dnssec-dsfromkey.html revision fd2597f75693a2279fdf588bd40dfe2407c42028
<!--
 - Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-C</code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
<p><span class="command"><strong>dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd><p>Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).</p></dd>
<dt><span class="term">-2</span></dt>
<dd><p>Use SHA-256 as the digest algorithm.</p></dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>Generate CDS records rather than DS records. This is mutually
exclusive with generating lookaside records.</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>Specifies the TTL of the DS records.</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd><p>Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.</p>
<p>If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:</p>
<p><strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong></p></dd>
<dt><span class="term">-A</span></dt>
<dd><p>Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431. This is mutually exclusive with generating
CDS records.</p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>Sets the debugging level.</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>Prints usage information.</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>Prints version information.</p></dd>
</dl></div>
<p>To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, the following command would be issued:</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong></p>
<p>The command would print something like:</p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong></p>
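<p>As an added illustration (not part of the BIND manual and not the tool's own source), the following Python reconstructs what the example above and zone file mode do: it reads DNSKEY lines in the form <code>dig</code> prints, keeps only keys with the KSK (SEP) flag unless ZSKs are included (the <code>-A</code> behaviour), and emits the default SHA-1 and SHA-256 DS pair by hashing the canonical wire-format owner name followed by the DNSKEY RDATA, with the key tag computed per RFC 4034 Appendix B. The sample zone text and its 4-byte keys are constructed and are not real keys; GOST is not implemented.</p>

```python
import base64
import hashlib

# Constructed sample in the shape `dig dnskey example.com` prints; the key
# material (4 bytes each) is invented and not a real key of any algorithm.
SAMPLE_ZONE = """\
example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 8 BQYHCA==
example.com. 3600 IN NS ns1.example.com.
"""
DIGEST = {1: "sha1", 2: "sha256", 4: "sha384"}  # DS digest type -> hashlib name (GOST omitted)

def name_to_wire(name):
    """Canonical wire form of the owner name (RFC 4034 s6.2): lowercase, length-prefixed labels."""
    labels = [lab for lab in name.lower().split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B, computed over the full DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags):
    """BIND's KSK flag is the SEP bit (RFC 4034 s2.1.1); 256 is the zone-key bit."""
    return flags & 0x0101 == 0x0101

def ds_from_dnskey(owner, flags, proto, alg, pubkey, digest_type=2, ttl=None, cls="IN"):
    """DS RR text for one DNSKEY: digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    digest = hashlib.new(DIGEST[digest_type], name_to_wire(owner) + rdata).hexdigest().upper()
    ttl_field = f" {ttl}" if ttl is not None else ""
    return f"{owner}{ttl_field} {cls} DS {key_tag(rdata)} {alg} {digest_type} {digest}"

def ds_set_from_zone(text, digest_types=(1, 2), include_zsk=False):
    """Zone-file mode (-f): DNSKEY lines -> DS lines; ZSKs are skipped unless include_zsk (-A)."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or f[3] != "DNSKEY":
            continue
        flags, proto, alg = int(f[4]), int(f[5]), int(f[6])
        if not (include_zsk or is_ksk(flags)):
            continue
        pubkey = base64.b64decode("".join(f[7:]))  # dig may wrap the key over several words
        for dt in digest_types:
            out.append(ds_from_dnskey(f[0], flags, proto, alg, pubkey, dt, int(f[1]), f[2]))
    return out
```

<p>Because the owner name is lowercased before hashing, a DS computed from <code>EXAMPLE.COM</code> matches one computed from <code>example.com.</code>, which is the property a parent zone relies on when checking a child's DS against the published DNSKEY.</p>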
<p>The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>.</p>
<p>The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
<p>A keyfile error can give a "file not found" even if the file exists.</p>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,