<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>

<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-dsfromkey</span>
&#8212; DNSSEC DS RR generation tool
</p>
</div>

<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
{keyfile}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-A</code>]
{<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
[dnsname]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
{-s}
{dnsname}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-h</code>
| <code class="option">-V</code>
]
</p></div>
</div>

<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

<p>
The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
Signer) resource records (RRs) and other similarly constructed RRs:
with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
Validation) RRs, and with the <code class="option">-C</code> option it outputs CDS (Child
DS) RRs.
</p>

<p>
The input keys can be specified in a number of ways:
</p>

<p>
By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
by <span class="command"><strong>dnssec-keygen</strong></span>.
</p>

<p>
With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
or partial zone file (which can contain just the DNSKEY records).
</p>

<p>
With the <code class="option">-s</code>
option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
a <code class="filename">keyset-</code> file, as generated
by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
</p>

</div>

<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>

<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA1</code>.
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA-256</code>.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting DNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each DNSKEY
record.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
Include ZSKs when generating DS records. Without this option, only
keys which have the KSK flag set will be converted to DS records
and printed. Useful only in <code class="option">-f</code> zone file mode.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specifies the DNS class (default is IN). Useful only
in <code class="option">-s</code> keyset or <code class="option">-f</code>
zone file mode.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Generate CDS records rather than DS records. This is mutually
exclusive with the <code class="option">-l</code> option for generating DLV
records.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
final <em class="replaceable"><code>dnsname</code></em> argument is
the DNS domain name of a zone whose master file can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints usage information.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Look for key files or <code class="filename">keyset-</code> files in
<code class="option">directory</code>.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Generate a DLV set instead of a DS set. The specified
<em class="replaceable"><code>domain</code></em> is appended to the name for each
record in the set.
This is mutually exclusive with the <code class="option">-C</code> option
for generating CDS records.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
domain name used to locate a <code class="filename">keyset-</code> file.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd>
<p>
Specifies the TTL of the DS records. By default the TTL is omitted.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
</dl></div>
</div>

<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLE</h2>

<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, you can issue the following command:
</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
</p>
<p>
The command would print something like:
</p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
</p>

</div>
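<p>
The DS derivation that <span class="command"><strong>dnssec-dsfromkey</strong></span> performs in the
example above, together with the KSK filtering described under <code class="option">-A</code>, the
digest selection under <code class="option">-a</code> and the CDS output under
<code class="option">-C</code>, worked through as an added Python example. This is not code from the
BIND 9 sources: the owner name is put into canonical lowercase wire form, the key tag is computed over
the DNSKEY RDATA (RFC 4034 Appendix B), and the digest covers the owner name followed by the RDATA
(RFC 4034 section 5.1.4). The DNSKEY records, the function names and the public-key bytes are
constructed placeholders, so the digests printed are illustrative and do not correspond to a real key.
</p>

```python
# Added example, not from the BIND 9 sources: derive DS (or CDS) records from
# DNSKEY records the way dnssec-dsfromkey does. Key tag: RFC 4034 Appendix B;
# canonical owner name: RFC 4034 section 6.2; DS digest input: RFC 4034 section 5.1.4.
import base64
import hashlib

# Digest type numbers from the DS RR digest-type registry. Keys are the -a
# algorithm names with case folded and the hyphen removed, as the tool accepts them.
DIGEST_TYPES = {
    "SHA1": (1, hashlib.sha1),
    "SHA256": (2, hashlib.sha256),
    "SHA384": (4, hashlib.sha384),
}


def owner_wire(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed
    labels, terminating root label (RFC 4034 section 6.2)."""
    name = name.rstrip(".").lower()
    out = b""
    for label in (name.split(".") if name else []):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B; not valid for
    algorithm 1, RSAMD5, which uses a different rule)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def is_ksk(flags):
    """The SEP bit (flags & 1) marks a key-signing key: 257 = ZONE|SEP, 256 = ZONE only."""
    return flags & 0x0001 == 1


def parse_dnskey(line):
    """Parse one presentation-format DNSKEY RR (TTL and class optional).
    Returns (owner, flags, algorithm, rdata bytes)."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0]
    flags, proto, alg = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return owner, flags, alg, rdata


def ds_record(owner, alg, rdata, digest_name="SHA256", ttl=None, rrtype="DS"):
    """Build the DS (or CDS) RR text for one DNSKEY, in the tool's output format."""
    dtype, hasher = DIGEST_TYPES[digest_name.upper().replace("-", "")]
    # RFC 4034 section 5.1.4: digest = hash(canonical owner name || DNSKEY RDATA)
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    fields = [owner.rstrip(".").lower() + "."]
    if ttl is not None:  # -T: the TTL is omitted unless requested
        fields.append(str(ttl))
    fields += ["IN", rrtype, str(key_tag(rdata)), str(alg), str(dtype), digest]
    return " ".join(fields)


def ds_from_zone(lines, digest_names=("SHA256",), include_zsk=False, ttl=None, cds=False):
    """Zone-file mode (-f): one record per requested digest type (-a repeated)
    for every KSK, or for every DNSKEY when include_zsk is set (-A)."""
    records = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue
        owner, flags, alg, rdata = parse_dnskey(line)
        if not (include_zsk or is_ksk(flags)):
            continue
        for name in digest_names:
            records.append(ds_record(owner, alg, rdata, name, ttl, "CDS" if cds else "DS"))
    return records


# Constructed sample DNSKEY RRset: the "public key" bytes are placeholders,
# not real RSA key material, so the resulting DS values are illustrative only.
KSK_PUBKEY = bytes.fromhex("03010001C0FFEE42")
ZSK_PUBKEY = bytes.fromhex("0301000100112233")
SAMPLE_ZONE = [
    "; DNSKEY RRset for example.com. (constructed)",
    "example.com. 3600 IN DNSKEY 257 3 8 " + base64.b64encode(KSK_PUBKEY).decode(),
    "example.com. 3600 IN DNSKEY 256 3 8 " + base64.b64encode(ZSK_PUBKEY).decode(),
]

if __name__ == "__main__":
    # Like -a SHA-1 -a SHA-256 -a SHA-384: three DS records for the KSK only.
    for rr in ds_from_zone(SAMPLE_ZONE, digest_names=("SHA-1", "SHA-256", "SHA-384")):
        print(rr)
    # Like -A -C -T 3600: CDS records for both keys, with a TTL.
    for rr in ds_from_zone(SAMPLE_ZONE, include_zsk=True, ttl=3600, cds=True):
        print(rr)
```

<p>
Running the block prints one DS line per digest type for the KSK only, matching the default
behaviour shown in the example above; <code class="literal">include_zsk=True</code> corresponds to
<code class="option">-A</code>, <code class="literal">cds=True</code> to <code class="option">-C</code>
and <code class="literal">ttl=3600</code> to <code class="option">-T 3600</code>. The same functions
let an operator check that the DS set published at the parent still matches the child's current KSK,
which is the check worth running before a key rollover retires the old key.
</p>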

<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>

<p>
The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
<p>
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
<code class="option">dnsname</code>.
</p>
</div>

<div class="refsection">
<a name="id-1.11"></a><h2>CAVEAT</h2>

<p>
An error in the key file can be reported as "file not found" even if the file exists.
</p>
</div>

<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em> (DS RRs),
<em class="citetitle">RFC 4431</em> (DLV RRs),
<em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
<em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
<em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
</p>
</div>

</div></body>
</html>