xref: /netbsd-src/external/mpl/bind/dist/bin/dnssec/dnssec-dsfromkey.rst (revision 4b004442778f1201b2161e87fd65ba87aae6601a)
.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. highlight: console

.. _man_dnssec-dsfromkey:

dnssec-dsfromkey - DNSSEC DS RR generation tool
-----------------------------------------------

Synopsis
~~~~~~~~

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}

:program:`dnssec-dsfromkey` [ **-h** | **-V** ]

Description
~~~~~~~~~~~

The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the ``-C`` option.

By default, only KSKs are converted (keys with flags = 257).  The
``-A`` option includes ZSKs (flags = 256).  Revoked keys are never
included.

The input keys can be specified in a number of ways:

By default, ``dnssec-dsfromkey`` reads a key file named in the format
``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.

With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
file or partial zone file (which can contain just the DNSKEY records).

With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
as generated by ``dnssec-keygen`` ``-C``.

Options
~~~~~~~

``-1``
   This option is an abbreviation for ``-a SHA1``.

``-2``
   This option is an abbreviation for ``-a SHA-256``.

``-a algorithm``
   This option specifies a digest algorithm to use when converting DNSKEY records to
   DS records. This option can be repeated, so that multiple DS records
   are created for each DNSKEY record.

   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
   are case-insensitive, and the hyphen may be omitted. If no algorithm
   is specified, the default is SHA-256.

``-A``
   This option indicates that ZSKs are to be included when generating DS records. Without this option, only
   keys which have the KSK flag set are converted to DS records and
   printed. This option is only useful in ``-f`` zone file mode.

``-c class``
   This option specifies the DNS class; the default is IN. This option is only useful in ``-s`` keyset
   or ``-f`` zone file mode.

``-C``
   This option generates CDS records rather than DS records.

``-f file``
   This option sets zone file mode, in which the final dnsname argument of ``dnssec-dsfromkey`` is the
   DNS domain name of a zone whose master file can be read from
   ``file``. If the zone name is the same as ``file``, then it may be
   omitted.

   If ``file`` is ``-``, then the zone data is read from the standard
   input. This makes it possible to use the output of the ``dig``
   command as input, as in:

   ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``

``-h``
   This option prints usage information.

``-K directory``
   This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.

``-s``
   This option enables keyset mode, in which the final dnsname argument from ``dnssec-dsfromkey`` is the DNS
   domain name used to locate a ``keyset-`` file.

``-T TTL``
   This option specifies the TTL of the DS records. By default the TTL is omitted.

``-v level``
   This option sets the debugging level.

``-V``
   This option prints version information.

Example
~~~~~~~

To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile,
issue the following command:

``dnssec-dsfromkey -2 Kexample.com.+003+26160``

The command returns something similar to:

``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
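
The following Python script is an added illustration (it is not part of the BIND 9 sources or of this manual) of what ``dnssec-dsfromkey`` computes in ``-f`` zone file mode: for each DNSKEY RR it builds the RDATA, derives the key tag (RFC 4034 Appendix B), hashes the canonical owner name followed by the RDATA with the chosen digest algorithm, and prints a DS or CDS line. It applies the same selection rules described above (revoked keys never converted, ZSKs only with ``-A``, optional TTL with ``-T``, CDS with ``-C``). The DNSKEY records in ``SAMPLE_ZONE`` are constructed and use a placeholder 64-byte key, so the resulting digests belong to no real zone; ``ds_records`` and the other function names are this example's own.

```python
"""Compute DS/CDS records from DNSKEY RRs the way dnssec-dsfromkey does.

Added illustration, not code from BIND 9.  The sample DNSKEY records at the
bottom are constructed with a toy public key, so the digests match no real zone.
"""
import base64
import hashlib

# DS digest type numbers: SHA-1 (RFC 4034), SHA-256 (RFC 4509), SHA-384 (RFC 6605).
DIGEST_TYPES = {"SHA-1": (1, "sha1"), "SHA-256": (2, "sha256"), "SHA-384": (4, "sha384")}
REVOKE_FLAG = 0x0080  # RFC 5011 REVOKE bit: such keys are never converted
SEP_FLAG = 0x0001     # RFC 4034 SEP bit: set on KSKs (257), clear on ZSKs (256)


def normalize_digest_name(name):
    """Accept SHA1, sha-256, SHA384 ... like the -a option (case- and hyphen-insensitive)."""
    wanted = name.upper().replace("-", "")
    for canonical in DIGEST_TYPES:
        if canonical.replace("-", "") == wanted:
            return canonical
    raise ValueError(f"unsupported digest algorithm: {name}")


def canonical_wire_name(name):
    """Owner name in canonical wire format (RFC 4034 s6.2): lowercase, length-prefixed labels, root."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """Key tag of a DNSKEY RDATA, RFC 4034 Appendix B (all algorithms except RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse a zone-file DNSKEY line: owner [TTL] [class] DNSKEY flags proto alg base64key..."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], flags, alg, rdata


def ds_records(zone_lines, digests=("SHA-256",), include_zsk=False, cds=False, ttl=None, zone=None):
    """Return DS (or CDS with cds=True) lines in presentation format, one per key and digest.

    Mirrors the tool's selection rules: revoked keys are skipped, ZSKs only with
    include_zsk (-A), and zone (the dnsname argument) restricts the owner name.
    """
    out = []
    rrtype = "CDS" if cds else "DS"
    for line in zone_lines:
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue  # comments and other RR types in a partial zone file
        owner, flags, alg, rdata = parse_dnskey(line)
        if zone is not None and owner.lower().rstrip(".") != zone.lower().rstrip("."):
            continue
        if flags & REVOKE_FLAG or (not include_zsk and not flags & SEP_FLAG):
            continue
        tag = key_tag(rdata)
        for dname in digests:
            dtype, hname = DIGEST_TYPES[normalize_digest_name(dname)]
            digest = hashlib.new(hname, canonical_wire_name(owner) + rdata).hexdigest().upper()
            ttl_field = f"{ttl} " if ttl is not None else ""
            out.append(f"{owner} {ttl_field}IN {rrtype} {tag} {alg} {dtype} {digest}")
    return out


# Constructed partial zone file (what `dig dnskey example.com | dnssec-dsfromkey -f -` would read).
# The 64-byte key is bytes 1..64, a placeholder, not a real ECDSA P-256 (alg 13) public key.
TOY_KEY = base64.b64encode(bytes(range(1, 65))).decode()
SAMPLE_ZONE = [
    "; constructed sample, not a real zone",
    f"example.com. 3600 IN DNSKEY 257 3 13 {TOY_KEY}",  # KSK: converted by default
    f"example.com. 3600 IN DNSKEY 256 3 13 {TOY_KEY}",  # ZSK: converted only with -A
    f"example.com. 3600 IN DNSKEY 385 3 13 {TOY_KEY}",  # revoked KSK (257|128): never converted
]

if __name__ == "__main__":
    for rr in ds_records(SAMPLE_ZONE, digests=("SHA-256", "SHA-384"), include_zsk=True, ttl=3600):
        print(rr)
```

Run as-is, the script prints four lines (SHA-256 and SHA-384 for the KSK and the ZSK) and silently drops the revoked key, which is the behaviour to expect from ``dnssec-dsfromkey -a SHA-256 -a SHA-384 -A -T 3600 -f - example.com`` on the same input. A useful check when publishing delegations is to compare the digest a parent shows with the one computed this way from the child's DNSKEY RRset: a mismatch means the delegation will fail validation.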

Files
~~~~~

The keyfile can be designated by the key identification
``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
generated by ``dnssec-keygen``.

The keyset file name is built from the ``directory``, the string
``keyset-``, and the ``dnsname``.

Caveat
~~~~~~

A keyfile error may return "file not found," even if the file exists.

See Also
~~~~~~~~

:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).