.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2019-05-08
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "2019\-05\-08" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-dsfromkey\fR
command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
\fB\-l\fR
option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
\fB\-C\fR
option it outputs CDS (Child DS) RRs\&.
.PP
The input keys can be specified in a number of ways:
.PP
By default,
\fBdnssec\-dsfromkey\fR
reads a key file named like
Knnnn\&.+aaa+iiiii\&.key, as generated by
\fBdnssec\-keygen\fR\&.
.PP
With the
\fB\-f \fR\fB\fIfile\fR\fR
option,
\fBdnssec\-dsfromkey\fR
reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
.PP
With the
\fB\-s\fR
option,
\fBdnssec\-dsfromkey\fR
reads a
keyset\-
file, as generated by
\fBdnssec\-keygen\fR \fB\-C\fR\&.
.SH "OPTIONS"
.PP
\-1
.RS 4
An abbreviation for
\fB\-a SHA\-1\fR\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-2
.RS 4
An abbreviation for
\fB\-a SHA\-256\fR\&.
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&. (Note: The SHA\-1 algorithm is no longer recommended for use when generating new DS and CDS records\&.)
.RE
.PP
\-A
.RS 4
Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN)\&. Useful only in
\fB\-s\fR
keyset or
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-C
.RS 4
Generate CDS records rather than DS records\&. This is mutually exclusive with the
\fB\-l\fR
option for generating DLV records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name of a zone whose master file can be read from
\fBfile\fR\&. If the zone name is the same as
\fBfile\fR, then it may be omitted\&.
.sp
If
\fIfile\fR
is
"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
\fBdig\fR
command as input, as in:
.sp
\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
.RE
.PP
\-h
.RS 4
Prints usage information\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Look for key files or
keyset\-
files in
\fBdirectory\fR\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set\&. The specified
\fIdomain\fR
is appended to the name for each record in the set\&. This is mutually exclusive with the
\fB\-C\fR
option for generating CDS records\&.
.RE
.PP
\-s
.RS 4
Keyset mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name used to locate a
keyset\-
file\&.
.RE
.PP
\-T \fITTL\fR
.RS 4
Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.SH "EXAMPLE"
.PP
To build the SHA\-256 DS RR from the
\fBKexample\&.com\&.+003+26160\fR
keyfile name, you can issue the following command:
.PP
\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
.PP
The command would print something like:
.PP
\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
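An added example, not part of the BIND man page or ISC's code: a Python rendering of the DNSKEY-to-DS conversion described under \-a and \-A, hashing the canonical owner name followed by the DNSKEY RDATA as RFC 4034 specifies. The function names and the four-byte sample key are constructed for illustration.

```python
import hashlib
import struct

# DS digest type numbers for the algorithms the -a option accepts.
DIGESTS = {"SHA1": (1, hashlib.sha1), "SHA256": (2, hashlib.sha256),
           "SHA384": (4, hashlib.sha384)}
SEP_BIT = 0x0001  # the "KSK flag": DNSKEY flags 257 = KSK, 256 = ZSK


def wire_name(name):
    """Canonical wire form: lower-cased, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey,
                   digest="SHA-256", include_zsk=False):
    """Return the DS record text, or None when a non-KSK key is skipped."""
    if not (flags & SEP_BIT) and not include_zsk:
        return None  # default behaviour; include_zsk mirrors -A
    # Case-insensitive, hyphen optional, as the man page describes for -a.
    dtype, hasher = DIGESTS[digest.upper().replace("-", "")]
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    digest_hex = hasher(wire_name(owner) + rdata).hexdigest().upper()
    fqdn = owner.lower().rstrip(".") + "."
    return f"{fqdn} IN DS {key_tag(rdata)} {algorithm} {dtype} {digest_hex}"


# Constructed sample key material (4 dummy bytes, not a real public key).
SAMPLE_KEY = bytes([1, 2, 3, 4])

if __name__ == "__main__":
    for flags in (257, 256):
        print(flags, ds_from_dnskey("example.com", flags, 3, 13, SAMPLE_KEY))
    print(ds_from_dnskey("example.com", 257, 3, 13, SAMPLE_KEY, digest="sha384"))
```
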
.SH "FILES"
.PP
The keyfile can be designated by the key identification
Knnnn\&.+aaa+iiiii
or the full file name
Knnnn\&.+aaa+iiiii\&.key
as generated by
dnssec\-keygen(8)\&.
.PP
The keyset file name is built from the
\fBdirectory\fR, the string
keyset\-
and the
\fBdnsname\fR\&.
.SH "CAVEAT"
.PP
A keyfile error can give a "file not found" even if the file exists\&.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658
(DS RRs),
RFC 4431
(DLV RRs),
RFC 4509
(SHA\-256 for DS RRs),
RFC 6605
(SHA\-384 for DS RRs),
RFC 7344
(CDS and CDNSKEY RRs)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br