man.dnssec-dsfromkey.html revision dba3c818ae00b10388d31703e86a28415db398ac
 - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
<dt><span class="term">-1</span></dt>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
<dt><span class="term">-2</span></dt>
Use SHA-256 as the digest algorithm.
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
Select the digest algorithm. The value of
<code class="option">algorithm</code> must be one of SHA-1 (SHA1),
SHA-256 (SHA256), GOST or SHA-384 (SHA384).
These values are case insensitive.
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
Specifies the TTL of the DS records.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Look for key files (or, in keyset mode,
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
Zone file mode: in place of the keyfile name, the argument is
the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span><strong class="command">dig</strong></span>
command as input, as in:
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
<dt><span class="term">-A</span></dt>
Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
records and printed. Useful only in zone file mode.
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
Generate a DLV set instead of a DS set. The specified
<code class="option">domain</code> is appended to the name for each
record in the set.
The DNSSEC Lookaside Validation (DLV) RR is described
in RFC 4431.
<dt><span class="term">-s</span></dt>
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file.
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
Specifies the DNS class (default is IN). Useful only
in keyset or zone file mode.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, the following command would be issued:
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
The command would print something like:
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
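How a DS line of the form printed above is derived from a DNSKEY RR, as an added example (not part of the BIND manual or ISC's code): the digest covers the owner name in canonical wire form followed by the DNSKEY RDATA, and the key tag follows RFC 4034 Appendix B. The function names and the sample zone text are this example's own constructions; keys without the KSK flag are skipped unless `include_zsk` is set, which mirrors the `-A` option.

```python
import base64, hashlib, struct

# DS digest type numbers -> hashlib names (GOST, type 3, is not in hashlib).
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}
KSK_FLAG = 0x0001  # SEP bit: the "KSK flag" that the -A description refers to

def name_to_wire(name):
    """Canonical (lowercased) wire form of an owner name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, b64key):
    """DNSKEY RDATA: flags (16 bit), protocol, algorithm, public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(b64key)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (all algorithms except 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(owner, flags, protocol, algorithm, b64key, digest_type=2):
    """One DS line: digest over owner wire name followed by DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, protocol, algorithm, b64key)
    digest = hashlib.new(DIGESTS[digest_type], name_to_wire(owner) + rdata)
    return "%s IN DS %d %d %d %s" % (owner.lower(), key_tag(rdata), algorithm,
                                     digest_type, digest.hexdigest().upper())

def ds_from_zone_text(text, digest_type=2, include_zsk=False):
    """DS lines for the DNSKEY RRs found in dig-style text."""
    out = []
    for line in text.splitlines():
        f = line.split(";")[0].split()   # drop dig's ';' comment lines
        if "DNSKEY" not in f:
            continue
        i = f.index("DNSKEY")
        flags, proto, alg = int(f[i + 1]), int(f[i + 2]), int(f[i + 3])
        if flags & KSK_FLAG or include_zsk:
            out.append(ds_record(f[0], flags, proto, alg, "".join(f[i + 4:]), digest_type))
    return out

# Constructed sample input (toy 8-byte key material, not real keys).
SAMPLE = """\
example.com. 3600 IN DNSKEY 257 3 8 AQIDBAUGBwg=
example.com. 3600 IN DNSKEY 256 3 8 CAcGBQQDAgE=
"""

if __name__ == "__main__":
    print("\n".join(ds_from_zone_text(SAMPLE)))
```

Comparing a DS line computed this way with the DS set the parent zone publishes is a quick check that the delegation still matches the child's current KSK.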
The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
A keyfile error can give a "file not found" even if the file exists.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>