<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-dsfromkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-dsfromkey"></a><div class="titlepage"></div>

<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-dsfromkey</span>
&#8212; DNSSEC DS RR generation tool
</p>
</div>

<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
{keyfile}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-A</code>]
{<code class="option">-f <em class="replaceable"><code>file</code></em></code>}
[dnsname]
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-1</code>
| <code class="option">-2</code>
| <code class="option">-a <em class="replaceable"><code>alg</code></em></code>
]
[
<code class="option">-C</code>
| <code class="option">-l <em class="replaceable"><code>domain</code></em></code>
]
[<code class="option">-T <em class="replaceable"><code>TTL</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-c <em class="replaceable"><code>class</code></em></code>]
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
{-s}
{dnsname}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-dsfromkey</code>
[
<code class="option">-h</code>
| <code class="option">-V</code>
]
</p></div>
</div>

<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

<p>
The <span class="command"><strong>dnssec-dsfromkey</strong></span> command outputs DS (Delegation
Signer) resource records (RRs) and other similarly constructed RRs:
with the <code class="option">-l</code> option it outputs DLV (DNSSEC Lookaside
Validation) RRs; with the <code class="option">-C</code> option it outputs CDS (Child
DS) RRs.
</p>

<p>
The input keys can be specified in a number of ways:
</p>

<p>
By default, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads a key file
named like <code class="filename">Knnnn.+aaa+iiiii.key</code>, as generated
by <span class="command"><strong>dnssec-keygen</strong></span>.
</p>

<p>
With the <code class="option">-f <em class="replaceable"><code>file</code></em></code>
option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads keys from a zone file
or partial zone file (which can contain just the DNSKEY records).
</p>

<p>
With the <code class="option">-s</code>
option, <span class="command"><strong>dnssec-dsfromkey</strong></span> reads
a <code class="filename">keyset-</code> file, as generated
by <span class="command"><strong>dnssec-keygen</strong></span> <code class="option">-C</code>.
</p>

</div>

<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>

<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-1</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA-1</code>.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-2</span></dt>
<dd>
<p>
An abbreviation for <code class="option">-a SHA-256</code>.
</p>
</dd>
<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
<dd>
<p>
Specify a digest algorithm to use when converting DNSKEY
records to DS records. This option can be repeated, so
that multiple DS records are created for each DNSKEY
record.
</p>
<p>
The <em class="replaceable"><code>algorithm</code></em> must be one of
SHA-1, SHA-256, or SHA-384. These values are case insensitive,
and the hyphen may be omitted. If no algorithm is specified,
the default is SHA-256.
(Note: The SHA-1 algorithm is no longer recommended for use
when generating new DS and CDS records.)
</p>
</dd>
<dt><span class="term">-A</span></dt>
<dd>
<p>
Include ZSKs when generating DS records. Without this option, only
keys which have the KSK flag set will be converted to DS records
and printed. Useful only in <code class="option">-f</code> zone file mode.
</p>
</dd>
<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
<dd>
<p>
Specifies the DNS class (default is IN). Useful only
in <code class="option">-s</code> keyset or <code class="option">-f</code>
zone file mode.
</p>
</dd>
<dt><span class="term">-C</span></dt>
<dd>
<p>
Generate CDS records rather than DS records. This is mutually
exclusive with the <code class="option">-l</code> option for generating DLV
records.
</p>
</dd>
<dt><span class="term">-f <em class="replaceable"><code>file</code></em></span></dt>
<dd>
<p>
Zone file mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
final <em class="replaceable"><code>dnsname</code></em> argument is
the DNS domain name of a zone whose master file can be read
from <code class="option">file</code>. If the zone name is the same as
<code class="option">file</code>, then it may be omitted.
</p>
<p>
If <em class="replaceable"><code>file</code></em> is <code class="literal">"-"</code>, then
the zone data is read from the standard input. This makes it
possible to use the output of the <span class="command"><strong>dig</strong></span>
command as input, as in:
</p>
<p>
<strong class="userinput"><code>dig dnskey example.com | dnssec-dsfromkey -f - example.com</code></strong>
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Prints usage information.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Look for key files or <code class="filename">keyset-</code> files in
<code class="option">directory</code>.
</p>
</dd>
<dt><span class="term">-l <em class="replaceable"><code>domain</code></em></span></dt>
<dd>
<p>
Generate a DLV set instead of a DS set. The specified
<em class="replaceable"><code>domain</code></em> is appended to the name for each
record in the set.
This is mutually exclusive with the <code class="option">-C</code> option
for generating CDS records.
</p>
</dd>
<dt><span class="term">-s</span></dt>
<dd>
<p>
Keyset mode: <span class="command"><strong>dnssec-dsfromkey</strong></span>'s
final <em class="replaceable"><code>dnsname</code></em> argument is the DNS
domain name used to locate a <code class="filename">keyset-</code> file.
</p>
</dd>
<dt><span class="term">-T <em class="replaceable"><code>TTL</code></em></span></dt>
<dd>
<p>
Specifies the TTL of the DS records. By default the TTL is omitted.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
</dl></div>
</div>

<div class="refsection">
<a name="id-1.9"></a><h2>EXAMPLE</h2>

<p>
To build the SHA-256 DS RR from the
<strong class="userinput"><code>Kexample.com.+003+26160</code></strong>
keyfile name, you can issue the following command:
</p>
<p><strong class="userinput"><code>dnssec-dsfromkey -2 Kexample.com.+003+26160</code></strong>
</p>
<p>
The command would print something like:
</p>
<p><strong class="userinput"><code>example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94</code></strong>
</p>

</div>
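<p>
The DS and CDS records described in DESCRIPTION and shown in EXAMPLE are cheap to recompute, which is how you cross-check a DS you are about to hand to the parent zone against the DNSKEY you actually publish. The following is an added example, not part of the BIND 9 sources: it derives the record the way <span class="command"><strong>dnssec-dsfromkey</strong></span> does (RFC 4034 canonical owner name plus DNSKEY RDATA hashed with the chosen digest type, key tag per RFC 4034 Appendix B) and mirrors the <code class="option">-a</code>, <code class="option">-C</code>, <code class="option">-T</code> and <code class="option">-A</code> behaviour; the DNSKEY fields used are constructed, not a real key.
</p>

```python
# Added example (not BIND code): the DS/CDS record dnssec-dsfromkey prints for a DNSKEY (RFC 4034/4509/6605).
import base64
import hashlib
import struct

# digest name accepted by -a  ->  (DS digest type number, hashlib name)
DIGEST_TYPES = {"SHA-1": (1, "sha1"), "SHA-256": (2, "sha256"), "SHA-384": (4, "sha384")}

def normalize_alg(name):
    """Mirror -a handling: case-insensitive, hyphen optional (sha256 == SHA-256)."""
    wanted = name.upper().replace("-", "")
    for canonical in DIGEST_TYPES:
        if canonical.replace("-", "") == wanted:
            return canonical
    raise ValueError(f"unsupported digest algorithm: {name}")

def canonical_name(owner):
    """Owner name in canonical wire form (RFC 4034 6.2): lowercase, length-prefixed labels."""
    wire = b""
    for label in filter(None, owner.lower().split(".")):
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError(f"label too long in {owner!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"  # root label terminates the name

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B key tag, the iiiii part of Knnnn.+aaa+iiiii.key."""
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def is_ksk(flags):
    """Without -A, zone-file mode (-f) converts only keys with the KSK (SEP) flag set."""
    return bool(flags & 0x0001)  # SEP bit: set on KSKs (flags 257), clear on ZSKs (256)

def ds_record(owner, flags, protocol, algorithm, pubkey_b64,
              digest_alg="SHA-256", rrtype="DS", ttl=None):
    """Presentation-format DS record (or CDS, like -C) for one DNSKEY; -T sets ttl."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest_type, hash_name = DIGEST_TYPES[normalize_alg(digest_alg)]
    digest = hashlib.new(hash_name, canonical_name(owner) + rdata).hexdigest().upper()
    name = owner if owner.endswith(".") else owner + "."
    fields = [name] + ([str(ttl)] if ttl is not None else []) + ["IN", rrtype]
    return " ".join(fields + [str(key_tag(rdata)), str(algorithm), str(digest_type), digest])
```

<p>
Feed it the flags, protocol, algorithm and base64 key fields from a <span class="command"><strong>dig dnskey</strong></span> answer and the line should match what <code class="option">-f -</code> prints for the same key and digest type.
</p>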

<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>

<p>
The keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
<p>
The keyset file name is built from the <code class="option">directory</code>,
the string <code class="filename">keyset-</code> and the
<code class="option">dnsname</code>.
</p>
</div>

<div class="refsection">
<a name="id-1.11"></a><h2>CAVEAT</h2>

<p>
A keyfile error can give a "file not found" even if the file exists.
</p>
</div>

<div class="refsection">
<a name="id-1.12"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 3658</em> (DS RRs),
<em class="citetitle">RFC 4431</em> (DLV RRs),
<em class="citetitle">RFC 4509</em> (SHA-256 for DS RRs),
<em class="citetitle">RFC 6605</em> (SHA-384 for DS RRs),
<em class="citetitle">RFC 7344</em> (CDS and CDNSKEY RRs).
</p>
</div>

</div></body>
</html>