dnssec-dsfromkey.html revision 6f1205897504b8f50b1785975482c995888dd630
4d237bbe075b1d2c19428cd954d721d65b31f67cwrowe<!--
bf52162f2d05c1fb1a107c7ef108de73f739b3edpquerna - Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
bf52162f2d05c1fb1a107c7ef108de73f739b3edpquerna -
bf52162f2d05c1fb1a107c7ef108de73f739b3edpquerna - Permission to use, copy, modify, and/or distribute this software for any
df46ff21c57d00f6addccaaf9b1484f2b56b8577pquerna - purpose with or without fee is hereby granted, provided that the above
7f4ac5a4cd99a9cae866b5908e358bd932736307chrisd - copyright notice and this permission notice appear in all copies.
1c03114a0f0315ed19a05f654021da9f66005897rjung -
1c03114a0f0315ed19a05f654021da9f66005897rjung - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
89691c9bd17f5f53fa0aa8d3fe2e1faee5a5d984rpluem - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
89691c9bd17f5f53fa0aa8d3fe2e1faee5a5d984rpluem - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
89691c9bd17f5f53fa0aa8d3fe2e1faee5a5d984rpluem - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
89691c9bd17f5f53fa0aa8d3fe2e1faee5a5d984rpluem - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
3e9c0665b06e44cf776528c6954ed3ca34a77c7fsctemme - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
51a475d92e7d68ee6d7b57aa7fd6e73b2712ce31sctemme - PERFORMANCE OF THIS SOFTWARE.
3e9c0665b06e44cf776528c6954ed3ca34a77c7fsctemme-->
019f2b58acb34e31ea3a062bdb5e6c863cd82d66trawick<!-- $Id$ -->
873c287c391b0bbc4719b68bb84946515811e1batrawick<html>
6707208ba4e9a5841ca1ab830830fd286ea5b7c5trawick<head>
6707208ba4e9a5841ca1ab830830fd286ea5b7c5trawick<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
873c287c391b0bbc4719b68bb84946515811e1batrawick<title>dnssec-dsfromkey</title>
832853bb93c1831daf24e4727c5ca0e1b1786e83lars<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
832853bb93c1831daf24e4727c5ca0e1b1786e83lars</head>
832853bb93c1831daf24e4727c5ca0e1b1786e83lars<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
d2696ac6757b3d8bdaa27634a141ac8c8a045e08fielding<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
d2696ac6757b3d8bdaa27634a141ac8c8a045e08fielding<div class="refnamediv">
d2696ac6757b3d8bdaa27634a141ac8c8a045e08fielding<h2>Name</h2>
d2696ac6757b3d8bdaa27634a141ac8c8a045e08fielding<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
1782dcd420de504978945e6b812523eeae6d56a2lars</div>
1782dcd420de504978945e6b812523eeae6d56a2lars<div class="refsynopsisdiv">
d2696ac6757b3d8bdaa27634a141ac8c8a045e08fielding<h2>Synopsis</h2>
1782dcd420de504978945e6b812523eeae6d56a2lars<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
59dc8d935dbf862712683bbc9e267bd08ced0b14fielding</div>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<div class="refsect1" lang="en">
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<a name="id2543506"></a><h2>DESCRIPTION</h2>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<p><span><strong class="command">dnssec-dsfromkey</strong></span>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem outputs the Delegation Signer (DS) resource record (RR), as defined in
cf8d02ea0c91653917b044529f3133c5a1bb9200fielding RFC 3658 and RFC 4509, for the given key(s).
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem </p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem</div>
17ac330ebaa71b24cb77580411a231ee45996e03pquerna<div class="refsect1" lang="en">
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<a name="id2543517"></a><h2>OPTIONS</h2>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<div class="variablelist"><dl>
9f38f3ec3e8087985d108a24ae796962fef83644takashi<dt><span class="term">-1</span></dt>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dd><p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem Use SHA-1 as the digest algorithm (the default is to use
d4ee4552489641d35d1195bbbd6021351c4b79aarjung both SHA-1 and SHA-256).
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem </p></dd>
9e152751ed380f87c5ecae4fb0221c956e5fbd24rjung<dt><span class="term">-2</span></dt>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dd><p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem Use SHA-256 as the digest algorithm.
abb99af8aa7da2cb4c324133a4e10bd7a50f875erpluem </p></dd>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dd><p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem Select the digest algorithm. The value of
382d14411b582d97075a836190d74c778977505fcovener <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem SHA-256 (SHA256), GOST or SHA-384 (SHA384).
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem These values are case insensitive.
