<!--
 - Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543514"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
      outputs the Delegation Signer (DS) resource record (RR), as defined in
      RFC 3658 and RFC 4509, for the given key(s).
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543526"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
            Use SHA-1 as the digest algorithm (the default is to use
            both SHA-1 and SHA-256).
          </p></dd>
<dt><span class="term">-2</span></dt>
<dd><p>
            Use SHA-256 as the digest algorithm.
          </p></dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
            Select the digest algorithm. The value of
            <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
            SHA-256 (SHA256), GOST or SHA-384 (SHA384).
            These values are case insensitive.
          </p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
            Specifies the TTL of the DS records.
          </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
            Look for key files (or, in keyset mode,
            <code class="filename">keyset-</code> files) in
            <code class="option">directory</code>.
          </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
            Zone file mode: in place of the keyfile name, the argument is
            the DNS domain name of a zone master file, which can be read
            from <code class="option">file</code>. If the zone name is the same as
            <code class="option">file</code>, then it may be omitted.
          </p>
<p>
            If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
            the zone data is read from the standard input. This makes it
            possible to use the output of the <span><strong class="command">dig</strong></span>
            command as input, as in:
          </p>
<p>
            <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
          </p>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
            Include ZSKs when generating DS records. Without this option,
            only keys which have the KSK flag set will be converted to DS
            records and printed. Useful only in zone file mode.
          </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
            Generate a DLV set instead of a DS set. The specified
            <code class="option">domain</code> is appended to the name for each
            record in the set.
            The DNSSEC Lookaside Validation (DLV) RR is described
            in RFC 4431.
          </p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
            Keyset mode: in place of the keyfile name, the argument is
            the DNS domain name of a keyset file.
          </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
            Specifies the DNS class (default is IN). Useful only
            in keyset or zone file mode.
          </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
            Sets the debugging level.
          </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
            Prints usage information.
          </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
            Prints version information.
          </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543780"></a><h2>EXAMPLE</h2>
<p>
      To build the SHA-256 DS RR from the
      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
      keyfile name, the following command would be issued:
    </p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
    </p>
<p>
      The command would print something like:
    </p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
    </p>
</div>
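<p>
      The following is an added example, not part of the BIND distribution: a Python
      sketch of the computation behind a DS record (key tag plus a digest over the owner name
      and DNSKEY RDATA), useful for cross-checking the tool's output before handing a DS to
      the parent zone. The function names and the sample keys are constructed for illustration;
      it assumes one DNSKEY record per input line, as in zone file mode or plain
      <span><strong class="command">dig</strong></span> output.
    </p>

```python
import base64
import hashlib
import struct

# DS digest type numbers -> hashlib names (GOST, type 3, is not in hashlib).
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}


def name_to_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b if i & 1 else b * 256 for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF


def parse_dnskeys(text):
    """Yield (owner, flags, algorithm, rdata) from zone-file or dig-style text."""
    for line in text.splitlines():
        fields = line.split(";")[0].split()      # drop comments, tokenize
        if "DNSKEY" not in fields[1:]:
            continue
        at = fields.index("DNSKEY", 1)
        flags, proto, alg = (int(x) for x in fields[at + 1:at + 4])
        key = base64.b64decode("".join(fields[at + 4:]))
        yield fields[0], flags, alg, struct.pack("!HBB", flags, proto, alg) + key


def ds_records(text, digest_type=2, include_zsk=False):
    """DS lines for the KSKs in text; include_zsk mirrors the -A option."""
    out = []
    for owner, flags, alg, rdata in parse_dnskeys(text):
        if not (flags & 0x0001 or include_zsk):  # low flag bit (SEP) marks a KSK
            continue
        h = hashlib.new(DIGESTS[digest_type], name_to_wire(owner) + rdata)
        out.append(f"{owner} IN DS {key_tag(rdata)} {alg} {digest_type} "
                   f"{h.hexdigest().upper()}")
    return out


# Constructed sample input: one KSK (257) and one ZSK (256) with dummy key bytes.
_KEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE = ("; constructed data, not a real zone\n"
          f"example.com. 3600 IN DNSKEY 257 3 15 {_KEY}\n"
          f"example.com. 3600 IN DNSKEY 256 3 15 {_KEY}\n")

if __name__ == "__main__":
    print("\n".join(ds_records(SAMPLE)))
```
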
<div class="refsect1" lang="en">
<a name="id2543810"></a><h2>FILES</h2>
<p>
      The keyfile can be designated by the key identification
      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
      <span class="refentrytitle">dnssec-keygen</span>(8).
    </p>
<p>
      The keyset file name is built from the <code class="option">directory</code>,
      the string <code class="filename">keyset-</code> and the
      <code class="option">dnsname</code>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543845"></a><h2>CAVEAT</h2>
<p>
      A keyfile error can give a "file not found" even if the file exists.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543854"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 3658</em>,
      <em class="citetitle">RFC 4431</em>,
      <em class="citetitle">RFC 4509</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543894"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div></body>
</html>