man.dnssec-dsfromkey.html revision 5347c0fcb04eaea19d9f39795646239f487c6207
<!--
 - Copyright (C) 2000-2015 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-C</code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
<a name="id-1.14.7.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-dsfromkey</strong></span>
 outputs the Delegation Signer (DS) resource record (RR), as defined in
 RFC 3658 and RFC 4509, for the given key(s).
</p>
<h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd><p>
 Use SHA-1 as the digest algorithm (the default is to use
 both SHA-1 and SHA-256).
</p></dd>
<dt><span class="term">-2</span></dt>
<dd><p>
 Use SHA-256 as the digest algorithm.
</p></dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
 Select the digest algorithm. The value of
 <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
 SHA-256 (SHA256), GOST or SHA-384 (SHA384).
 These values are case insensitive.
</p></dd>
<dt><span class="term">-C</span></dt>
<dd><p>
 Generate CDS records rather than DS records. This is mutually
 exclusive with generating lookaside records.
</p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
 Specifies the TTL of the DS records.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Look for key files (or, in keyset mode,
 <code class="filename">keyset-</code> files) in
</p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
 Zone file mode: in place of the keyfile name, the argument is
 the DNS domain name of a zone master file, which can be read
 from <code class="option">file</code>. If the zone name is the same as
 <code class="option">file</code>, then it may be omitted.
</p>
<p>
 If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
 the zone data is read from the standard input. This makes it
 possible to use the output of the <span class="command"><strong>dig</strong></span>
 command as input, as in:
</p>
<p>
 <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
 Include ZSKs when generating DS records. Without this option,
 only keys which have the KSK flag set will be converted to DS
 records and printed. Useful only in zone file mode.
</p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
 Generate a DLV set instead of a DS set. The specified
 <code class="option">domain</code> is appended to the name for each
 record in the set.
 The DNSSEC Lookaside Validation (DLV) RR is described
 in RFC 4431. This is mutually exclusive with generating
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd><p>
 Keyset mode: in place of the keyfile name, the argument is
 the DNS domain name of a keyset file.
</p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
 Specifies the DNS class (default is IN). Useful only
 in keyset or zone file mode.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Prints usage information.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
</p></dd>
</dl></div>
<h2>EXAMPLE</h2>
<p>
 To build the SHA-256 DS RR from the
 <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 keyfile name, the following command would be issued:
</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong></p>
<p>
 The command would print something like:
</p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong></p>
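<p>
 How the key tag and SHA-256 digest in a DS record like the one above are derived from DNSKEY records (key tag per RFC 4034 Appendix B, digest type 2 per RFC 4509), with the KSK-only default and the effect of <code class="option">-A</code>; useful for checking that a DS published at the parent matches the child's DNSKEY. This is an added example, not BIND code: the function names are hypothetical and the sample keys are constructed placeholders.
</p>

```python
import base64, hashlib, struct

# Constructed sample input in `dig dnskey` presentation style; the key
# material is a short placeholder, not a real key.
SAMPLE = """\
; constructed sample, not real keys
example.com. 3600 IN DNSKEY 257 3 8 AQAB
example.com. 3600 IN DNSKEY 256 3 8 AQAC
"""

def wire_name(name):
    # Canonical owner name: lowercase, length-prefixed labels, root terminator.
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    # RFC 4034 Appendix B checksum over the DNSKEY RDATA.
    # (Algorithm 1, RSA/MD5, uses a different rule and is not handled here.)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def parse_dnskeys(text):
    # Yield (owner, flags, algorithm, rdata) for each DNSKEY line; ';' starts a comment.
    for line in text.splitlines():
        f = line.split(";")[0].split()
        if "DNSKEY" not in f:
            continue
        i = f.index("DNSKEY")
        flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
        key = base64.b64decode("".join(f[i + 4:]))
        yield f[0], flags, alg, struct.pack("!HBB", flags, proto, alg) + key

def ds_records(text, include_zsk=False):
    # include_zsk=False mirrors the default (KSK flag required); True mirrors -A.
    out = []
    for owner, flags, alg, rdata in parse_dnskeys(text):
        if not include_zsk and not flags & 0x0001:  # SEP bit marks a KSK
            continue
        digest = hashlib.sha256(wire_name(owner) + rdata).hexdigest().upper()
        out.append(f"{owner} IN DS {key_tag(rdata)} {alg} 2 {digest}")
    return out

if __name__ == "__main__":
    print("\n".join(ds_records(SAMPLE)))
```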
<h2>FILES</h2>
<p>
 The keyfile can be designated by the key identification
 <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
 <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
 <span class="refentrytitle">dnssec-keygen</span>(8).
</p>
<p>
 The keyset file name is built from the <code class="option">directory</code>,
 the string <code class="filename">keyset-</code> and the
</p>
<h2>CAVEAT</h2>
<p>
 A keyfile error can give a "file not found" even if the file exists.
</p>
<h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0b2</p>