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem </p></dd>
06e6657fd0f376a16db696876f9bff5927cc3cb0trawick<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dd><p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem Specifies the TTL of the DS records.
0e9dae659943679108357054e9aa7657cdc52dc4minfrin </p></dd>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dd><p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem Look for key files (or, in keyset mode,
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem <code class="filename">keyset-</code> files) in
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem <code class="option">directory</code>.
d03aa31ada476d8eb97feaec2b1099809e7f3d57niq </p></dd>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dd>
a7757dd38bb2a1afc93e241b7ea67b3de85ecc8bminfrin<p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem Zone file mode: in place of the keyfile name, the argument is
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem the DNS domain name of a zone master file, which can be read
df46ff21c57d00f6addccaaf9b1484f2b56b8577pquerna from <code class="option">file</code>. If the zone name is the same as
df46ff21c57d00f6addccaaf9b1484f2b56b8577pquerna <code class="option">file</code>, then it may be omitted.
df46ff21c57d00f6addccaaf9b1484f2b56b8577pquerna </p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem the zone data is read from the standard input. This makes it
a5cce34e21a5b472f3806b4526043887bcb7e9eajim possible to use the output of the <span><strong class="command">dig</strong></span>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem command as input, as in:
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem </p>
8c3667cd1d0db08647793137c0d1aa7f6526bebfniq<p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem </p>
8c3667cd1d0db08647793137c0d1aa7f6526bebfniq</dd>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dt><span class="term">-A</span></dt>
6824182b3b8e045db97a228d3127bdfcbdfeb0bcniq<dd><p>
6824182b3b8e045db97a228d3127bdfcbdfeb0bcniq Include ZSK's when generating DS records. Without this option,
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem only keys which have the KSK flag set will be converted to DS
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem records and printed. Useful only in zone file mode.
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem </p></dd>
0c26d213d85bc40fc05963c63bf670b42b352d25niq<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dd><p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem Generate a DLV set instead of a DS set. The specified
92357fb76d3ad043e29ba2ba2041a7bdb8d13390niq <code class="option">domain</code> is appended to the name for each
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem record in the set.
9f07b6dc343a4e3eba5f4c47050a77441723ce89nd The DNSSEC Lookaside Validation (DLV) RR is described
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem in RFC 4431.
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem </p></dd>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dt><span class="term">-s</span></dt>
f7cec4a86292b160401472286a17497ae0d4df18covener<dd><p>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem Keyset mode: in place of the keyfile name, the argument is
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem the DNS domain name of a keyset file.
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem </p></dd>
abc69b39766c0de3eaf99e9016ea3f35e23c116drpluem<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
1464434c2c104e0ba224644c42552330f5158537covener<dd><p>
8d574b3ac4185e4f71c8b9aae76e7122a78201c4rpluem Specifies the DNS class (default is IN). Useful only
8d574b3ac4185e4f71c8b9aae76e7122a78201c4rpluem in keyset or zone file mode.
8d574b3ac4185e4f71c8b9aae76e7122a78201c4rpluem </p></dd>
7f4ac5a4cd99a9cae866b5908e358bd932736307chrisd<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
92357fb76d3ad043e29ba2ba2041a7bdb8d13390niq<dd><p>
8d574b3ac4185e4f71c8b9aae76e7122a78201c4rpluem Sets the debugging level.
509111f5f58a9effd4c832f6a0cbd6ad9d549188jorton </p></dd>
509111f5f58a9effd4c832f6a0cbd6ad9d549188jorton<dt><span class="term">-h</span></dt>
509111f5f58a9effd4c832f6a0cbd6ad9d549188jorton<dd><p>
0e2a2eae9b72ac099aa25d7419e55af13b004be9minfrin Prints usage information.
235b900b78cf6849f8344e377a91ded37d9cc9depquerna </p></dd>
235b900b78cf6849f8344e377a91ded37d9cc9depquerna<dt><span class="term">-V</span></dt>
235b900b78cf6849f8344e377a91ded37d9cc9depquerna<dd><p>
66b8ec445dced7a2036bcd3b87b6fc3f08a1ab24jorton Prints version information.
