.\" Copyright (C) 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\"     Title: dnssec-dsfromkey
.\"    Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1
.\"      Date: 2012-05-02
.\"    Manual: BIND9
.\"    Source: ISC
.\"  Language: English
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-dsfromkey\fR
command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
\fB\-l\fR
option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
\fB\-C\fR
option it outputs CDS (Child DS) RRs\&.
.PP
The input keys can be specified in a number of ways:
.PP
By default,
\fBdnssec\-dsfromkey\fR
reads a key file named like
Knnnn\&.+aaa+iiiii\&.key, as generated by
\fBdnssec\-keygen\fR\&.
.PP
With the
\fB\-f \fR\fB\fIfile\fR\fR
option,
\fBdnssec\-dsfromkey\fR
reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
.PP
With the
\fB\-s\fR
option,
\fBdnssec\-dsfromkey\fR
reads a
keyset\-
file, as generated by
\fBdnssec\-keygen\fR \fB\-C\fR\&.
.SH "OPTIONS"
.PP
\-1
.RS 4
An abbreviation for
\fB\-a SHA1\fR
.RE
.PP
\-2
.RS 4
An abbreviation for
\fB\-a SHA\-256\fR
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is to use both SHA\-1 and SHA\-256\&.
.RE
.PP
\-A
.RS 4
Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN)\&. Useful only in
\fB\-s\fR
keyset or
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-C
.RS 4
Generate CDS records rather than DS records\&. This is mutually exclusive with the
\fB\-l\fR
option for generating DLV records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name of a zone whose master file can be read from
\fBfile\fR\&. If the zone name is the same as
\fBfile\fR, then it may be omitted\&.
.sp
If
\fIfile\fR
is
"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
\fBdig\fR
command as input, as in:
.sp
\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
.RE
.PP
\-h
.RS 4
Prints usage information\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Look for key files or
keyset\-
files in
\fBdirectory\fR\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set\&. The specified
\fIdomain\fR
is appended to the name for each record in the set\&. This is mutually exclusive with the
\fB\-C\fR
option for generating CDS records\&.
.RE
.PP
\-s
.RS 4
Keyset mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name used to locate a
keyset\-
file\&.
.RE
.PP
\-T \fITTL\fR
.RS 4
Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.SH "EXAMPLE"
.PP
To build the SHA\-256 DS RR from the
\fBKexample\&.com\&.+003+26160\fR
keyfile name, you can issue the following command:
.PP
\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
.PP
The command would print something like:
.PP
\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
.SH "FILES"
.PP
The keyfile can be designated by the key identification
Knnnn\&.+aaa+iiiii
or the full file name
Knnnn\&.+aaa+iiiii\&.key
as generated by
dnssec\-keygen(8)\&.
.PP
The keyset file name is built from the
\fBdirectory\fR, the string
keyset\-
and the
\fBdnsname\fR\&.
.SH "CAVEAT"
.PP
A keyfile error can give a "file not found" even if the file exists\&.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658 (DS RRs),
RFC 4431 (DLV RRs),
RFC 4509 (SHA\-256 for DS RRs),
RFC 6605 (SHA\-384 for DS RRs),
RFC 7344 (CDS and CDNSKEY RRs)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2016, 2018-2020 Internet Systems Consortium, Inc. ("ISC")
.br
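The DNSKEY-to-DS conversion described under -a, -A and -f (KSK selection, key tag, and a digest over the owner name plus DNSKEY RDATA, as defined in RFC 4034), shown as an added Python example that is not part of the ISC manual or the BIND source. The function names and the toy sample keys are constructed for illustration, and the parser assumes one DNSKEY record per line, as dig prints them by default.

```python
import base64
import hashlib
import struct

# DS digest type numbers (IANA registry): 1 = SHA-1, 2 = SHA-256, 4 = SHA-384
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}

def name_to_wire(name):
    """Canonical wire form of an owner name: lowercased, length-prefixed labels."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_records(zone_text, digest_types=(2,), include_zsk=False):
    """Return DS lines for the DNSKEY records found in single-line zone text."""
    out = []
    for line in zone_text.splitlines():
        tok = line.split(";")[0].split()          # drop comments, tokenize
        if "DNSKEY" not in tok:
            continue
        i = tok.index("DNSKEY")                   # TTL and class may precede the type
        flags, proto, alg = (int(x) for x in tok[i + 1:i + 4])
        if not (flags & 0x0001) and not include_zsk:
            continue                              # SEP (KSK) bit clear: skipped, as without -A
        rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(tok[i + 4:]))
        for dt in digest_types:
            digest = DIGESTS[dt](name_to_wire(tok[0]) + rdata).hexdigest().upper()
            out.append(f"{tok[0]} IN DS {key_tag(rdata)} {alg} {dt} {digest}")
    return out

# Constructed sample input: toy 4-byte "keys", not real public keys
SAMPLE = """\
; constructed DNSKEY RRset
Example.COM. 3600 IN DNSKEY 257 3 13 AQIDBA==
example.com. 3600 IN DNSKEY 256 3 13 BQYHCA==
"""

if __name__ == "__main__":
    for rr in ds_records(SAMPLE):
        print(rr)
```

Because the owner name is lowercased before hashing, a DS computed from `Example.COM.` matches one computed from `example.com.`, which is what lets a parent-side check compare its stored DS against the child's published DNSKEY set.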