man.dnssec-dsfromkey.html revision 892503bd484c106493e3c8053155b364a522ec03
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-coverage.html" title="dnssec-coverage">
<link rel="next" href="man.dnssec-importkey.html" title="dnssec-importkey">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<a name="id2617346"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
<dt><span class="term">-1</span></dt>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
<dt><span class="term">-2</span></dt>
Use SHA-256 as the digest algorithm.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
Specifies the TTL of the DS records.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span><strong class="command">dig</strong></span>
command as input, as in:
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
<dt><span class="term">-A</span></dt>
Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
<dt><span class="term">-s</span></dt>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, the following command would be issued:
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
The command would print something like:
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
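<p>How the fields of a DS record like the one above (key tag, key algorithm, digest type, digest) are derived from a DNSKEY, and how the digest selection and the KSK-flag filter change the result, as an added Python example. This is not ISC's code: the function names are hypothetical, the four-byte sample keys are constructed, and GOST is left out because the Python standard library does not guarantee a GOST digest.</p>

```python
import base64
import hashlib

# DS digest type number (third field after "DS") for each -a algorithm name.
DIGESTS = {"SHA1": (1, hashlib.sha1), "SHA256": (2, hashlib.sha256),
           "SHA384": (4, hashlib.sha384)}
SEP_FLAG = 0x0001  # the "KSK flag" bit in the DNSKEY flags field (257 = KSK)


def wire_name(name):
    """Owner name in canonical wire form: lowercased, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034 Appendix B; not alg 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF


def ds_from_dnskey(line, algorithms=("SHA1", "SHA256"), include_zsk=False):
    """DS records for one 'owner [TTL] IN DNSKEY flags proto alg base64' line."""
    fields = line.split()
    owner, rest = fields[0], fields[fields.index("DNSKEY") + 1:]
    flags, proto, alg = (int(x) for x in rest[:3])
    if not include_zsk and not flags & SEP_FLAG:
        return []  # default behaviour: only keys with the KSK flag are converted
    rdata = (flags.to_bytes(2, "big") + bytes([proto, alg])
             + base64.b64decode("".join(rest[3:])))
    records = []
    for name in algorithms:
        # Names are matched case-insensitively, with or without the hyphen.
        dtype, hasher = DIGESTS[name.upper().replace("-", "")]
        # The digest covers the owner name followed by the whole DNSKEY RDATA.
        digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
        records.append(f"{owner} IN DS {key_tag(rdata)} {alg} {dtype} {digest}")
    return records


# Constructed sample records (dummy 4-byte key material, not usable keys).
KSK = "example.com. IN DNSKEY 257 3 8 AQIDBA=="
ZSK = "Example.COM. 3600 IN DNSKEY 256 3 8 AQIDBA=="

if __name__ == "__main__":
    for rec in ds_from_dnskey(KSK) + ds_from_dnskey(ZSK, ["sha-256"], True):
        print(rec)
```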
The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
A keyfile error can give a "file not found" even if the file exists.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>