.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. highlight: console

.. iscman:: dnssec-dsfromkey
.. program:: dnssec-dsfromkey
.. _man_dnssec-dsfromkey:

dnssec-dsfromkey - DNSSEC DS RR generation tool
-----------------------------------------------

Synopsis
~~~~~~~~

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}

:program:`dnssec-dsfromkey` [ **-h** | **-V** ]

Description
~~~~~~~~~~~

The :program:`dnssec-dsfromkey` command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the :option:`-C` option.

By default, only KSKs are converted (keys with flags = 257). The
:option:`-A` option includes ZSKs (flags = 256). Revoked keys are never
included.

The input keys can be specified in a number of ways:

By default, :program:`dnssec-dsfromkey` reads a key file named in the format
``Knnnn.+aaa+iiiii.key``, as generated by :iscman:`dnssec-keygen`.

With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` reads keys from a zone
file or partial zone file (which can contain just the DNSKEY records).

With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a ``keyset-`` file,
as generated by :iscman:`dnssec-keygen` :option:`-C`.

Options
~~~~~~~

.. option:: -1

   This option is an abbreviation for :option:`-a SHA1 <-a>`.

.. option:: -2

   This option is an abbreviation for :option:`-a SHA-256 <-a>`.

.. option:: -a algorithm

   This option specifies a digest algorithm to use when converting DNSKEY records to
   DS records. This option can be repeated, so that multiple DS records
   are created for each DNSKEY record.

   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
   are case-insensitive, and the hyphen may be omitted. If no algorithm
   is specified, the default is SHA-256.

.. option:: -A

   This option indicates that ZSKs are to be included when generating DS records. Without this option, only
   keys which have the KSK flag set are converted to DS records and
   printed. This option is only useful in :option:`-f` zone file mode.

.. option:: -c class

   This option specifies the DNS class; the default is IN. This option is only useful in :option:`-s` keyset
   or :option:`-f` zone file mode.

.. option:: -C

   This option generates CDS records rather than DS records.

.. option:: -f file

   This option sets zone file mode, in which the final dnsname argument of :program:`dnssec-dsfromkey` is the
   DNS domain name of a zone whose master file can be read from
   ``file``. If the zone name is the same as ``file``, then it may be
   omitted.

   If ``file`` is ``-``, then the zone data is read from the standard
   input. This makes it possible to use the output of the :iscman:`dig`
   command as input, as in:

   ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``

.. option:: -h

   This option prints usage information.

.. option:: -K directory

   This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.

.. option:: -s

   This option enables keyset mode, in which the final dnsname argument from :program:`dnssec-dsfromkey` is the DNS
   domain name used to locate a ``keyset-`` file.

.. option:: -T TTL

   This option specifies the TTL of the DS records. By default the TTL is omitted.

.. option:: -v level

   This option sets the debugging level.

.. option:: -V

   This option prints version information.

Example
~~~~~~~

To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile,
issue the following command:

``dnssec-dsfromkey -2 Kexample.com.+003+26160``

The command returns something similar to:

``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``

Files
~~~~~

The keyfile can be designated by the key identification
``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
generated by :iscman:`dnssec-keygen`.

The keyset file name is built from the ``directory``, the string
``keyset-``, and the ``dnsname``.

Caveat
~~~~~~

A keyfile error may return "file not found," even if the file exists.

See Also
~~~~~~~~

:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).
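The following Python script is an added illustration of what the Description, the :option:`-a`, :option:`-A`, :option:`-C` and :option:`-f` options, and the Example section above describe; it is not BIND 9 code and does not call :program:`dnssec-dsfromkey`. It reproduces the DS construction from :rfc:`4034` (digest over the canonical owner name followed by the DNSKEY RDATA, key tag from Appendix B) for the three digest types the tool accepts, applies the same key selection rules (KSKs only unless ZSKs are requested, revoked keys never), and adds a check that a DS published at a parent still matches a key in the child's DNSKEY RRset. The DNSKEY RRset it works on is constructed inline from placeholder bytes and is not real key material; the function names are this example's own.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605); the -a names accepted by the tool map onto them.
DIGEST_TYPES = {"SHA-1": (1, hashlib.sha1), "SHA-256": (2, hashlib.sha256), "SHA-384": (4, hashlib.sha384)}
DIGEST_NAMES = {num: name for name, (num, _) in DIGEST_TYPES.items()}


def normalize_alg(name):
    """Apply the -a spelling rules: case-insensitive, hyphen optional (sha1, SHA-256, Sha384)."""
    wanted = name.upper().replace("-", "")
    for key in DIGEST_TYPES:
        if key.replace("-", "") == wanted:
            return key
    raise ValueError(f"unsupported digest algorithm: {name}")


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B, all algorithms except 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, digest_alg="SHA-256", rrtype="DS"):
    """DS (or CDS, as with -C) in presentation form: digest = H(canonical owner name || DNSKEY RDATA)."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    dtype, hash_fn = DIGEST_TYPES[normalize_alg(digest_alg)]
    digest = hash_fn(name_to_wire(owner) + rdata).hexdigest().upper()
    return f"{owner} IN {rrtype} {key_tag(rdata)} {algorithm} {dtype} {digest}"


def parse_dnskey_line(line):
    """Parse one presentation-format DNSKEY RR ('owner [TTL] [IN] DNSKEY flags proto alg base64...')."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(f) for f in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))  # base64 may be split over several tokens
    return fields[0], flags, protocol, algorithm, pubkey


def ds_records_from_zone_text(text, digest_algs=("SHA-256",), include_zsk=False, cds=False):
    """Zone-file mode (-f): KSKs only unless include_zsk (-A); revoked keys are always skipped."""
    records = []
    for line in text.splitlines():
        if line.lstrip().startswith(";") or " DNSKEY " not in line:
            continue
        owner, flags, protocol, algorithm, pubkey = parse_dnskey_line(line)
        if flags & 0x0080:  # REVOKE bit (RFC 5011) set: never converted
            continue
        if not (flags & 0x0001) and not include_zsk:  # SEP bit clear means ZSK; needs -A
            continue
        for alg in digest_algs:
            records.append(ds_from_dnskey(owner, flags, protocol, algorithm, pubkey, alg, "CDS" if cds else "DS"))
    return records


def ds_is_backed_by_dnskey(ds_line, zone_text):
    """Defensive check: does a DS published at the parent match a live key in the child's DNSKEY RRset?"""
    fields = ds_line.split()
    idx = fields.index("DS")
    alg_name = DIGEST_NAMES[int(fields[idx + 3])]
    wanted = " ".join([fields[0], "IN", "DS", *fields[idx + 1:idx + 4], "".join(fields[idx + 4:]).upper()])
    return wanted in ds_records_from_zone_text(zone_text, (alg_name,), include_zsk=True)


def _b64(raw):
    return base64.b64encode(raw).decode()


# Constructed sample DNSKEY RRset in the shape `dig dnskey example.com` prints; the key material is
# placeholder bytes, not real keys. Flags: 257 = KSK, 256 = ZSK, 385 = KSK with the REVOKE bit set.
SAMPLE_ZONE = "\n".join([
    "; constructed sample, not real DNS data",
    f"example.com. 3600 IN DNSKEY 257 3 13 {_b64(bytes(range(64)))}",
    f"example.com. 3600 IN DNSKEY 256 3 13 {_b64(bytes([0x55] * 64))}",
    f"example.com. 3600 IN DNSKEY 385 3 13 {_b64(bytes([0xAA] * 64))}",
])

if __name__ == "__main__":
    # Equivalent of: dig dnskey example.com | dnssec-dsfromkey -2 -a SHA-384 -f - example.com
    for rr in ds_records_from_zone_text(SAMPLE_ZONE, ("SHA-256", "SHA-384")):
        print(rr)
```

Run as a script it prints one SHA-256 and one SHA-384 DS for the KSK only; the ZSK needs ``include_zsk=True`` (the tool's :option:`-A`) and the revoked key is dropped in every mode. ``ds_is_backed_by_dnskey`` is the check worth scripting after a key rollover: feed it the DS currently served by the parent and the child's live DNSKEY RRset, and a ``False`` result means the delegation would fail validation.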