doc/arm/man.dnssec-dsfromkey.html

	man.dnssec-dsfromkey.html revision b397f922936e9f73aa8c3ea40be3ad74285dacaa
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<!--
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - Copyright (C) 2000-2003 Internet Software Consortium.
381a2a9a387f449fab7d0c7e97c4184c26963abfdr -
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - Permission to use, copy, modify, and/or distribute this software for any
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - purpose with or without fee is hereby granted, provided that the above
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - copyright notice and this permission notice appear in all copies.
381a2a9a387f449fab7d0c7e97c4184c26963abfdr -
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
381a2a9a387f449fab7d0c7e97c4184c26963abfdr - PERFORMANCE OF THIS SOFTWARE.
381a2a9a387f449fab7d0c7e97c4184c26963abfdr-->
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<!-- $Id$ -->
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<html>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<head>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<title>dnssec-dsfromkey</title>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<link rel="prev" href="man.host.html" title="host">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<link rel="next" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr</head>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<div class="navheader">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<table width="100%" summary="Navigation header">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<tr><th colspan="3" align="center"><span class="application">dnssec-dsfromkey</span></th></tr>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<tr>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<td width="20%" align="left">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<a accesskey="p" href="man.host.html">Prev</a>�</td>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<th width="60%" align="center">Manual pages</th>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr</td>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr</tr>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr</table>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<hr>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr</div>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<div class="refentry" lang="en">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<div class="refnamediv">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<h2>Name</h2>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<p><span class="application">dnssec-dsfromkey</span> &#8212; DNSSEC DS RR generation tool</p>
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed</div>
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed<div class="refsynopsisdiv">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<h2>Synopsis</h2>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code>  {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr</div>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<div class="refsect1" lang="en">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<a name="id2612548"></a><h2>DESCRIPTION</h2>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<p><span><strong class="command">dnssec-dsfromkey</strong></span>
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed      outputs the Delegation Signer (DS) resource record (RR), as defined in
381a2a9a387f449fab7d0c7e97c4184c26963abfdr      RFC 3658 and RFC 4509, for the given key(s).
381a2a9a387f449fab7d0c7e97c4184c26963abfdr    </p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr</div>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<div class="refsect1" lang="en">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<a name="id2612562"></a><h2>OPTIONS</h2>
1b47e080b07ee427f2239a6564769802c9e5ac99dr<div class="variablelist"><dl>
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed<dt><span class="term">-1</span></dt>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<dd><p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            Use SHA-1 as the digest algorithm (the default is to use
1b47e080b07ee427f2239a6564769802c9e5ac99dr            both SHA-1 and SHA-256).
1b47e080b07ee427f2239a6564769802c9e5ac99dr          </p></dd>
1b47e080b07ee427f2239a6564769802c9e5ac99dr<dt><span class="term">-2</span></dt>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<dd><p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            Use SHA-256 as the digest algorithm.
381a2a9a387f449fab7d0c7e97c4184c26963abfdr          </p></dd>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<dd><p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            Select the digest algorithm. The value of
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            SHA-256 (SHA256), GOST or SHA-384 (SHA384).
b127ac411761a3d8d642d9342d9cac2785e1faaaPhilip Kirk            These values are case insensitive.
b127ac411761a3d8d642d9342d9cac2785e1faaaPhilip Kirk          </p></dd>
b127ac411761a3d8d642d9342d9cac2785e1faaaPhilip Kirk<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<dd><p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            Specifies the TTL of the DS records.
381a2a9a387f449fab7d0c7e97c4184c26963abfdr          </p></dd>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<dd><p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            Look for key files (or, in keyset mode,
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            <code class="filename">keyset-</code> files) in
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            <code class="option">directory</code>.
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed          </p></dd>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<dd>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            Zone file mode: in place of the keyfile name, the argument is
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            the DNS domain name of a zone master file, which can be read
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            from <code class="option">file</code>.  If the zone name is the same as
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            <code class="option">file</code>, then it may be omitted.
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed          </p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            the zone data is read from the standard input.  This makes it
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            possible to use the output of the <span><strong class="command">dig</strong></span>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr            command as input, as in:
381a2a9a387f449fab7d0c7e97c4184c26963abfdr          </p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<p>
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed            <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed          </p>
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed</dd>
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed<dt><span class="term">-A</span></dt>
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed<dd><p>
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed            Include ZSK's when generating DS records.  Without this option,
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed            only keys which have the KSK flag set will be converted to DS
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed            records and printed.  Useful only in zone file mode.
7ddc9b1afd18f260b9fb78ec7732facd91769131Darren Reed          </p></dd>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<dd><p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed            Generate a DLV set instead of a DS set.  The specified
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed            <code class="option">domain</code> is appended to the name for each
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed            record in the set.
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed            The DNSSEC Lookaside Validation (DLV) RR is described
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed            in RFC 4431.
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed          </p></dd>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<dt><span class="term">-s</span></dt>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<dd><p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed            Keyset mode: in place of the keyfile name, the argument is
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed            the DNS domain name of a keyset file.
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed          </p></dd>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<dd><p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed            Specifies the DNS class (default is IN).  Useful only
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed            in keyset or zone file mode.
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed          </p></dd>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<dd><p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed            Sets the debugging level.
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed          </p></dd>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed</dl></div>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed</div>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<div class="refsect1" lang="en">
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<a name="id2613547"></a><h2>EXAMPLE</h2>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      To build the SHA-256 DS RR from the
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      keyfile name, the following command would be issued:
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed    </p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed    </p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      The command would print something like:
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed    </p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed    </p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed</div>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<div class="refsect1" lang="en">
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<a name="id2613584"></a><h2>FILES</h2>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      The keyfile can be designed by the key identification
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      <span class="refentrytitle">dnssec-keygen</span>(8).
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed    </p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed<p>
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      The keyset file name is built from the <code class="option">directory</code>,
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      the string <code class="filename">keyset-</code> and the
0a0e9771ca0211c15f3ac4466b661c145feeb9e4Darren Reed      <code class="option">dnsname</code>.
381a2a9a387f449fab7d0c7e97c4184c26963abfdr    </p>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr</div>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<div class="refsect1" lang="en">
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<a name="id2613625"></a><h2>CAVEAT</h2>
381a2a9a387f449fab7d0c7e97c4184c26963abfdr<p>
      A keyfile error can give a "file not found" even if the file exists.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2613635"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 3658</em>,
      <em class="citetitle">RFC 4431</em>.
      <em class="citetitle">RFC 4509</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2613674"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.host.html">Prev</a>�</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-keyfromlabel.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">host�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�<span class="application">dnssec-keyfromlabel</span>
</td>
</tr>
</table>
</div>
</body>
</html>