<!--
 - Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- Id -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-dsfromkey</span> — DNSSEC DS RR generation tool</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] {keyfile}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> {-s} [<code class="option">-1</code>] [<code class="option">-2</code>] [<code class="option">-a <em class="replaceable"><code>alg</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-l <em class="replaceable"><code>domain</code></em></code>] [<code class="option">-s</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>] [<code class="option">-f <em class="replaceable"><code>file</code></em></code>] [<code class="option">-A</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {dnsname}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-dsfromkey</code> [<code class="option">-h</code>] [<code class="option">-V</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543514"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-dsfromkey</strong></span>
    outputs the Delegation Signer (DS) resource record (RR), as defined in
    RFC 3658 and RFC 4509, for the given key(s).
  </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543526"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-1</span></dt>
<dd><p>
    Use SHA-1 as the digest algorithm (the default is to use
    both SHA-1 and SHA-256).
  </p></dd>
<dt><span class="term">-2</span></dt>
<dd><p>
    Use SHA-256 as the digest algorithm.
  </p></dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd><p>
    Select the digest algorithm. The value of
    <code class="option">algorithm</code> must be one of SHA-1 (SHA1),
    SHA-256 (SHA256), GOST or SHA-384 (SHA384).
    These values are case insensitive.
  </p></dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd><p>
    Specifies the TTL of the DS records.
  </p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
    Look for key files (or, in keyset mode,
    <code class="filename">keyset-</code> files) in
    <code class="option">directory</code>.
  </p></dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
    Zone file mode: in place of the keyfile name, the argument is
    the DNS domain name of a zone master file, which can be read
    from <code class="option">file</code>. If the zone name is the same as
    <code class="option">file</code>, then it may be omitted.
  </p>
<p>
    If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
    the zone data is read from the standard input. This makes it
    possible to use the output of the <span><strong class="command">dig</strong></span>
    command as input, as in:
  </p>
<p>
    <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
  </p>
</dd>
<dt><span class="term">-A</span></dt>
<dd><p>
    Include ZSKs when generating DS records. Without this option,
    only keys which have the KSK flag set will be converted to DS
    records and printed. Useful only in zone file mode.
  </p></dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd><p>
    Generate a DLV set instead of a DS set. The specified
    <code class="option">domain</code> is appended to the name for each
    record in the set.
    The DNSSEC Lookaside Validation (DLV) RR is described
    in RFC 4431.
  </p></dd>
<dt><span class="term">-s</span></dt>
<dd><p>
    Keyset mode: in place of the keyfile name, the argument is
    the DNS domain name of a keyset file.
  </p></dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd><p>
    Specifies the DNS class (default is IN). Useful only
    in keyset or zone file mode.
  </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
    Sets the debugging level.
  </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
    Prints usage information.
  </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
    Prints version information.
  </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543780"></a><h2>EXAMPLE</h2>
<p>
    To build the SHA-256 DS RR from the
    <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
    keyfile name, the following command would be issued:
  </p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
  </p>
<p>
    The command would print something like:
  </p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94</code></strong>
  </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543810"></a><h2>FILES</h2>
<p>
    The keyfile can be designated by the key identification
    <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
    <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
    <span class="refentrytitle">dnssec-keygen</span>(8).
  </p>
<p>
    The keyset file name is built from the <code class="option">directory</code>,
    the string <code class="filename">keyset-</code> and the
    <code class="option">dnsname</code>.
  </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543845"></a><h2>CAVEAT</h2>
<p>
    A keyfile error can give a "file not found" even if the file exists.
  </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543854"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
    <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
    <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
    <em class="citetitle">RFC 3658</em>,
    <em class="citetitle">RFC 4431</em>,
    <em class="citetitle">RFC 4509</em>.
  </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543894"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
  </p>
</div>
</div></body>
</html>
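What the SHA-256 DS line in the EXAMPLE section contains, as an added Python example (not ISC's code and not part of the original page): the digest is taken over the owner name in wire form followed by the DNSKEY RDATA (RFC 4034 section 5.1.4, digest type 2 from RFC 4509), and keys without the KSK flag are skipped unless the equivalent of -A is requested. It assumes one DNSKEY record per line, as dig prints them; name_to_wire, key_tag, ds_from_dnskeys and SAMPLE are names chosen here, and the sample keys are constructed.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskeys(zone_text, include_zsk=False):
    """Build SHA-256 (digest type 2) DS lines from one-record-per-line DNSKEYs."""
    out = []
    for line in zone_text.splitlines():
        # Dropping ';' comments also drops the question line in dig output.
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields[1:]:
            continue
        i = fields.index("DNSKEY", 1)
        owner = fields[0]
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        # KSK flag (SEP bit, 0x0001) clear means a ZSK: skipped unless -A is emulated.
        if not (flags & 0x0001) and not include_zsk:
            continue
        pubkey = base64.b64decode("".join(fields[i + 4:]))
        rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
        digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
        out.append(f"{owner.lower()} IN DS {key_tag(rdata)} {alg} 2 {digest}")
    return out

# Constructed sample input (toy public keys, not real zone data).
SAMPLE = """\
;example.com.            IN  DNSKEY
Example.COM.  3600  IN  DNSKEY  257 3 8 AQAB
example.com.  3600  IN  DNSKEY  256 3 8 AQID
"""

if __name__ == "__main__":
    for rr in ds_from_dnskeys(SAMPLE):
        print(rr)
```

Comparing this output with the DS set the parent zone publishes shows whether the delegation still points at a key the child zone actually serves.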