<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">dnssec-dsfromkey</span>
     &#8212; DNSSEC DS RR generation tool
  </p>
</div>

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-dsfromkey</code>
      [
      <code class="option">-1</code>
      | <code class="option">-2</code>
      | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
      ]
      [
      <code class="option">-C</code>
      | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
      ]
      [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
      [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
      [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
      {keyfile}
    </p></div>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-dsfromkey</code>
      [
      <code class="option">-1</code>
      | <code class="option">-2</code>
      | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
      ]
      [
      <code class="option">-C</code>
      | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
      ]
      [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
      [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
      [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
      [<code class="option">-A</code>]
      {<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
      [dnsname]
    </p></div>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-dsfromkey</code>
      [
      <code class="option">-1</code>
      | <code class="option">-2</code>
      | <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
      ]
      [
      <code class="option">-C</code>
      | <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
      ]
      [<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
      [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
      [<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
      [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
      {-s}
      {dnsname}
    </p></div>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-dsfromkey</code>
      [
      <code class="option">-h</code>
      | <code class="option">-V</code>
      ]
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

    <p>
      The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
      Signer) resource records (RRs) and other similarly constructed RRs:
      with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
      Validation) RRs, and with the <code class="option">-C</code> option it outputs CDS (Child
      DS) RRs.
    </p>

    <p>
      The input keys can be specified in a number of ways:
    </p>

    <p>
      By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
      named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
      by <span class="command"><strong>dnssec-keygen</strong></span>.
    </p>

    <p>
      With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
      or partial zone file (which can contain just the DNSKEY records).
    </p>

    <p>
      With the <code class="option">-s</code>
      option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
      a <code class="filename">keyset-</code> file, as generated
      by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
    </p>

  </div>

  <div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd>
          <p>
            An abbreviation for <code class="option">-a SHA1</code>.
          </p>
        </dd>
<dt><span class="term">-2</span></dt>
<dd>
          <p>
            An abbreviation for <code class="option">-a SHA-256</code>.
          </p>
        </dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
          <p>
            Specify a digest algorithm to use when converting DNSKEY
            records to DS records. This option can be repeated, so
            that multiple DS records are created for each DNSKEY
            record.
          </p>
          <p>
            The <em class="replaceable"><code>algorithm</code></em> must be one of
            SHA-1, SHA-256, or SHA-384. These values are case insensitive,
            and the hyphen may be omitted. If no algorithm is specified,
            the default is SHA-256.
          </p>
        </dd>
<dt><span class="term">-A</span></dt>
<dd>
          <p>
            Include ZSKs when generating DS records. Without this option, only
            keys which have the KSK flag set will be converted to DS records
            and printed. Useful only in <code class="option">-f</code> zone file mode.
          </p>
        </dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
          <p>
            Specifies the DNS class (default is IN). Useful only
            in <code class="option">-s</code> keyset or <code class="option">-f</code>
            zone file mode.
          </p>
        </dd>
<dt><span class="term">-C</span></dt>
<dd>
          <p>
            Generate CDS records rather than DS records. This is mutually
            exclusive with the <code class="option">-l</code> option for generating DLV
            records.
          </p>
        </dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
          <p>
            Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
            final <em class="replaceable"><code>dnsname</code></em> argument is
            the DNS domain name of a zone whose master file can be read
            from <code class="option">file</code>. If the zone name is the same as
            <code class="option">file</code>, then it may be omitted.
          </p>
          <p>
            If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
            the zone data is read from the standard input. This makes it
            possible to use the output of the <span class="command"><strong>dig</strong></span>
            command as input, as in:
          </p>
          <p>
            <strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
          </p>
        </dd>
<dt><span class="term">-h</span></dt>
<dd>
          <p>
            Prints usage information.
          </p>
        </dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
          <p>
            Look for key files or <code class="filename">keyset-</code> files in
            <code class="option">directory</code>.
          </p>
        </dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
          <p>
            Generate a DLV set instead of a DS set. The specified
            <em class="replaceable"><code>domain</code></em> is appended to the name for each
            record in the set.
            This is mutually exclusive with the <code class="option">-C</code> option
            for generating CDS records.
          </p>
        </dd>
<dt><span class="term">-s</span></dt>
<dd>
          <p>
            Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
            final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
            domain name used to locate a <code class="filename">keyset-</code> file.
          </p>
        </dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd>
          <p>
            Specifies the TTL of the DS records. By default the TTL is omitted.
          </p>
        </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
          <p>
            Sets the debugging level.
          </p>
        </dd>
<dt><span class="term">-V</span></dt>
<dd>
          <p>
            Prints version information.
          </p>
        </dd>
</dl></div>
  </div>

  <div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLE</h2>

    <p>
      To build the SHA-256 DS RR from the
      <strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
      keyfile name, you can issue the following command:
    </p>
    <p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
    </p>
    <p>
      The command would print something like:
    </p>
    <p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
    </p>

  </div>
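    <p>
      A DS line such as the one above can be cross-checked before it is handed to the parent zone. The following Python is an added example, not part of the original page or of BIND: it recomputes the key tag and digest from a DNSKEY as specified in RFC 4034 and compares them with a DS or CDS line. The function names and the sample key are constructed for illustration, and owner names containing escaped characters are assumed not to occur.
    </p>

```python
import base64
import hashlib
import struct

# DS digest type numbers mapped to hashlib names (SHA-1, SHA-256, SHA-384).
DIGESTS = {1: "sha1", 2: "sha256", 4: "sha384"}

def name_to_wire(name):
    """Canonical wire form of an owner name: lower-case, length-prefixed labels."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, key_b64):
    """DNSKEY RDATA: 16-bit flags, protocol, algorithm, then the raw public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(key_b64)

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, key_b64, digest_type=2):
    """Return a DS record line in the layout shown in the EXAMPLE section."""
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    digest = hashlib.new(DIGESTS[digest_type], name_to_wire(owner) + rdata)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm,
                                     digest_type, digest.hexdigest().upper())

def ds_matches(ds_line, flags, protocol, algorithm, key_b64):
    """True if a DS (or CDS) line, with or without a TTL, matches the DNSKEY."""
    tok = ds_line.split()
    i = next(n for n, t in enumerate(tok) if t in ("DS", "CDS"))
    tag, alg, dtype = (int(x) for x in tok[i + 1:i + 4])
    if dtype not in DIGESTS or alg != algorithm:
        return False
    rdata = dnskey_rdata(flags, protocol, algorithm, key_b64)
    want = hashlib.new(DIGESTS[dtype], name_to_wire(tok[0]) + rdata).hexdigest()
    return tag == key_tag(rdata) and "".join(tok[i + 4:]).lower() == want

# Constructed sample: bytes 0x00..0x3f standing in for an algorithm 13 key (not a real key).
SAMPLE_KEY = base64.b64encode(bytes(range(64))).decode()

if __name__ == "__main__":
    line = make_ds("example.com.", 257, 3, 13, SAMPLE_KEY)
    print(line, ds_matches(line, 257, 3, 13, SAMPLE_KEY))
```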

  <div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>

    <p>
      The keyfile can be designated by the key identification
      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
      <span class="refentrytitle">dnssec-keygen</span>(8).
    </p>
    <p>
      The keyset file name is built from the <code class="option">directory</code>,
      the string <code class="filename">keyset-</code> and the
      <code class="option">dnsname</code>.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.11"></a><h2>CAVEAT</h2>

    <p>
      A keyfile error can give a "file not found" even if the file exists.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>

    <p><span class="citerefentry">
        <span class="refentrytitle">dnssec-keygen</span>(8)
      </span>,
      <span class="citerefentry">
        <span class="refentrytitle">dnssec-signzone</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 3658</em> (DS RRs),
      <em class="citetitle">RFC 4431</em> (DLV RRs),
      <em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
      <em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
      <em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
    </p>
  </div>

</div></body>
</html>