<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>

 <div class="refnamediv">
<h2>Name</h2>
<p>
 <span class="application">dnssec-dsfromkey</span>
 &#8212; DNSSEC DS RR generation tool
 </p>
</div>

 <div class="refsynopsisdiv">
<h2>Synopsis</h2>
 <div class="cmdsynopsis"><p>
 <code class="command">dnssec-dsfromkey</code>
 [
 <code class="option">-1</code>
 | <code class="option">-2</code>
 | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
 ]
 [
 <code class="option">-C</code>
 | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
 ]
 [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
 [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
 [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
 {keyfile}
 </p></div>
 <div class="cmdsynopsis"><p>
 <code class="command">dnssec-dsfromkey</code>
 [
 <code class="option">-1</code>
 | <code class="option">-2</code>
 | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
 ]
 [
 <code class="option">-C</code>
 | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
 ]
 [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
 [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
 [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
 [<code class="option">-A</code>]
 {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
 [dnsname]
 </p></div>
 <div class="cmdsynopsis"><p>
 <code class="command">dnssec-dsfromkey</code>
 [
 <code class="option">-1</code>
 | <code class="option">-2</code>
 | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
 ]
 [
 <code class="option">-C</code>
 | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
 ]
 [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
 [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
 [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
 [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
 {-s}
 {dnsname}
 </p></div>
 <div class="cmdsynopsis"><p>
 <code class="command">dnssec-dsfromkey</code>
 [
 <code class="option">-h</code>
 | <code class="option">-V</code>
 ]
 </p></div>
 </div>

 <div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

 <p>
 The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
 Signer) resource records (RRs) and other similarly constructed RRs:
 with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
 Validation) RRs, and with the <code class="option">-C</code> option it outputs CDS (Child
 DS) RRs.
 </p>

 <p>
 The input keys can be specified in a number of ways:
 </p>

 <p>
 By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
 named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
 by <span class="command"><strong>dnssec-keygen</strong></span>.
 </p>

 <p>
 With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
 option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
 or partial zone file (which can contain just the DNSKEY records).
 </p>

 <p>
 With the <code class="option">-s</code>
 option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
 a <code class="filename">keyset-</code> file, as generated
 by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
 </p>

 </div>

 <div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>

 <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd>
 <p>
 An abbreviation for <code class="option">-a SHA-1</code>.
 (Note: The SHA-1 algorithm is no longer recommended for use
 when generating new DS and CDS records.)
 </p>
 </dd>
<dt><span class="term">-2</span></dt>
<dd>
 <p>
 An abbreviation for <code class="option">-a SHA-256</code>.
 </p>
 </dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
 <p>
 Specifies the digest algorithm to use when converting DNSKEY
 records to DS records. This option can be repeated, so
 that multiple DS records are created for each DNSKEY
 record.
 </p>
 <p>
 The <em class="replaceable"><code>algorithm</code></em> must be one of
 SHA-1, SHA-256, or SHA-384. These values are case insensitive,
 and the hyphen may be omitted. If no algorithm is specified,
 the default is SHA-256.
 (Note: The SHA-1 algorithm is no longer recommended for use
 when generating new DS and CDS records.)
 </p>
 </dd>
<dt><span class="term">-A</span></dt>
<dd>
 <p>
 Include ZSKs when generating DS records. Without this option, only
 keys that have the KSK flag set will be converted to DS records
 and printed. Useful only in <code class="option">-f</code> zone file mode.
 </p>
 </dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
 <p>
 Specifies the DNS class (default is IN). Useful only
 in <code class="option">-s</code> keyset or <code class="option">-f</code>
 zone file mode.
 </p>
 </dd>
<dt><span class="term">-C</span></dt>
<dd>
 <p>
 Generate CDS records rather than DS records. This is mutually
 exclusive with the <code class="option">-l</code> option for generating DLV
 records.
 </p>
 </dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
 <p>
 Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
 final <em class="replaceable"><code>dnsname</code></em> argument is
 the DNS domain name of a zone whose master file can be read
 from <code class="option">file</code>. If the zone name is the same as
 <code class="option">file</code>, then it may be omitted.
 </p>
 <p>
 If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
 the zone data is read from the standard input. This makes it
 possible to use the output of the <span class="command"><strong>dig</strong></span>
 command as input, as in:
 </p>
 <p>
 <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
 </p>
 </dd>
<dt><span class="term">-h</span></dt>
<dd>
 <p>
 Prints usage information.
 </p>
 </dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
 <p>
 Look for key files or <code class="filename">keyset-</code> files in
 <code class="option">directory</code>.
 </p>
 </dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
 <p>
 Generate a DLV set instead of a DS set. The specified
 <em class="replaceable"><code>domain</code></em> is appended to the name for each
 record in the set.
 This is mutually exclusive with the <code class="option">-C</code> option
 for generating CDS records.
 </p>
 </dd>
<dt><span class="term">-s</span></dt>
<dd>
 <p>
 Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
 final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
 domain name used to locate a <code class="filename">keyset-</code> file.
 </p>
 </dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd>
 <p>
 Specifies the TTL of the DS records. By default the TTL is omitted.
 </p>
 </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
 <p>
 Sets the debugging level.
 </p>
 </dd>
<dt><span class="term">-V</span></dt>
<dd>
 <p>
 Prints version information.
 </p>
 </dd>
</dl></div>
 </div>

 <div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLE</h2>

 <p>
 To build the SHA-256 DS RR from the
 <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
 keyfile name, you can issue the following command:
 </p>
 <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
 </p>
 <p>
 The command would print something like:
 </p>
 <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
 </p>

 </div>

 <div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>

 <p>
 The keyfile can be designated by the key identification
 <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
 <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
 <span class="refentrytitle">dnssec-keygen</span>(8).
 </p>
 <p>
 The keyset file name is built from the <code class="option">directory</code>,
 the string <code class="filename">keyset-</code> and the
 <code class="option">dnsname</code>.
 </p>
 </div>

 <div class="refsection">
<a name="id-1.11"></a><h2>CAVEAT</h2>

 <p>
 A keyfile error can produce a "file not found" message even if the file exists.
 </p>
 </div>

 <div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>

 <p><span class="citerefentry">
 <span class="refentrytitle">dnssec-keygen</span>(8)
 </span>,
 <span class="citerefentry">
 <span class="refentrytitle">dnssec-signzone</span>(8)
 </span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 3658</em> (DS RRs),
 <em class="citetitle">RFC 4431</em> (DLV RRs),
 <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
 <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
 <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
 </p>
 </div>

</div></body>
</html>