[ipreg/bind9.git] / bin / dnssec / dnssec-dsfromkey.8
.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\"
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\" Title: dnssec-dsfromkey
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\" Date: 2012-05-02
.\" Manual: BIND9
.\" Source: ISC
.\" Language: English
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-dsfromkey\fR
command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
\fB\-l\fR
option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
\fB\-C\fR
option it outputs CDS (Child DS) RRs\&.
.PP
The input keys can be specified in a number of ways:
.PP
By default,
\fBdnssec\-dsfromkey\fR
reads a key file named like
Knnnn\&.+aaa+iiiii\&.key, as generated by
\fBdnssec\-keygen\fR\&.
.PP
With the
\fB\-f \fR\fB\fIfile\fR\fR
option,
\fBdnssec\-dsfromkey\fR
reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
.PP
With the
\fB\-s\fR
option,
\fBdnssec\-dsfromkey\fR
reads a
keyset\-
file, as generated by
\fBdnssec\-keygen\fR \fB\-C\fR\&.
.SH "OPTIONS"
.PP
\-1
.RS 4
An abbreviation for
\fB\-a SHA1\fR
.RE
.PP
\-2
.RS 4
An abbreviation for
\fB\-a SHA\-256\fR
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-A
.RS 4
Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN)\&. Useful only in
\fB\-s\fR
keyset or
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-C
.RS 4
Generate CDS records rather than DS records\&. This is mutually exclusive with the
\fB\-l\fR
option for generating DLV records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name of a zone whose master file can be read from
\fBfile\fR\&. If the zone name is the same as
\fBfile\fR, then it may be omitted\&.
.sp
If
\fIfile\fR
is
"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
\fBdig\fR
command as input, as in:
.sp
\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
.RE
.PP
\-h
.RS 4
Prints usage information\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Look for key files or
keyset\-
files in
\fBdirectory\fR\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set\&. The specified
\fIdomain\fR
is appended to the name for each record in the set\&. This is mutually exclusive with the
\fB\-C\fR
option for generating CDS records\&.
.RE
.PP
\-s
.RS 4
Keyset mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name used to locate a
keyset\-
file\&.
.RE
.PP
\-T \fITTL\fR
.RS 4
Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.SH "EXAMPLE"
.PP
To build the SHA\-256 DS RR from the
\fBKexample\&.com\&.+003+26160\fR
keyfile name, you can issue the following command:
.PP
\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
.PP
The command would print something like:
.PP
\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
.SH "FILES"
.PP
The keyfile can be designated by the key identification
Knnnn\&.+aaa+iiiii
or the full file name
Knnnn\&.+aaa+iiiii\&.key
as generated by
dnssec\-keygen(8)\&.
.PP
The keyset file name is built from the
\fBdirectory\fR, the string
keyset\-
and the
\fBdnsname\fR\&.
.SH "CAVEAT"
.PP
A keyfile error can give a "file not found" even if the file exists\&.
.SH "SEE ALSO"
.PP
\fBdnssec\-keygen\fR(8),
\fBdnssec\-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658
(DS RRs),
RFC 4431
(DLV RRs),
RFC 4509
(SHA\-256 for DS RRs),
RFC 6605
(SHA\-384 for DS RRs),
RFC 7344
(CDS and CDNSKEY RRs)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br
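
What the DNSKEY-to-DS conversion described for the -a, -A and -f options computes, as an added Python example (not part of this man page or of the BIND source): the DS digest is the chosen hash over the owner name in canonical wire format followed by the DNSKEY RDATA, and the key tag is the RFC 4034 Appendix B checksum. The function names, the one-record-per-line parsing (as in dig output) and the two sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

# Digest names accepted by -a, mapped to (DS digest type, hash constructor).
DIGESTS = {"SHA1": (1, hashlib.sha1), "SHA256": (2, hashlib.sha256),
           "SHA384": (4, hashlib.sha384)}

def wire_name(name):
    """Canonical wire format: lower-cased, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_zone(text, algorithms=("SHA-256",), include_zsk=False):
    """DS lines for one-record-per-line DNSKEY RRs, as in dig output."""
    out = []
    for line in text.splitlines():
        f = line.split(";")[0].split()          # drop ';' comments
        if "DNSKEY" not in f[1:]:
            continue
        i = f.index("DNSKEY", 1)
        flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
        if not flags & 0x0001 and not include_zsk:   # KSK (SEP) bit clear
            continue
        rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode("".join(f[i + 4:]))
        owner = f[0].lower().rstrip(".") + "."
        for name in algorithms:                 # -a may be repeated
            dtype, hasher = DIGESTS[name.upper().replace("-", "")]
            digest = hasher(wire_name(owner) + rdata).hexdigest().upper()
            out.append(f"{owner} IN DS {key_tag(rdata)} {alg} {dtype} {digest}")
    return out

# Constructed sample input: two made-up algorithm 13 keys, not real key material.
KSK = base64.b64encode(bytes(range(64))).decode()
ZSK = base64.b64encode(bytes(range(64, 128))).decode()
SAMPLE = f"""; constructed zone fragment
Example.COM. 3600 IN DNSKEY 257 3 13 {KSK}
example.com. 3600 IN DNSKEY 256 3 13 {ZSK}
"""

if __name__ == "__main__":
    print("\n".join(ds_from_zone(SAMPLE, ["sha256", "SHA-384"], include_zsk=True)))
```

With the defaults only the flags-257 key yields a DS record; passing include_zsk=True mirrors -A and also converts the flags-256 key.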