man.dnssec-dsfromkey.html revision 43b94483957d3168796a816ed86cf097518817dc
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - Copyright (C) 2000-2003 Internet Software Consortium.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - Permission to use, copy, modify, and/or distribute this software for any
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - purpose with or without fee is hereby granted, provided that the above
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington - copyright notice and this permission notice appear in all copies.
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
8a66318e41ed14c5a88130e8c362610e8faa2121Mark Andrews<!-- $Id$ -->
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<link rel="prev" href="man.host.html" title="host">
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews<link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<a name="id2614251"></a><h2>DESCRIPTION</h2>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<p><span><strong class="command">dnssec-dsfromkey</strong></span>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington outputs the Delegation Signer (DS) resource record (RR), as defined in
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington RFC 3658 and RFC 4509, for the given key(s).
<dt><span class="term">-1</span></dt>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Use SHA-1 as the digest algorithm (the default is to use
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington both SHA-1 and SHA-256).
<dt><span class="term">-2</span></dt>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Use SHA-256 as the digest algorithm.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Select the digest algorithm. The value of
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington SHA-256 (SHA256), GOST or SHA-384 (SHA384).
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington These values are case insensitive.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the TTL of the DS records.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Look for key files (or, in keyset mode,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <code class="filename">keyset-</code> files) in
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Zone file mode: in place of the keyfile name, the argument is
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the DNS domain name of a zone master file, which can be read
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington from <code class="option">file</code>. If the zone name is the same as
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <code class="option">file</code>, then it may be omitted.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the zone data is read from the standard input. This makes it
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington possible to use the output of the <span><strong class="command">dig</strong></span>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington command as input, as in:
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
<dt><span class="term">-A</span></dt>
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews Include ZSKs when generating DS records. Without this option,
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews only keys which have the KSK flag set will be converted to DS
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews records and printed. Useful only in zone file mode.
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews Generate a DLV set instead of a DS set. The specified
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <code class="option">domain</code> is appended to the name for each
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington record in the set.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The DNSSEC Lookaside Validation (DLV) RR is described
<dt><span class="term">-s</span></dt>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Keyset mode: in place of the keyfile name, the argument is
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the DNS domain name of a keyset file.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Specifies the DNS class (default is IN). Useful only
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington in keyset or zone file mode.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington Sets the debugging level.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington To build the SHA-256 DS RR from the
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington keyfile name, the following command would be issued:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The command would print something like:
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews The keyfile can be designated by the key identification
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews <span class="refentrytitle">dnssec-keygen</span>(8).
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington The keyset file name is built from the <code class="option">directory</code>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington the string <code class="filename">keyset-</code> and the
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews A keyfile error can give a "file not found" even if the file exists.
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
0b062f4990db5cc6db2fe3398926f71b92a67407Brian Wellington <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
3970098dcd2a7122541667b4b56cea8abce8ccf2Mark Andrews<p><span class="corpauthor">Internet Systems Consortium</span>