bind9/doc/man/dnssec-dsfromkey.1in

.\" Man page generated from reStructuredText.
.
.
.nr rst2man-indent-level 0
.
.de1 rstReportMargin
\\$1 \\n[an-margin]
level \\n[rst2man-indent-level]
level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
-
\\n[rst2man-indent0]
\\n[rst2man-indent1]
\\n[rst2man-indent2]
..
.de1 INDENT
.\" .rstReportMargin pre:
. RS \\$1
. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
. nr rst2man-indent-level +1
.\" .rstReportMargin post:
..
.de UNINDENT
. RE
.\" indent \\n[an-margin]
.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
.nr rst2man-indent-level -1
.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
..
.TH "DNSSEC-DSFROMKEY" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9"
.SH NAME
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH SYNOPSIS
.sp
\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-K\fP directory] {keyfile}
.sp
\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-c\fP class] [\fB\-A\fP] {\fB\-f\fP file} [dnsname]
.sp
\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-c\fP class] [\fB\-K\fP directory] {\fB\-s\fP} {dnsname}
.sp
\fBdnssec\-dsfromkey\fP [ \fB\-h\fP | \fB\-V\fP ]
.SH DESCRIPTION
.sp
The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the \fI\%\-C\fP option.
.sp
By default, only KSKs are converted (keys with flags = 257).  The
\fI\%\-A\fP option includes ZSKs (flags = 256).  Revoked keys are never
included.
.sp
The input keys can be specified in a number of ways:
.sp
By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format
\fBKnnnn.+aaa+iiiii.key\fP, as generated by \fI\%dnssec\-keygen\fP\&.
.sp
With the \fI\%\-f file\fP option, \fBdnssec\-dsfromkey\fP reads keys from a zone
file or partial zone file (which can contain just the DNSKEY records).
.sp
With the \fI\%\-s\fP option, \fBdnssec\-dsfromkey\fP reads a \fBkeyset\-\fP file,
as generated by \fI\%dnssec\-keygen\fP \fI\%\-C\fP\&.
.SH OPTIONS
.INDENT 0.0
.TP
.B \-1
This option is an abbreviation for \fI\%\-a SHA1\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-2
This option is an abbreviation for \fI\%\-a SHA\-256\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-a algorithm
This option specifies a digest algorithm to use when converting DNSKEY records to
DS records. This option can be repeated, so that multiple DS records
are created for each DNSKEY record.
.sp
The algorithm must be one of SHA\-1, SHA\-256, or SHA\-384. These values
are case\-insensitive, and the hyphen may be omitted. If no algorithm
is specified, the default is SHA\-256.
.UNINDENT
.INDENT 0.0
.TP
.B \-A
This option indicates that ZSKs are to be included when generating DS records. Without this option, only
keys which have the KSK flag set are converted to DS records and
printed. This option is only useful in \fI\%\-f\fP zone file mode.
.UNINDENT
.INDENT 0.0
.TP
.B \-c class
This option specifies the DNS class; the default is IN. This option is only useful in \fI\%\-s\fP keyset
or \fI\%\-f\fP zone file mode.
.UNINDENT
.INDENT 0.0
.TP
.B \-C
This option generates CDS records rather than DS records.
.UNINDENT
.INDENT 0.0
.TP
.B \-f file
This option sets zone file mode, in which the final dnsname argument of \fBdnssec\-dsfromkey\fP is the
DNS domain name of a zone whose master file can be read from
\fBfile\fP\&. If the zone name is the same as \fBfile\fP, then it may be
omitted.
.sp
If \fBfile\fP is \fB\-\fP, then the zone data is read from the standard
input. This makes it possible to use the output of the \fI\%dig\fP
command as input, as in:
.sp
\fBdig dnskey example.com | dnssec\-dsfromkey \-f \- example.com\fP
.UNINDENT
.INDENT 0.0
.TP
.B \-h
This option prints usage information.
.UNINDENT
.INDENT 0.0
.TP
.B \-K directory
This option tells BIND 9 to look for key files or \fBkeyset\-\fP files in \fBdirectory\fP\&.
.UNINDENT
.INDENT 0.0
.TP
.B \-s
This option enables keyset mode, in which the final dnsname argument from \fBdnssec\-dsfromkey\fP is the DNS
domain name used to locate a \fBkeyset\-\fP file.
.UNINDENT
.INDENT 0.0
.TP
.B \-T TTL
This option specifies the TTL of the DS records. By default the TTL is omitted.
.UNINDENT
.INDENT 0.0
.TP
.B \-v level
This option sets the debugging level.
.UNINDENT
.INDENT 0.0
.TP
.B \-V
This option prints version information.
.UNINDENT
.SH EXAMPLE
.sp
To build the SHA\-256 DS RR from the \fBKexample.com.+003+26160\fP keyfile,
issue the following command:
.sp
\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fP
.sp
The command returns something similar to:
.sp
\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fP
.SH FILES
.sp
The keyfile can be designated by the key identification
\fBKnnnn.+aaa+iiiii\fP or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as
generated by \fI\%dnssec\-keygen\fP\&.
.sp
The keyset file name is built from the \fBdirectory\fP, the string
\fBkeyset\-\fP, and the \fBdnsname\fP\&.
.SH CAVEAT
.sp
A keyfile error may return \(dqfile not found,\(dq even if the file exists.
.SH SEE ALSO
.sp
\fI\%dnssec\-keygen(8)\fP, \fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
\X'tty: link https://datatracker.ietf.org/doc/html/rfc3658.html'\fI\%RFC 3658\fP\X'tty: link' (DS RRs), \X'tty: link https://datatracker.ietf.org/doc/html/rfc4509.html'\fI\%RFC 4509\fP\X'tty: link' (SHA\-256 for DS RRs),
\X'tty: link https://datatracker.ietf.org/doc/html/rfc6605.html'\fI\%RFC 6605\fP\X'tty: link' (SHA\-384 for DS RRs), \X'tty: link https://datatracker.ietf.org/doc/html/rfc7344.html'\fI\%RFC 7344\fP\X'tty: link' (CDS and CDNSKEY RRs).
.SH AUTHOR
Internet Systems Consortium
.SH COPYRIGHT
2025, Internet Systems Consortium
.\" Generated by docutils manpage writer.
.