xref: /netbsd-src/external/mpl/bind/dist/bin/dnssec/dnssec-dsfromkey.rst (revision 73d56d5b0be8704e4f0a7e8221a2c7309572c9a1)
..
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")

   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, You can obtain one at http://mozilla.org/MPL/2.0/.

   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.

.. highlight:: console

.. _man_dnssec-dsfromkey:

dnssec-dsfromkey - DNSSEC DS RR generation tool
-----------------------------------------------

Synopsis
~~~~~~~~

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}

:program:`dnssec-dsfromkey` [ **-h** | **-V** ]

Description
~~~~~~~~~~~

The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the ``-C`` option.

The input keys can be specified in a number of ways:

By default, ``dnssec-dsfromkey`` reads a key file named like
``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.

With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
file or partial zone file (which can contain just the DNSKEY records).

With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
as generated by ``dnssec-keygen -C``.

Options
~~~~~~~

**-1**
   An abbreviation for ``-a SHA1``.

**-2**
   An abbreviation for ``-a SHA-256``.

**-a** algorithm
   Specifies the digest algorithm to use when converting DNSKEY records to
   DS records. This option can be repeated, so that multiple DS records
   are created for each DNSKEY record.

   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
   are case insensitive, and the hyphen may be omitted. If no algorithm
   is specified, the default is SHA-256.

**-A**
   Includes ZSKs when generating DS records. Without this option, only
   keys which have the KSK flag set are converted to DS records and
   printed. Useful only in ``-f`` zone file mode.

**-c** class
   Specifies the DNS class (default is IN). Useful only in ``-s`` keyset
   or ``-f`` zone file mode.

**-C**
   Generates CDS records rather than DS records.

**-f** file
   Zone file mode: ``dnssec-dsfromkey``'s final dnsname argument is the
   DNS domain name of a zone whose master file can be read from
   ``file``. If the zone name is the same as ``file``, then it may be
   omitted.

   If file is ``"-"``, then the zone data is read from the standard
   input. This makes it possible to use the output of the ``dig``
   command as input, as in:

   ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``

**-h**
   Prints usage information.

**-K** directory
   Looks for key files or ``keyset-`` files in ``directory``.

**-s**
   Keyset mode: ``dnssec-dsfromkey``'s final dnsname argument is the DNS
   domain name used to locate a ``keyset-`` file.

**-T** TTL
   Specifies the TTL of the DS records. By default the TTL is omitted.

**-v** level
   Sets the debugging level.

**-V**
   Prints version information.

Example
~~~~~~~

To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile
name, you can issue the following command:

``dnssec-dsfromkey -2 Kexample.com.+003+26160``

The command would print something like:

``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
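
As an added illustration (not part of this manual page or of BIND's own code), the following Python script reproduces what ``dnssec-dsfromkey`` computes in ``-f -`` mode: it parses DNSKEY lines such as ``dig dnskey`` produces, applies the KSK-only filter that ``-A`` relaxes, and derives the key tag and the DS digest over the canonical owner name followed by the DNSKEY RDATA. The sample ``dig`` output and its 4-byte public key are constructed, not a real zone, and the same derivation is what an operator would use to check that the DS published at the parent matches the child's DNSKEY.

```python
import base64
import hashlib

# Digest types accepted by -a: (DS digest type number, hashlib name).
DIGEST_TYPES = {"SHA1": (1, "sha1"), "SHA256": (2, "sha256"), "SHA384": (3, "sha384")}

def wire_name(name):
    """Owner name in canonical (lowercase, uncompressed) wire format, RFC 4034 section 6.2."""
    labels = [label for label in name.lower().rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (algorithms other than 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_to_ds(name, flags, proto, alg, pubkey_b64, digest="SHA-256", cds=False, include_zsk=False):
    """DS (or CDS with cds=True, like -C) text for one DNSKEY; None if the key is skipped."""
    if not (flags & 1) and not include_zsk:  # SEP bit clear = ZSK: skipped unless -A is given
        return None
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)
    dtype, hashname = DIGEST_TYPES[digest.upper().replace("-", "")]
    # DS digest = hash(canonical owner name || DNSKEY RDATA), RFC 4034 section 5.1.4.
    hexdigest = hashlib.new(hashname, wire_name(name) + rdata).hexdigest().upper()
    return f"{name} IN {'CDS' if cds else 'DS'} {key_tag(rdata)} {alg} {dtype} {hexdigest}"

def ds_from_zone_text(text, **options):
    """Convert every DNSKEY line of dig or zone-file text (what -f - does); comments are ignored."""
    records = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith(";") or "DNSKEY" not in tokens:
            continue
        i = tokens.index("DNSKEY")
        flags, proto, alg = (int(t) for t in tokens[i + 1:i + 4])
        pubkey = "".join(tokens[i + 4:])  # dig may split the base64 over several tokens
        ds = dnskey_to_ds(tokens[0], flags, proto, alg, pubkey, **options)
        if ds:
            records.append(ds)
    return records

# Constructed sample: a KSK (257) and a ZSK (256) with a dummy 4-byte public key, not a real key.
SAMPLE_DIG_OUTPUT = """;; ANSWER SECTION:
example.com. 3600 IN DNSKEY 257 3 8 AAECAw==
example.com. 3600 IN DNSKEY 256 3 8 AAECAw==
"""
```

Calling ``ds_from_zone_text(SAMPLE_DIG_OUTPUT)`` yields one DS line for the KSK; passing ``include_zsk=True`` mirrors ``-A`` and yields both.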

Files
~~~~~

The keyfile can be designated by the key identification
``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key`` as
generated by :manpage:`dnssec-keygen(8)`.

The keyset file name is built from the ``directory``, the string
``keyset-`` and the ``dnsname``.

Caveat
~~~~~~

A keyfile error can produce a "file not found" message even if the file exists.

See Also
~~~~~~~~

:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).

151