1 <!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2                "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3                [<!ENTITY mdash "&#8212;">]>
4 <!--
5  - Copyright (C) 2008-2012, 2014, 2015  Internet Systems Consortium, Inc. ("ISC")
6  -
7  - Permission to use, copy, modify, and/or distribute this software for any
8  - purpose with or without fee is hereby granted, provided that the above
9  - copyright notice and this permission notice appear in all copies.
10  -
11  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13  - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17  - PERFORMANCE OF THIS SOFTWARE.
18 -->
19
20 <refentry id="man.dnssec-dsfromkey">
21   <refentryinfo>
22     <date>May 17, 2012</date>
23   </refentryinfo>
24
25   <refmeta>
26     <refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
27     <manvolnum>8</manvolnum>
28     <refmiscinfo>BIND9</refmiscinfo>
29   </refmeta>
30
31   <refnamediv>
32     <refname><application>dnssec-dsfromkey</application></refname>
33     <refpurpose>DNSSEC DS RR generation tool</refpurpose>
34   </refnamediv>
35
36   <docinfo>
37     <copyright>
38       <year>2008</year>
39       <year>2009</year>
40       <year>2010</year>
41       <year>2011</year>
42       <year>2012</year>
43       <year>2014</year>
44       <year>2015</year>
45       <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
46     </copyright>
47   </docinfo>
48
49   <refsynopsisdiv>
50     <cmdsynopsis>
51       <command>dnssec-dsfromkey</command>
52       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
53       <arg><option>-1</option></arg>
54       <arg><option>-2</option></arg>
55       <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
56       <arg><option>-C</option></arg>
57       <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
58       <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
59       <arg choice="req">keyfile</arg>
60     </cmdsynopsis>
61     <cmdsynopsis>
62       <command>dnssec-dsfromkey</command>
63       <arg choice="req">-s</arg>
64       <arg><option>-1</option></arg>
65       <arg><option>-2</option></arg>
66       <arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
67       <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
68       <arg><option>-l <replaceable class="parameter">domain</replaceable></option></arg>
69       <arg><option>-s</option></arg>
70       <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
71       <arg><option>-T <replaceable class="parameter">TTL</replaceable></option></arg>
72       <arg><option>-f <replaceable class="parameter">file</replaceable></option></arg>
73       <arg><option>-A</option></arg>
74       <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
75       <arg choice="req">dnsname</arg>
76    </cmdsynopsis>
77     <cmdsynopsis>
78       <command>dnssec-dsfromkey</command>
79       <arg><option>-h</option></arg>
80       <arg><option>-V</option></arg>
81    </cmdsynopsis>
82   </refsynopsisdiv>
83
84   <refsect1>
85     <title>DESCRIPTION</title>
86     <para><command>dnssec-dsfromkey</command>
87       outputs the Delegation Signer (DS) resource record (RR), as defined in
88       RFC 3658 and RFC 4509, for the given key(s).
89     </para>
90   </refsect1>
91
92   <refsect1>
93     <title>OPTIONS</title>
94
95     <variablelist>
96       <varlistentry>
97         <term>-1</term>
98         <listitem>
99           <para>
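100             Use SHA-1 as the digest algorithm (the default is to use
101             both SHA-1 and SHA-256).  SHA-1 digests are no longer recommended for new DS records (see RFC 8624); prefer SHA-256 (<option>-2</option>).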
102           </para>
103         </listitem>
104       </varlistentry>
105
106       <varlistentry>
107         <term>-2</term>
108         <listitem>
109           <para>
110             Use SHA-256 as the digest algorithm.
111           </para>
112         </listitem>
113       </varlistentry>
114
115       <varlistentry>
116         <term>-a <replaceable class="parameter">algorithm</replaceable></term>
117         <listitem>
118           <para>
119             Select the digest algorithm. The value of
120             <option>algorithm</option> must be one of SHA-1 (SHA1),
121             SHA-256 (SHA256), GOST or SHA-384 (SHA384).
122             These values are case insensitive.
123           </para>
124         </listitem>
125       </varlistentry>
126
127       <varlistentry>
128         <term>-C</term>
129         <listitem>
130           <para>
131             Generate CDS records rather than DS records.  This is mutually
132             exclusive with generating lookaside records.
133           </para>
134         </listitem>
135       </varlistentry>
136
137       <varlistentry>
138         <term>-T <replaceable class="parameter">TTL</replaceable></term>
139         <listitem>
140           <para>
141             Specifies the TTL of the DS records.
142           </para>
143           </listitem>
144       </varlistentry>
145
146       <varlistentry>
147         <term>-K <replaceable class="parameter">directory</replaceable></term>
148         <listitem>
149           <para>
150             Look for key files (or, in keyset mode,
151             <filename>keyset-</filename> files) in
152             <option>directory</option>.
153           </para>
154         </listitem>
155       </varlistentry>
156
157       <varlistentry>
158         <term>-f <replaceable class="parameter">file</replaceable></term>
159         <listitem>
160           <para>
161             Zone file mode: in place of the keyfile name, the argument is
162             the DNS domain name of a zone master file, which can be read
163             from <option>file</option>.  If the zone name is the same as
164             <option>file</option>, then the zone name argument may be omitted.
165           </para>
166           <para>
167             If <option>file</option> is set to <literal>"-"</literal>, then
168             the zone data is read from the standard input.  This makes it
169             possible to use the output of the <command>dig</command>
170             command as input, as in:
171           </para>
172           <para>
173             <userinput>dig dnskey example.com | dnssec-dsfromkey -f - example.com</userinput>
174           </para>
175         </listitem>
176       </varlistentry>
177
178       <varlistentry>
179         <term>-A</term>
180         <listitem>
181           <para>
182             Include ZSKs when generating DS records.  Without this option,
183             only keys which have the KSK flag set will be converted to DS
184             records and printed.  Useful only in zone file mode. 
185           </para>
186         </listitem>
187       </varlistentry>
188
189       <varlistentry>
190         <term>-l <replaceable class="parameter">domain</replaceable></term>
191         <listitem>
192           <para>
193             Generate a DLV set instead of a DS set.  The specified
194             <option>domain</option> is appended to the name for each
195             record in the set.
196             The DNSSEC Lookaside Validation (DLV) RR is described
197             in RFC 4431.  This is mutually exclusive with generating
198             CDS records.
199           </para>
200         </listitem>
201       </varlistentry>
202
203       <varlistentry>
204         <term>-s</term>
205         <listitem>
206           <para>
207             Keyset mode: in place of the keyfile name, the argument is
208             the DNS domain name of a keyset file.
209           </para>
210         </listitem>
211       </varlistentry>
212
213       <varlistentry>
214         <term>-c <replaceable class="parameter">class</replaceable></term>
215         <listitem>
216           <para>
217             Specifies the DNS class (default is IN).  Useful only
218             in keyset or zone file mode.
219           </para>
220           </listitem>
221       </varlistentry>
222
223       <varlistentry>
224         <term>-v <replaceable class="parameter">level</replaceable></term>
225         <listitem>
226           <para>
227             Sets the debugging level.
228           </para>
229         </listitem>
230       </varlistentry>
231
232       <varlistentry>
233         <term>-h</term>
234         <listitem>
235           <para>
236             Prints usage information.
237           </para>
238         </listitem>
239       </varlistentry>
240
241       <varlistentry>
242         <term>-V</term>
243         <listitem>
244           <para>
245             Prints version information.
246           </para>
247         </listitem>
248       </varlistentry>
249     </variablelist>
250   </refsect1>
251
252   <refsect1>
253     <title>EXAMPLE</title>
254     <para>
255       To build the SHA-256 DS RR from the
256       <userinput>Kexample.com.+003+26160</userinput>
257       keyfile name, the following command would be issued:
258     </para>
259     <para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
260     </para>
261     <para>
262       The command would print something like:
263     </para>
264     <para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
265     </para>
266   </refsect1>
267
268   <refsect1>
269     <title>FILES</title>
270     <para>
271       The keyfile can be designated by the key identification
272       <filename>Knnnn.+aaa+iiiii</filename> or the full file name
273       <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
274       <citerefentry><refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
275     </para>
276     <para>
277       The keyset file name is built from the <option>directory</option>,
278       the string <filename>keyset-</filename> and the
279       <option>dnsname</option>.
280     </para>
281   </refsect1>
282
283   <refsect1>
284     <title>CAVEAT</title>
285     <para>
286       A keyfile error can produce a "file not found" message even if the file exists.
287     </para>
288   </refsect1>
289
290   <refsect1>
291     <title>SEE ALSO</title>
292     <para><citerefentry>
293         <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
294       </citerefentry>,
295       <citerefentry>
296         <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
297       </citerefentry>,
298       <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
299       <citetitle>RFC 3658</citetitle>,
300       <citetitle>RFC 4431</citetitle>,
301       <citetitle>RFC 4509</citetitle>.
302     </para>
303   </refsect1>
304
305   <refsect1>
306     <title>AUTHOR</title>
307     <para><corpauthor>Internet Systems Consortium</corpauthor>
308     </para>
309   </refsect1>
310
311 </refentry><!--
312  - Local variables:
313  - mode: sgml
314  - End:
315 -->