1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3 [<!ENTITY mdash "—">]>
5 - Copyright (C) 2008-2012, 2014, 2015 Internet Systems Consortium, Inc. ("ISC")
7 - Permission to use, copy, modify, and/or distribute this software for any
8 - purpose with or without fee is hereby granted, provided that the above
9 - copyright notice and this permission notice appear in all copies.
11 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 - PERFORMANCE OF THIS SOFTWARE.
20 <refentry id="man.dnssec-dsfromkey">
22 <date>May 17, 2012</date>
26 <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
27 <manvolnum>8</manvolnum>
28 <refmiscinfo>BIND9</refmiscinfo>
32 <refname><application>dnssec-dsfromkey</application></refname>
33 <refpurpose>DNSSEC DS RR generation tool</refpurpose>
45 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
51 <command>dnssec-dsfromkey</command>
52 <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
53 <arg><option>-1</option></arg>
54 <arg><option>-2</option></arg>
55 <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
56 <arg><option>-C</option></arg>
57 <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
58 <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
59 <arg choice="req">keyfile</arg>
62 <command>dnssec-dsfromkey</command>
63 <arg choice="req">-s</arg>
64 <arg><option>-1</option></arg>
65 <arg><option>-2</option></arg>
66 <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
67 <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
68 <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
69 <arg><option>-s</option></arg>
70 <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
71 <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
72 <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
73 <arg><option>-A</option></arg>
74 <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
75 <arg choice="req">dnsname</arg>
78 <command>dnssec-dsfromkey</command>
79 <arg><option>-h</option></arg>
80 <arg><option>-V</option></arg>
85 <title>DESCRIPTION</title>
86 <para><command>dnssec-dsfromkey</command>
87 outputs the Delegation Signer (DS) resource record (RR), as defined in
88 RFC 3658 and RFC 4509, for the given key(s).
93 <title>OPTIONS</title>
100 Use SHA-1 as the digest algorithm (the default is to use
101 both SHA-1 and SHA-256).
110 Use SHA-256 as the digest algorithm.
116 <term>-a <replaceable class="parameter">algorithm</replaceable></term>
119 Select the digest algorithm. The value of
120 <option>algorithm</option> must be one of SHA-1 (SHA1),
121 SHA-256 (SHA256), GOST or SHA-384 (SHA384).
122 These values are case insensitive.
131 Generate CDS records rather than DS records. This is mutually
132 exclusive with generating lookaside records.
138 <term>-T <replaceable class="parameter">TTL</replaceable></term>
141 Specifies the TTL of the DS records.
147 <term>-K <replaceable class="parameter">directory</replaceable></term>
150 Look for key files (or, in keyset mode,
151 <filename>keyset-</filename> files) in
152 <option>directory</option>.
158 <term>-f <replaceable class="parameter">file</replaceable></term>
161 Zone file mode: in place of the keyfile name, the argument is
162 the DNS domain name of a zone master file, which can be read
163 from <option>file</option>. If the zone name is the same as
164 <option>file</option>, then it may be omitted.
167 If <option>file</option> is set to <literal>"-"</literal>, then
168 the zone data is read from the standard input. This makes it
169 possible to use the output of the <command>dig</command>
170 command as input, as in:
173 <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
182 Include ZSK's when generating DS records. Without this option,
183 only keys which have the KSK flag set will be converted to DS
184 records and printed. Useful only in zone file mode.
190 <term>-l <replaceable class="parameter">domain</replaceable></term>
193 Generate a DLV set instead of a DS set. The specified
194 <option>domain</option> is appended to the name for each
196 The DNSSEC Lookaside Validation (DLV) RR is described
197 in RFC 4431. This is mutually exclusive with generating
207 Keyset mode: in place of the keyfile name, the argument is
208 the DNS domain name of a keyset file.
214 <term>-c <replaceable class="parameter">class</replaceable></term>
217 Specifies the DNS class (default is IN). Useful only
218 in keyset or zone file mode.
224 <term>-v <replaceable class="parameter">level</replaceable></term>
227 Sets the debugging level.
236 Prints usage information.
245 Prints version information.
253 <title>EXAMPLE</title>
255 To build the SHA-256 DS RR from the
256 <userinput>Kexample.com.+003+26160</userinput>
257 keyfile name, the following command would be issued:
259 <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
262 The command would print something like:
264 <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
271 The keyfile can be designed by the key identification
272 <filename>Knnnn.+aaa+iiiii</filename> or the full file name
273 <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
274 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
277 The keyset file name is built from the <option>directory</option>,
278 the string <filename>keyset-</filename> and the
279 <option>dnsname</option>.
284 <title>CAVEAT</title>
286 A keyfile error can give a "file not found" even if the file exists.
291 <title>SEE ALSO</title>
293 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
296 <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
298 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
299 <citetitle>RFC 3658</citetitle>,
300 <citetitle>RFC 4431</citetitle>.
301 <citetitle>RFC 4509</citetitle>.
306 <title>AUTHOR</title>
307 <para><corpauthor>Internet Systems Consortium</corpauthor>