66b8ec445dced7a2036bcd3b87b6fc3f08a1ab24jorton </p></dd>
66b8ec445dced7a2036bcd3b87b6fc3f08a1ab24jorton</dl></div>
66b8ec445dced7a2036bcd3b87b6fc3f08a1ab24jorton</div>
0e2a2eae9b72ac099aa25d7419e55af13b004be9minfrin<div class="refsect1" lang="en">
0e2a2eae9b72ac099aa25d7419e55af13b004be9minfrin<a name="id2543771"></a><h2>EXAMPLE</h2>
0e2a2eae9b72ac099aa25d7419e55af13b004be9minfrin<p>
0e2a2eae9b72ac099aa25d7419e55af13b004be9minfrin To build the SHA-256 DS RR from the
0e2a2eae9b72ac099aa25d7419e55af13b004be9minfrin <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
8d574b3ac4185e4f71c8b9aae76e7122a78201c4rpluem keyfile name, the following command would be issued:
6f33babce8f8bc723f0b2c755aef049cd509504fpquerna </p>
6f33babce8f8bc723f0b2c755aef049cd509504fpquerna<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
0a12339f39799193ac6866fce812a1deb8f4a1abpquerna </p>
0a12339f39799193ac6866fce812a1deb8f4a1abpquerna<p>
0a12339f39799193ac6866fce812a1deb8f4a1abpquerna The command would print something like:
3fb118bc4e1a634f71c1fa509819ceac36c79dcbpquerna </p>
3fb118bc4e1a634f71c1fa509819ceac36c79dcbpquerna<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
3fb118bc4e1a634f71c1fa509819ceac36c79dcbpquerna </p>
fb59af4ce3fcdd314b848359faeddf1e51bb24c5jim</div>
fb59af4ce3fcdd314b848359faeddf1e51bb24c5jim<div class="refsect1" lang="en">
fb59af4ce3fcdd314b848359faeddf1e51bb24c5jim<a name="id2543801"></a><h2>FILES</h2>
fb59af4ce3fcdd314b848359faeddf1e51bb24c5jim<p>
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna The keyfile can be designed by the key identification
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna <span class="refentrytitle">dnssec-keygen</span>(8).
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna </p>
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna<p>
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna The keyset file name is built from the <code class="option">directory</code>,
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna the string <code class="filename">keyset-</code> and the
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna <code class="option">dnsname</code>.
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna </p>
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna</div>
a91a59d0b0ceed7cd5621fe8757eda5ff6a043a8pquerna<div class="refsect1" lang="en">
19e5deda3a29d71ac1cc4bfecce39f96ea3ab55dcovener<a name="id2543836"></a><h2>CAVEAT</h2>
19e5deda3a29d71ac1cc4bfecce39f96ea3ab55dcovener<p>
19e5deda3a29d71ac1cc4bfecce39f96ea3ab55dcovener A keyfile error can give a "file not found" even if the file exists.
19e5deda3a29d71ac1cc4bfecce39f96ea3ab55dcovener </p>
19e5deda3a29d71ac1cc4bfecce39f96ea3ab55dcovener</div>
3ec1e3a35106ec4c8bcf8fae6a20cb623aed0b62pquerna<div class="refsect1" lang="en">
3ec1e3a35106ec4c8bcf8fae6a20cb623aed0b62pquerna<a name="id2543846"></a><h2>SEE ALSO</h2>
3ec1e3a35106ec4c8bcf8fae6a20cb623aed0b62pquerna<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
97f7daaffd9b6c1031302d7e551d5279fa0d0d72pquerna <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
97f7daaffd9b6c1031302d7e551d5279fa0d0d72pquerna <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
97f7daaffd9b6c1031302d7e551d5279fa0d0d72pquerna <em class="citetitle">RFC 3658</em>,
847db8b2f0188cd9c840acbe4fea77a32748b2edpquerna <em class="citetitle">RFC 4431</em>.
97f7daaffd9b6c1031302d7e551d5279fa0d0d72pquerna <em class="citetitle">RFC 4509</em>.
97f7daaffd9b6c1031302d7e551d5279fa0d0d72pquerna </p>
527fc83e2bf315b2026a9ac6b1e6ce83143609bbcovener</div>
527fc83e2bf315b2026a9ac6b1e6ce83143609bbcovener<div class="refsect1" lang="en">
527fc83e2bf315b2026a9ac6b1e6ce83143609bbcovener<a name="id2543885"></a><h2>AUTHOR</h2>
527fc83e2bf315b2026a9ac6b1e6ce83143609bbcovener<p><span class="corpauthor">Internet Systems Consortium</span>
527fc83e2bf315b2026a9ac6b1e6ce83143609bbcovener </p>
99c8705f69fae71940ad9b091bd2f588a7b9f484minfrin</div>
99c8705f69fae71940ad9b091bd2f588a7b9f484minfrin</div></body>
99c8705f69fae71940ad9b091bd2f588a7b9f484minfrin</html>
99c8705f69fae71940ad9b091bd2f588a7b9f484minfrin