<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-coverage.html" title="dnssec-coverage">
<link rel="next" href="man.dnssec-importkey.html" title="dnssec-importkey">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
 outputs the Delegation Signer (DS) resource record (RR), as defined in
 RFC 3658 and RFC 4509, for the given key(s).</p>
<dt><span class="term">-1</span></dt>
 Use SHA-1 as the digest algorithm (the default is to use
 both SHA-1 and SHA-256).
<dt><span class="term">-2</span></dt>
 Use SHA-256 as the digest algorithm.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
 Select the digest algorithm. The value of
 <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
 SHA-256 (SHA256), GOST or SHA-384 (SHA384).
 These values are case-insensitive.
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
 Specifies the TTL of the DS records.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Look for key files (or, in keyset mode,
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
 Zone file mode: in place of the keyfile name, the argument is
 the DNS domain name of a zone master file, which can be read
 from <code class="option">file</code>. If the zone name is the same as
 <code class="option">file</code>, then it may be omitted.
 If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 the zone data is read from the standard input. This makes it
 possible to use the output of the <span><strong class="command">dig</strong></span>
 command as input, as in:
 <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
<dt><span class="term">-A</span></dt>
 Include ZSKs when generating DS records. Without this option,
 only keys which have the KSK flag set will be converted to DS
 records and printed. Useful only in zone file mode.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
 Generate a DLV set instead of a DS set. The specified
 <code class="option">domain</code> is appended to the name for each
 record in the set.
 The DNSSEC Lookaside Validation (DLV) RR is described
 in RFC 4431.
<dt><span class="term">-s</span></dt>
 Keyset mode: in place of the keyfile name, the argument is
 the DNS domain name of a keyset file.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
 Specifies the DNS class (default is IN). Useful only
 in keyset or zone file mode.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
<dt><span class="term">-h</span></dt>
 Prints usage information.
<dt><span class="term">-V</span></dt>
 Prints version information.
 To build the SHA-256 DS RR from the
 <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 keyfile name, the following command would be issued:
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong></p>
 The command would print something like:
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong></p>
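<p>Added example (not part of the BIND documentation or source): a Python sketch of what zone file mode computes. It takes dig-style DNSKEY lines, skips keys without the KSK (SEP) flag unless <code>include_zsk</code> is set (the <code class="option">-A</code> behaviour), and hashes the canonical owner name followed by the DNSKEY RDATA, as RFC 4509 specifies for SHA-256. The function names, the one-record-per-line input assumption and the toy keys in <code>SAMPLE</code> are constructed for illustration.</p>

```python
import base64, hashlib, struct

# DS digest type numbers; GOST (type 3) is left out because hashlib lacks it.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def wire_name(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    out = b""
    for label in (l for l in name.lower().rstrip(".").split(".") if l):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def key_tag(rdata):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_zone(text, digest_type=2, include_zsk=False):
    """Return DS lines for the DNSKEY records in zone-file or dig text."""
    out = []
    for line in text.splitlines():
        fields = line.split(";")[0].split()        # drop comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        if not (flags & 0x0001) and not include_zsk:   # SEP bit clear: a ZSK
            continue
        pub = base64.b64decode("".join(fields[i + 4:]))  # base64 may be space-split
        rdata = struct.pack("!HBB", flags, proto, alg) + pub
        digest = DIGESTS[digest_type](wire_name(fields[0]) + rdata).hexdigest().upper()
        out.append(f"{fields[0].lower()} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}")
    return out

# Constructed sample input: toy 4-byte keys, not real DNSKEYs.
SAMPLE = """\
; constructed dig-style answer section
Example.COM. 3600 IN DNSKEY 257 3 8 AQID BA==
example.com. 3600 IN DNSKEY 256 3 8 AQIDBA==
example.com. 3600 IN A 192.0.2.1
"""

if __name__ == "__main__":
    print("\n".join(ds_from_zone(SAMPLE)))
```

<p>Because the owner name is lowercased before hashing, <code>Example.COM.</code> and <code>example.com.</code> yield the same digest; a mismatch between a published DS and a locally computed one therefore points at the key material or the digest type.</p>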
 The keyfile can be designated by the key identification
 <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
 <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
 <span class="refentrytitle">dnssec-keygen</span>(8).
 The keyset file name is built from the <code class="option">directory</code>,
 the string <code class="filename">keyset-</code> and the
 A keyfile error can give a "file not found" even if the file exists.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>