dnssec-dsfromkey.html revision e62b9c9ce6413fb183c8116381e75dcd07ca5517
<!--
 - Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-C</code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-dsfromkey</strong></span>
 outputs the Delegation Signer (DS) resource record (RR), as defined in
 RFC 3658 and RFC 4509, for the given key(s).
 </p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd><p>
 Use SHA-1 as the digest algorithm (the default is to use
 both SHA-1 and SHA-256).
 </p></dd>
<dt><span class="term">-2</span></dt>
<dd><p>
 Use SHA-256 as the digest algorithm.
 </p></dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
 Select the digest algorithm. The value of
 <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
 SHA-256 (SHA256), GOST, or SHA-384 (SHA384).
 These values are case insensitive.
 </p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Generate CDS records rather than DS records. This is mutually
 exclusive with generating lookaside records.
 </p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
 Specifies the TTL of the DS records.
 </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Look for key files (or, in keyset mode,
 <code class="filename">keyset-</code> files) in
 <code class="option">directory</code>.
 </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
 Zone file mode: in place of the keyfile name, the argument is
 the DNS domain name of a zone master file, which can be read
 from <code class="option">file</code>. If the zone name is the same as
 <code class="option">file</code>, then it may be omitted.
 </p>
<p>
 If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 the zone data is read from the standard input. This makes it
 possible to use the output of the <span class="command"><strong>dig</strong></span>
 command as input, as in:
 </p>
<p>
 <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
 </p>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
 Include ZSKs when generating DS records. Without this option,
 only keys which have the KSK flag set will be converted to DS
 records and printed. Useful only in zone file mode.
 </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
 Generate a DLV set instead of a DS set. The specified
 <code class="option">domain</code> is appended to the name for each
 record in the set.
 The DNSSEC Lookaside Validation (DLV) RR is described
 in RFC 4431. This is mutually exclusive with generating
 CDS records.
 </p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
 Keyset mode: in place of the keyfile name, the argument is
 the DNS domain name of a keyset file.
 </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class (default is IN). Useful only
 in keyset or zone file mode.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints usage information.
 </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
 </p></dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLE</h2>
<p>
 To build the SHA-256 DS RR from the
 <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 keyfile name, the following command would be issued:
 </p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
 </p>
<p>
 The command would print something like:
 </p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
 </p>
</div>
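<p>
 As an added illustration, not part of the BIND manual or of the tool's own code, the Python below reproduces what <code class="command">dnssec-dsfromkey -f -</code> computes in zone file mode: it parses DNSKEY lines as <code class="command">dig</code> prints them, derives the RFC 4034 key tag, hashes the canonical owner name plus the DNSKEY RDATA into SHA-1 and SHA-256 DS records (the tool's default pair), and skips ZSKs unless the equivalent of <code class="option">-A</code> is requested. The DNSKEY records in <code>SAMPLE</code> are constructed with toy 4-byte keys; the <code>ds_records</code> helper name is an assumption. A practitioner can run it against real <code class="command">dig dnskey</code> output to check that the DS set published at the parent still matches the child's KSKs.
 </p>

```python
import base64
import hashlib

# DS digest types (RFC 4034/4509/6605); GOST (type 3) omitted, hashlib lacks it.
DIGEST_TYPES = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # KSK ("Secure Entry Point") bit; flags 257 = ZONE | SEP


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, e.g. example.com."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str):
    """Parse one presentation-format DNSKEY RR as printed by dig; None otherwise."""
    f = line.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        return None
    owner, flags, proto, alg = f[0], int(f[4]), int(f[5]), int(f[6])
    pubkey = base64.b64decode("".join(f[7:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, flags, alg, rdata


def ds_records(lines, digest_types=(1, 2), include_zsk=False):
    """Emulate 'dnssec-dsfromkey -f -': one DS per key and digest type.
    Like the tool, only keys with the KSK flag are converted unless -A."""
    out = []
    for line in lines:
        parsed = parse_dnskey(line)
        if parsed is None:
            continue
        owner, flags, alg, rdata = parsed
        if not include_zsk and not flags & SEP_FLAG:
            continue
        for dt in digest_types:
            digest = DIGEST_TYPES[dt](name_to_wire(owner) + rdata).hexdigest().upper()
            out.append(f"{owner} IN DS {key_tag(rdata)} {alg} {dt} {digest}")
    return out


# Constructed sample (not a real zone): a KSK (257) and a ZSK (256) with toy keys.
SAMPLE = [
    "example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==",
    "example.com. 3600 IN DNSKEY 256 3 8 BQYHCA==",
    "example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20240101000000 ... (ignored)",
]
```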
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p>
 The keyfile can be designated by the key identification
 <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
 <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
 <span class="refentrytitle">dnssec-keygen</span>(8).
 </p>
<p>
 The keyset file name is built from the <code class="option">directory</code>,
 the string <code class="filename">keyset-</code> and the
 <code class="option">dnsname</code>.
 </p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>CAVEAT</h2>
<p>
 A keyfile error can give a "file not found" even if the file exists.
 </p>
</div>
<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 3658</em>,
 <em class="citetitle">RFC 4431</em>,
 <em class="citetitle">RFC 4509</em>.
 </p>
</div>
</div></body>
</html>