dnssec-dsfromkey.html revision aaaf8d4f4873d21e55c3ffb4f656203d08339865
<!--
 - Copyright (C) 2008-2011 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
 outputs the Delegation Signer (DS) resource record (RR), as defined in
 RFC 3658 and RFC 4509, for the given key(s).</p>
<dt><span class="term">-1</span></dt>
 Use SHA-1 as the digest algorithm (the default is to use
 both SHA-1 and SHA-256).
<dt><span class="term">-2</span></dt>
 Use SHA-256 as the digest algorithm.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Select the digest algorithm. The value of
 <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
 SHA-256 (SHA256), GOST or SHA-384 (SHA384).
 These values are case insensitive.
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
 Specifies the TTL of the DS records.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Look for key files (or, in keyset mode,
 <code class="filename">keyset-</code> files) in
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 Zone file mode: in place of the keyfile name, the argument is
 the DNS domain name of a zone master file, which can be read
 from <code class="option">file</code>. If the zone name is the same as
 <code class="option">file</code>, then it may be omitted.
 If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 the zone data is read from the standard input. This makes it
 possible to use the output of the <span><strong class="command">dig</strong></span>
 command as input, as in:
 <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
<dt><span class="term">-A</span></dt>
 Include ZSKs when generating DS records. Without this option,
 only keys which have the KSK flag set will be converted to DS
 records and printed. Useful only in zone file mode.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 Generate a DLV set instead of a DS set. The specified
 <code class="option">domain</code> is appended to the name for each
 record in the set.
 The DNSSEC Lookaside Validation (DLV) RR is described
<dt><span class="term">-s</span></dt>
 Keyset mode: in place of the keyfile name, the argument is
 the DNS domain name of a keyset file.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Specifies the DNS class (default is IN). Useful only
 in keyset or zone file mode.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
 To build the SHA-256 DS RR from the
 <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 keyfile name, the following command would be issued:
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong></p>
 The command would print something like:
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong></p>
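<p>How a DS line like the one above is derived from DNSKEY data, following zone file mode (KSK-flagged keys only unless ZSKs are requested, SHA-1 and SHA-256 by default). This Python code is an added example, not part of the original manual page and not ISC's implementation. The function names, the one-record-per-line parsing and the constructed sample input are assumptions of the example; GOST is left out because Python's hashlib does not provide it.</p>

```python
import base64
import hashlib
import struct

# DS digest type numbers -> hash (GOST, type 3, is not in hashlib and is left out)
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # the "KSK flag" bit in the DNSKEY flags field

# Constructed sample in dig-style presentation format; the 4-byte keys are not real keys.
SAMPLE_ZONE = """\
; constructed sample, not real dig output
example.com. 3600 IN DNSKEY 257 3 8 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 8 AQIDBA==
example.com. 3600 IN A 192.0.2.1
"""

def name_to_wire(name):
    """Canonical (lower-case) wire encoding of a domain name."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (does not apply to algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def dnskey_rdata(fields):
    """Pack 'flags protocol algorithm base64...' fields into DNSKEY RDATA bytes."""
    flags, proto, alg = (int(x) for x in fields[:3])
    return struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(fields[3:]))

def ds_set(zone_text, digest_types=(1, 2), include_zsk=False):
    """Return DS lines for the DNSKEY records in zone_text (one record per line)."""
    out = []
    for line in zone_text.splitlines():
        fields = line.split(";")[0].split()  # drop comments, then tokenize
        if "DNSKEY" not in fields[1:]:
            continue
        owner, rest = fields[0], fields[fields.index("DNSKEY", 1) + 1:]
        rdata = dnskey_rdata(rest)
        flags, alg = struct.unpack("!H", rdata[:2])[0], rdata[3]
        if not (flags & SEP_FLAG) and not include_zsk:
            continue  # default behaviour: KSKs only
        for dt in digest_types:
            # The digest covers the owner name in wire form followed by the DNSKEY RDATA
            digest = DIGESTS[dt](name_to_wire(owner) + rdata).hexdigest().upper()
            out.append(f"{owner} IN DS {key_tag(rdata)} {alg} {dt} {digest}")
    return out

if __name__ == "__main__":
    print("\n".join(ds_set(SAMPLE_ZONE)))
```

<p>Because the digest covers both the owner name and the full DNSKEY RDATA, a DS record received from another party can be checked by recomputing it from the zone's published DNSKEY and comparing key tag, algorithm and digest.</p>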
 The keyfile can be designated by the key identification
 <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
 <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
 <span class="refentrytitle">dnssec-keygen</span>(8).
 The keyset file name is built from the <code class="option">directory</code>,
 the string <code class="filename">keyset-</code> and the
 A keyfile error can give a "file not found" even if the file exists.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>