..
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")

   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.

   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.

.. highlight: console

.. _man_dnssec-dsfromkey:

dnssec-dsfromkey - DNSSEC DS RR generation tool
-----------------------------------------------

Synopsis
~~~~~~~~

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}

:program:`dnssec-dsfromkey` [ **-h** | **-V** ]

Description
~~~~~~~~~~~

The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource
records (RRs), or CDS (Child DS) RRs with the ``-C`` option.

The input keys can be specified in a number of ways:

By default, ``dnssec-dsfromkey`` reads a key file named in the format
``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.

With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
file or partial zone file (which can contain just the DNSKEY records).

With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
as generated by ``dnssec-keygen`` ``-C``.

Options
~~~~~~~

``-1``
   This option is an abbreviation for ``-a SHA1``.

``-2``
   This option is an abbreviation for ``-a SHA-256``.

``-a algorithm``
   This option specifies a digest algorithm to use when converting DNSKEY
   records to DS records. This option can be repeated, so that multiple DS
   records are created for each DNSKEY record.

   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
   are case-insensitive, and the hyphen may be omitted. If no algorithm
   is specified, the default is SHA-256.

``-A``
   This option indicates that ZSKs are to be included when generating DS
   records. Without this option, only keys which have the KSK flag set are
   converted to DS records and printed. This option is only useful in
   ``-f`` zone file mode.

``-c class``
   This option specifies the DNS class; the default is IN. This option is
   only useful in ``-s`` keyset or ``-f`` zone file mode.

``-C``
   This option generates CDS records rather than DS records.

``-f file``
   This option sets zone file mode, in which the final dnsname argument of
   ``dnssec-dsfromkey`` is the DNS domain name of a zone whose master file
   can be read from ``file``. If the zone name is the same as ``file``,
   then it may be omitted.

   If ``file`` is ``-``, then the zone data is read from the standard
   input. This makes it possible to use the output of the ``dig``
   command as input, as in:

   ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``

``-h``
   This option prints usage information.

``-K directory``
   This option tells BIND 9 to look for key files or ``keyset-`` files in
   ``directory``.

``-s``
   This option enables keyset mode, in which the final dnsname argument of
   ``dnssec-dsfromkey`` is the DNS domain name used to locate a ``keyset-``
   file.

``-T TTL``
   This option specifies the TTL of the DS records. By default the TTL is
   omitted.

``-v level``
   This option sets the debugging level.

``-V``
   This option prints version information.

Example
~~~~~~~

To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile,
issue the following command:

``dnssec-dsfromkey -2 Kexample.com.+003+26160``

The command returns something similar to:

``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
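
As an added illustration (not part of this manual page or of BIND 9's own code), the following Python reproduces what the tool computes: the key tag and the DS digest over the owner name plus DNSKEY RDATA, in the style of ``-f`` mode reading presentation-format DNSKEY lines such as ``dig`` output, converting only KSKs unless the ``-A`` behaviour is requested, and emitting CDS for ``-C``. The function names and the DNSKEY sample are assumptions of this example; the key material is constructed filler, not a real key.

```python
import base64
import hashlib
# DS digest type numbers, keyed by the names -a accepts (case-insensitive, hyphen optional).
DIGESTS = {"SHA1": (1, hashlib.sha1), "SHA256": (2, hashlib.sha256), "SHA384": (4, hashlib.sha384)}

def owner_wire(name):
    """Canonical wire form of the owner name: lowercase, length-prefixed labels, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B); the first DS field."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """Wire-format DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def ds_from_dnskey(owner, rdata, digest_name="SHA256", cds=False):
    dtype, hasher = DIGESTS[digest_name.upper().replace("-", "")]
    # RFC 4034 section 5.1.4: the digest covers the owner name (wire form) then the DNSKEY RDATA.
    digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
    rrtype = "CDS" if cds else "DS"  # -C emits CDS instead of DS
    return f"{owner.lower().rstrip('.')}. IN {rrtype} {key_tag(rdata)} {rdata[3]} {dtype} {digest}"

def ds_from_zone_text(text, digest_name="SHA256", include_zsk=False):
    """-f mode: convert DNSKEY lines (e.g. dig output); KSK/SEP-flagged keys only unless -A."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(";") or "DNSKEY" not in fields:
            continue  # skip blank lines and dig's ';' comment/question lines
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        if not include_zsk and not flags & 0x0001:
            continue  # SEP bit clear: a ZSK, dropped unless include_zsk
        rdata = dnskey_rdata(flags, proto, alg, "".join(fields[i + 4:]))
        out.append(ds_from_dnskey(fields[0], rdata, digest_name))
    return out
# Constructed sample shaped like 'dig dnskey example.com' output; the keys are filler, not real keys.
KSK_KEY = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(16))).decode()
ZSK_KEY = base64.b64encode(b"\x03\x01\x00\x01" + bytes(range(16, 32))).decode()
SAMPLE = f"""\
example.com.  3600  IN  DNSKEY  257 3 8  {KSK_KEY}
example.com.  3600  IN  DNSKEY  256 3 8  {ZSK_KEY}
"""
```

Running ``ds_from_zone_text(SAMPLE)`` yields one DS line for the 257-flagged key, in the same field order as the tool's output above; passing ``include_zsk=True`` also converts the 256-flagged key.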

Files
~~~~~

The keyfile can be designated by the key identification
``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
generated by ``dnssec-keygen``.

The keyset file name is built from the ``directory``, the string
``keyset-``, and the ``dnsname``.

Caveat
~~~~~~

A keyfile error may return "file not found", even if the file exists.

See Also
~~~~~~~~

:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).