..
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")

   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.

   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.

.. highlight:: console

.. _man_dnssec-dsfromkey:

dnssec-dsfromkey - DNSSEC DS RR generation tool
-----------------------------------------------

Synopsis
~~~~~~~~

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}

:program:`dnssec-dsfromkey` [ **-h** | **-V** ]

Description
~~~~~~~~~~~

The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the ``-C`` option.

The input keys can be specified in a number of ways:

By default, ``dnssec-dsfromkey`` reads a key file named like
``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.

With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
file or partial zone file (which can contain just the DNSKEY records).

With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
as generated by ``dnssec-keygen`` ``-C``.

Options
~~~~~~~

**-1**
    An abbreviation for ``-a SHA1``.

**-2**
    An abbreviation for ``-a SHA-256``.

**-a** algorithm
    Specify a digest algorithm to use when converting DNSKEY records to
    DS records. This option can be repeated, so that multiple DS records
    are created for each DNSKEY record.

    The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
    are case insensitive, and the hyphen may be omitted. If no algorithm
    is specified, the default is SHA-256.

**-A**
    Include ZSKs when generating DS records. Without this option, only
    keys which have the KSK flag set will be converted to DS records and
    printed. Useful only in ``-f`` zone file mode.

**-c** class
    Specifies the DNS class (default is IN). Useful only in ``-s`` keyset
    or ``-f`` zone file mode.

**-C**
    Generate CDS records rather than DS records.

**-f** file
    Zone file mode: ``dnssec-dsfromkey``'s final dnsname argument is the
    DNS domain name of a zone whose master file can be read from
    ``file``. If the zone name is the same as ``file``, then it may be
    omitted.

    If file is ``"-"``, then the zone data is read from the standard
    input. This makes it possible to use the output of the ``dig``
    command as input, as in:

    ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``

**-h**
    Prints usage information.

**-K** directory
    Look for key files or ``keyset-`` files in ``directory``.

**-s**
    Keyset mode: ``dnssec-dsfromkey``'s final dnsname argument is the DNS
    domain name used to locate a ``keyset-`` file.

**-T** TTL
    Specifies the TTL of the DS records. By default the TTL is omitted.

**-v** level
    Sets the debugging level.

**-V**
    Prints version information.

Example
~~~~~~~

To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile
name, you can issue the following command:

``dnssec-dsfromkey -2 Kexample.com.+003+26160``

The command would print something like:

``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``

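The conversion this page describes (the ``-a`` digest choice, the ``-A`` KSK filter, the ``-C`` CDS output, and the DS line printed in the example above), as an added worked example in Python that is not part of BIND or of this manual page. It builds the canonical owner-name wire form, computes the key tag of RFC 4034 Appendix B, and hashes owner name plus DNSKEY RDATA with the chosen digest type as RFC 4509 and RFC 6605 specify. The DNSKEY records in ``SAMPLE_ZONE`` are constructed, not real keys, and all function names are this example's own.

```python
"""Added example: derive DS / CDS records from DNSKEY records as dnssec-dsfromkey does."""
import base64
import hashlib
import struct

# DS digest types (IANA "DS RR Digest Types" registry), keyed by the
# normalized names this page says -a accepts (case-insensitive, hyphen optional).
DIGEST_TYPES = {
    "SHA1": (1, hashlib.sha1),
    "SHA256": (2, hashlib.sha256),
    "SHA384": (4, hashlib.sha384),
}


def normalize_digest_alg(name):
    """Map 'sha-256', 'SHA256', ... onto a DIGEST_TYPES key; reject anything else."""
    key = name.upper().replace("-", "")
    if key not in DIGEST_TYPES:
        raise ValueError(f"unsupported digest algorithm: {name!r}")
    return key


def name_to_wire(name):
    """Canonical (lowercase, uncompressed) wire form of an owner name, RFC 4034 s. 6.2."""
    name = name.rstrip(".").lower()
    wire = b""
    if name:
        for label in name.split("."):
            if not 0 < len(label) < 64:
                raise ValueError(f"bad label in {name!r}")
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"  # the root label terminates the name


def dnskey_rdata(flags, protocol, algorithm, public_key_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(public_key_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (algorithm 1, RSA/MD5, uses the older rule)."""
    if rdata[3] == 1:
        return (rdata[-3] << 8) | rdata[-2]
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_from_dnskey(owner, rdata, digest_alg="SHA-256", cds=False, ttl=None, rdclass="IN"):
    """One DS (or CDS) record in presentation format: digest = H(owner wire || RDATA)."""
    digest_type, hash_fn = DIGEST_TYPES[normalize_digest_alg(digest_alg)]
    digest = hash_fn(name_to_wire(owner) + rdata).hexdigest().upper()
    owner = owner if owner.endswith(".") else owner + "."
    fields = [owner]
    if ttl is not None:
        fields.append(str(ttl))  # like -T: the TTL is omitted unless asked for
    fields += [rdclass, "CDS" if cds else "DS", str(key_tag(rdata)),
               str(rdata[3]), str(digest_type), digest]
    return " ".join(fields)


def parse_dnskey_lines(text):
    """Yield (owner, flags, rdata) for DNSKEY records in zone-file or `dig` output form.

    TTL and class are optional; comments and non-DNSKEY lines are skipped.
    """
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()
        if "DNSKEY" not in fields:
            continue
        idx = fields.index("DNSKEY")
        flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
        key_b64 = "".join(fields[idx + 4:])  # base64 may be split over several fields
        yield fields[0], flags, dnskey_rdata(flags, protocol, algorithm, key_b64)


def ds_records_from_zone(text, digest_algs=("SHA-256",), include_zsk=False, cds=False):
    """Zone-file mode (-f): one record per key and per digest; KSKs only unless include_zsk (-A)."""
    records = []
    for owner, flags, rdata in parse_dnskey_lines(text):
        if not include_zsk and not flags & 0x0001:  # the SEP bit marks a KSK (flags 257)
            continue
        for alg in digest_algs:
            records.append(ds_from_dnskey(owner, rdata, alg, cds=cds))
    return records


# Constructed sample input, not real keys: one KSK (flags 257) and one ZSK (flags 256).
SAMPLE_ZONE = """\
example.com.  3600 IN DNSKEY 257 3 13 AAECAwQFBgcICQoLDA0ODw==  ; KSK (constructed)
example.com.  3600 IN DNSKEY 256 3 13 EBESExQVFhcYGRobHB0eHw==  ; ZSK (constructed)
"""

if __name__ == "__main__":
    # Equivalent of `dnssec-dsfromkey -a SHA-256 -a SHA-384 -f - example.com` on the sample.
    for rr in ds_records_from_zone(SAMPLE_ZONE, ("SHA-256", "sha384")):
        print(rr)
```

The digest input is the owner name in canonical wire form followed by the raw DNSKEY RDATA, which is why a DS published for a differently spelled owner (or for a key whose flags or algorithm byte changed) will not validate: the comparison at the parent is over those exact bytes, not over the key material alone. Feeding a DS produced here and one produced by the tool from the same DNSKEY line into a diff is a quick way to check that a key file or zone file was parsed as intended.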
Files
~~~~~

The keyfile can be designated by the key identification
``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key`` as
generated by :manpage:`dnssec-keygen(8)`.

The keyset file name is built from the ``directory``, the string
``keyset-`` and the ``dnsname``.

Caveat
~~~~~~

A keyfile error can give a "file not found" even if the file exists.

See Also
~~~~~~~~

:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).