted.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews If <code class="option">file</code> is set to <code class="literal">"-"</code>, then

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the zone data is read from the standard input. This makes it

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews possible to use the output of the <span class="command"><strong>dig</strong></span>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews command as input, as in:

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-A</span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Include ZSKs when generating DS records. Without this option,

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews only keys which have the KSK flag set will be converted to DS

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews records and printed. Useful only in zone file mode.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Generate a DLV set instead of a DS set. The specified

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="option">domain</code> is appended to the name for each

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews record in the set.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The DNSSEC Lookaside Validation (DLV) RR is described

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews in RFC 4431. This is mutually exclusive with generating

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews CDS records.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-s</span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Keyset mode: in place of the keyfile name, the argument is

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the DNS domain name of a keyset file.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Specifies the DNS class (default is IN). Useful only

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews in keyset or zone file mode.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Sets the debugging level.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-h</span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Prints usage information.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dt><span class="term">-V</span></dt>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<dd><p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews Prints version information.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p></dd>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</dl></div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="refsection">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="id-1.9"></a><h2>EXAMPLE</h2>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews To build the SHA-256 DS RR from the

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews keyfile name, the following command would be issued:

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The command would print something like:

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="refsection">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="id-1.10"></a><h2>FILES</h2>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The keyfile can be designed by the key identification

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span class="refentrytitle">dnssec-keygen</span>(8).

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews The keyset file name is built from the <code class="option">directory</code>,

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews the string <code class="filename">keyset-</code> and the

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <code class="option">dnsname</code>.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="refsection">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="id-1.11"></a><h2>CAVEAT</h2>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews A keyfile error can give a "file not found" even if the file exists.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<div class="refsection">

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<a name="id-1.12"></a><h2>SEE ALSO</h2>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <em class="citetitle">BIND 9 Administrator Reference Manual</em>,

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <em class="citetitle">RFC 3658</em>,

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <em class="citetitle">RFC 4431</em>.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <em class="citetitle">RFC 4509</em>.

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews </p>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</div></body>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews</html>

5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews