<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
[<!ENTITY mdash "—">]>
- Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
- Permission to use, copy, modify, and/or distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-dsfromkey.docbook,v 1.6 2008/11/07 13:54:11 jreed Exp $ -->
<refentry id="man.dnssec-dsfromkey">
<date>November 29, 2008</date>
<refentrytitle><application>dnssec-dsfromkey</application></refentrytitle>
<manvolnum>8</manvolnum>
<refmiscinfo>BIND9</refmiscinfo>
<refname><application>dnssec-dsfromkey</application></refname>
<refpurpose>DNSSEC DS RR generation tool</refpurpose>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
<command>dnssec-dsfromkey</command>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg choice="req">keyfile</arg>
<command>dnssec-dsfromkey</command>
<arg choice="req">-s</arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-1</option></arg>
<arg><option>-2</option></arg>
<arg><option>-a <replaceable class="parameter">alg</replaceable></option></arg>
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-d <replaceable class="parameter">dir</replaceable></option></arg>
<arg choice="req">dnsname</arg>
<title>DESCRIPTION</title>
<para><command>dnssec-dsfromkey</command>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
<title>OPTIONS</title>
Use SHA-1 as the digest algorithm (the default is to use
both SHA-1 and SHA-256).
Use SHA-256 as the digest algorithm.
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
Select the digest algorithm. The value of
<option>algorithm</option> must be one of SHA-1 (SHA1) or
SHA-256 (SHA256). These values are case insensitive.
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
Keyset mode: in place of the keyfile name, the argument is
the DNS domain name of a keyset file. Following options make sense
<term>-c <replaceable class="parameter">class</replaceable></term>
Specifies the DNS class (default is IN), useful only
<term>-d <replaceable class="parameter">directory</replaceable></term>
Look for <filename>keyset</filename> files in
<option>directory</option>. This option is ignored when
not in keyset mode.
<title>EXAMPLE</title>
To build the SHA-256 DS RR from the
<userinput>Kexample.com.+003+26160</userinput>
keyfile name, the following command would be issued:
<para><userinput>dnssec-dsfromkey -2 Kexample.com.+003+26160</userinput>
The command would print something like:
<para><userinput>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</userinput>
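<para>Added example, not part of the original manual page or of BIND: a Python implementation of how a DS record is derived from a DNSKEY record (key tag per RFC 4034 Appendix B, digest over the canonical owner name followed by the DNSKEY RDATA), which can be used to check that a DS published in a parent zone matches a key. The function names and the sample record are assumptions made for this example; the sample is a constructed toy key, and the input is assumed to be a DNSKEY record in zone-file presentation format.</para>

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types 1 and 2

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def parse_dnskey(line):
    """Parse 'owner [ttl] [class] DNSKEY flags proto alg base64...'."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return fields[0], alg, struct.pack("!HBB", flags, proto, alg) + key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    acc = sum(b if i % 2 else b * 256 for i, b in enumerate(rdata))
    acc += (acc // 65536) % 65536
    return acc % 65536

def ds_from_dnskey(line, digest_type=2):
    """Return (key_tag, algorithm, digest_type, HEX digest) for a DNSKEY line."""
    owner, alg, rdata = parse_dnskey(line)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), alg, digest_type, digest

def ds_matches(ds_line, dnskey_line):
    """True if a published DS record was derived from the given DNSKEY."""
    fields = ds_line.split()
    i = fields.index("DS")
    tag, alg, dtype = (int(x) for x in fields[i + 1:i + 4])
    if dtype not in DIGESTS:
        return False  # unknown digest type: cannot be verified here
    published = "".join(fields[i + 4:]).upper()  # digest may be split by spaces
    return ds_from_dnskey(dnskey_line, dtype) == (tag, alg, dtype, published)

# Constructed sample: a toy 3-byte "key", not a real DNSSEC key.
SAMPLE_DNSKEY = "example.com. IN DNSKEY 257 3 8 AQAB"

if __name__ == "__main__":
    for dtype in (1, 2):  # SHA-1 and SHA-256, the two digests named on this page
        tag, alg, dt, digest = ds_from_dnskey(SAMPLE_DNSKEY, dtype)
        print(f"example.com. IN DS {tag} {alg} {dt} {digest}")
```

<para>Because the owner name is lowercased before hashing, the same key yields the same digest however the name is capitalized, and <literal>ds_matches</literal> accepts a digest printed with embedded spaces, as in the sample output above.</para>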
The keyfile can be designated by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
<filename>Knnnn.+aaa+iiiii.key</filename> as generated by
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
The keyset file name is built from the <option>directory</option>,
the string <filename>keyset-</filename> and the
<option>dnsname</option>.
<title>CAVEAT</title>
A keyfile error can give a "file not found" even if the file exists.
<title>SEE ALSO</title>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 3658</citetitle>,
<citetitle>RFC 4509</citetitle>.
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>