man.dnssec-dsfromkey.html revision c986916269e0d9ca0a31efb62ff5ac06938815db
Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
Copyright (C) 2000-2003 Internet Software Consortium.
Permission to use, copy, modify, and/or distribute this software for any
purpose with or without fee is hereby granted, provided that the above
copyright notice and this permission notice appear in all copies.
THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
PERFORMANCE OF THIS SOFTWARE.
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).</p>
<dt><span class="term">-1</span></dt>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
<dt><span class="term">-2</span></dt>
Use SHA-256 as the digest algorithm.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
Specifies the TTL of the DS records.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Look for key files (or, in keyset mode,
<code class="filename">keyset-</code> files) in
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span><strong class="command">dig</strong></span>
command as input, as in:
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
<dt><span class="term">-A</span></dt>
Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
<dt><span class="term">-s</span></dt>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, the following command would be issued:
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong></p>
The command would print something like:
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong></p>
The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
A keyfile error can give a "file not found" even if the file exists.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span></p>