dnssec-dsfromkey.html revision cd791043c8a6edbcacc2392575a9816d19b8157c
<!--
 - Copyright (C) 2008-2012 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
 outputs the Delegation Signer (DS) resource record (RR), as defined in
 RFC 3658 and RFC 4509, for the given key(s).</p>
<dt><span class="term">-1</span></dt>
 Use SHA-1 as the digest algorithm (the default is to use
 both SHA-1 and SHA-256).
<dt><span class="term">-2</span></dt>
 Use SHA-256 as the digest algorithm.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Select the digest algorithm. The value of
 <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
 SHA-256 (SHA256), GOST or SHA-384 (SHA384).
 These values are case insensitive.
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
 Specifies the TTL of the DS records.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Look for key files (or, in keyset mode,
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 Zone file mode: in place of the keyfile name, the argument is
 the DNS domain name of a zone master file, which can be read
 from <code class="option">file</code>. If the zone name is the same as
 <code class="option">file</code>, then it may be omitted.
 If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 the zone data is read from the standard input. This makes it
 possible to use the output of the <span><strong class="command">dig</strong></span>
 command as input, as in:
 <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
<dt><span class="term">-A</span></dt>
 Include ZSKs when generating DS records. Without this option,
 only keys which have the KSK flag set will be converted to DS
 records and printed. Useful only in zone file mode.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 Generate a DLV set instead of a DS set. The specified
 <code class="option">domain</code> is appended to the name for each
 record in the set.
 The DNSSEC Lookaside Validation (DLV) RR is described
 in RFC 4431.
<dt><span class="term">-s</span></dt>
 Keyset mode: in place of the keyfile name, the argument is
 the DNS domain name of a keyset file.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Specifies the DNS class (default is IN). Useful only
 in keyset or zone file mode.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
 To build the SHA-256 DS RR from the
 <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 keyfile name, the following command would be issued:
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong></p>
 The command would print something like:
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong></p>
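The following is an added example, not code from BIND or this manual page, that reproduces what the tool computes: it parses a DNSKEY in the presentation format that <code>dig</code> prints, derives the key tag, applies the KSK-flag rule behind <code>-A</code>, and emits the SHA-1 and SHA-256 DS records that are the default output. The sample DNSKEY line and its key material are constructed placeholders, not a real key.

```python
import base64
import hashlib
import struct

# DS digest types the page lists (RFC 4034 SHA-1, RFC 4509 SHA-256, RFC 6605 SHA-384); GOST omitted.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def name_to_wire(name):
    """Owner name in canonical wire form (RFC 4034 s.6.2): lowercase, length-prefixed labels, root byte."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; the non-algorithm-1 formula)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY line as dig prints it: owner [ttl] [class] DNSKEY flags proto alg key."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], struct.pack("!HBB", flags, proto, alg) + pubkey


def is_ksk(rdata):
    """True when the SEP bit is set (flags 257); without -A only such keys become DS records."""
    return bool(struct.unpack("!H", rdata[:2])[0] & 0x0001)


def ds_record(owner, rdata, digest_type, ttl=None, klass="IN"):
    """DS RR text: the digest covers the owner name in wire form followed by the whole DNSKEY RDATA."""
    digest = DIGEST_ALGS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    ttl_field = f" {ttl}" if ttl is not None else ""
    return f"{owner}{ttl_field} {klass} DS {key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


# Constructed sample in dig's output format; the key material is a placeholder, not a real key.
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 5 AQIDBA=="

if __name__ == "__main__":
    owner, rdata = parse_dnskey(SAMPLE_DNSKEY)
    if is_ksk(rdata):
        for dtype in (1, 2):  # the tool's default: both SHA-1 and SHA-256
            print(ds_record(owner, rdata, dtype))
```

Comparing the record this produces for a real DNSKEY against the DS published in the parent zone is a quick way to confirm a delegation was registered with the intended key and digest type.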
 The keyfile can be designated by the key identification
 <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
 <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
 <span class="refentrytitle">dnssec-keygen</span>(8).
 The keyset file name is built from the <code class="option">directory</code>,
 the string <code class="filename">keyset-</code> and the
 A keyfile error can give a "file not found" even if the file exists.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>