.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0. If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. highlight:: console

.. iscman:: dnssec-dsfromkey
.. program:: dnssec-dsfromkey
.. _man_dnssec-dsfromkey:

dnssec-dsfromkey - DNSSEC DS RR generation tool
-----------------------------------------------

Synopsis
~~~~~~~~

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]

:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}

:program:`dnssec-dsfromkey` [ **-h** | **-V** ]

Description
~~~~~~~~~~~

The :program:`dnssec-dsfromkey` command outputs DS (Delegation Signer) resource records
(RRs), or CDS (Child DS) RRs with the :option:`-C` option. Each DS RR is derived from
one DNSKEY RR: it carries the key's key tag, its algorithm number, a digest type, and a
digest computed over the owner name and the DNSKEY RDATA (:rfc:`4034`). The DS RR is
what the parent zone publishes to anchor trust in the child zone's key.

By default, only KSKs are converted (keys with flags = 257). The
:option:`-A` option includes ZSKs (flags = 256). Revoked keys (keys with the
REVOKE flag bit set, e.g. flags = 385) are never included.

The input keys can be specified in a number of ways:

By default, :program:`dnssec-dsfromkey` reads a key file named in the format
``Knnnn.+aaa+iiiii.key``, as generated by :iscman:`dnssec-keygen`.

With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` reads keys from a zone
file or partial zone file (which can contain just the DNSKEY records).

With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a ``keyset-`` file,
as generated by :iscman:`dnssec-signzone` ``-C``.

Options
~~~~~~~

.. option:: -1

   This option is an abbreviation for :option:`-a SHA1 <-a>`. SHA-1 (DS digest
   type 1) is retained for compatibility only; :rfc:`8624` specifies that it
   must not be used when generating DS records, so prefer the SHA-256 default.

.. option:: -2

   This option is an abbreviation for :option:`-a SHA-256 <-a>`.

.. option:: -a algorithm

   This option specifies a digest algorithm to use when converting DNSKEY records to
   DS records. This option can be repeated, so that multiple DS records
   are created for each DNSKEY record (for example, one SHA-256 and one
   SHA-384 DS RR per key).

   The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
   are case-insensitive, and the hyphen may be omitted. If no algorithm
   is specified, the default is SHA-256.

.. option:: -A

   This option indicates that ZSKs are to be included when generating DS records. Without this option, only
   keys which have the KSK flag set are converted to DS records and
   printed. This option is only useful in :option:`-f` zone file mode.

.. option:: -c class

   This option specifies the DNS class; the default is IN. This option is only useful in :option:`-s` keyset
   or :option:`-f` zone file mode.

.. option:: -C

   This option generates CDS records rather than DS records.

.. option:: -f file

   This option sets zone file mode, in which the final dnsname argument of :program:`dnssec-dsfromkey` is the
   DNS domain name of a zone whose master file can be read from
   ``file``. If the zone name is the same as ``file``, then it may be
   omitted.

   If ``file`` is ``-``, then the zone data is read from the standard
   input. This makes it possible to use the output of the :iscman:`dig`
   command as input, as in:

   ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``

   Because the resulting DS RR is what the parent publishes to anchor trust in
   the child's key, build it only from DNSKEY data taken from the zone's own
   key files or verified out of band; an unauthenticated query response is not
   a trustworthy source for this purpose.

.. option:: -h

   This option prints usage information.

.. option:: -K directory

   This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.

.. option:: -s

   This option enables keyset mode, in which the final dnsname argument from :program:`dnssec-dsfromkey` is the DNS
   domain name used to locate a ``keyset-`` file.

.. option:: -T TTL

   This option specifies the TTL of the DS records. By default the TTL is omitted.

.. option:: -v level

   This option sets the debugging level.

.. option:: -V

   This option prints version information.

Example
~~~~~~~

To build the SHA-256 DS RR from the ``Kexample.com.+005+26160`` keyfile,
issue the following command:

``dnssec-dsfromkey -2 Kexample.com.+005+26160``

The command returns something similar to:

``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``

The fields after ``DS`` are the key tag (26160) and algorithm number (5) that
also appear in the key file name, the digest type (2, SHA-256), and the
hex-encoded digest.

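The DS derivation described in the Description section and the output format shown
in the example above, reimplemented in Python as an added example (this is not code
from BIND 9 or from :program:`dnssec-dsfromkey`). It follows :rfc:`4034`: the key tag
is the Appendix B checksum over the DNSKEY RDATA, and the digest is computed over the
canonical wire-format owner name followed by the RDATA. The DNSKEY RRset at the bottom
is constructed for illustration (the "public keys" are byte patterns, not real keys),
and all function and constant names are this example's own. ``ds_records`` mirrors the
tool's selection rules (KSKs only unless ``-A``, never revoked keys, one record per
``-a`` digest, CDS with ``-C``, optional TTL with ``-T``); ``ds_matches`` is the check a
practitioner wants before and after a KSK rollover, verifying that a DS published at the
parent corresponds to a key in the child's DNSKEY RRset.

```python
import base64
import hashlib

# Digest algorithms accepted by -a, mapped to DS digest type numbers and hash functions.
DIGEST_TYPES = {
    "SHA-1": (1, hashlib.sha1),
    "SHA-256": (2, hashlib.sha256),
    "SHA-384": (4, hashlib.sha384),
}
FLAG_SEP = 0x0001     # flags 257 = ZONE | SEP; the "KSK" bit dnssec-dsfromkey selects on
FLAG_REVOKE = 0x0080  # RFC 5011 revoke bit; revoked keys are never converted


def normalize_alg(name):
    """Accept 'sha256', 'SHA-256', 'Sha-1', ... as -a does (case-insensitive, hyphen optional)."""
    key = name.upper().replace("-", "")
    return {"SHA1": "SHA-1", "SHA256": "SHA-256", "SHA384": "SHA-384"}[key]


def name_to_wire(name):
    """Canonical (lowercased) wire-format owner name, the first input to the DS digest."""
    labels = [] if name in (".", "") else name.rstrip(".").lower().split(".")
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def parse_dnskey(line):
    """Parse a presentation-format DNSKEY line (TTL/class optional, '(' ')' allowed).
    Returns (owner, flags, protocol, algorithm, wire RDATA)."""
    toks = line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
    i = toks.index("DNSKEY")
    flags, proto, alg = (int(t) for t in toks[i + 1:i + 4])
    pubkey = base64.b64decode("".join(toks[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return toks[0], flags, proto, alg, rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, algorithm, key)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, alg_name="SHA-256"):
    """Return (digest type, upper-case hex digest) of owner-name-wire || DNSKEY RDATA."""
    dtype, h = DIGEST_TYPES[normalize_alg(alg_name)]
    return dtype, h(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_records(dnskey_lines, digests=("SHA-256",), include_zsk=False, cds=False, ttl=None):
    """Emit DS (or CDS) lines the way dnssec-dsfromkey does: KSKs only unless
    include_zsk (-A), revoked keys never, one record per requested digest (-a)."""
    out = []
    for line in dnskey_lines:
        owner, flags, _proto, alg, rdata = parse_dnskey(line)
        if flags & FLAG_REVOKE or (not include_zsk and not flags & FLAG_SEP):
            continue
        for d in digests:
            dtype, hexd = ds_digest(owner, rdata, d)
            fields = [owner] + ([str(ttl)] if ttl is not None else []) + [
                "IN", "CDS" if cds else "DS", str(key_tag(rdata)), str(alg), str(dtype), hexd]
            out.append(" ".join(fields))
    return out


def ds_matches(ds_line, dnskey_lines):
    """Check a DS/CDS line (e.g. what the parent publishes) against a DNSKEY RRset:
    the key tag, algorithm and digest must all correspond to one of the keys."""
    toks = ds_line.split(";", 1)[0].split()
    i = toks.index("CDS") if "CDS" in toks else toks.index("DS")
    tag, alg, dtype = (int(t) for t in toks[i + 1:i + 4])
    digest = "".join(toks[i + 4:]).upper()
    names = {v[0]: k for k, v in DIGEST_TYPES.items()}
    for line in dnskey_lines:
        owner, _flags, _proto, kalg, rdata = parse_dnskey(line)
        if kalg == alg and key_tag(rdata) == tag and dtype in names:
            if ds_digest(owner, rdata, names[dtype])[1] == digest:
                return True
    return False


# Constructed sample DNSKEY RRset (not real keys): a KSK, a ZSK, and the same KSK
# with the revoke bit set (257 + 128 = 385), which also shifts its key tag by 128.
SAMPLE_DNSKEYS = [
    "example.com. 3600 IN DNSKEY 257 3 15 AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=",
    "example.com. 3600 IN DNSKEY 256 3 15 " + "QUFB" * 10 + "QUE=",
    "example.com. 3600 IN DNSKEY 385 3 15 AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=",
]

if __name__ == "__main__":
    # Equivalent of: dnssec-dsfromkey -a SHA-256 -a SHA-384 -f - example.com
    for rec in ds_records(SAMPLE_DNSKEYS, digests=("SHA-256", "SHA-384")):
        print(rec)
```

Run as a script it prints two DS lines for the KSK (one per digest) and nothing for the
ZSK or the revoked key. To audit a delegation, feed ``ds_matches`` the DS line obtained
from the parent and the DNSKEY RRset from the child's zone file; a mismatch after a
rollover means the parent still anchors the old key.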
Files
~~~~~

The keyfile can be designated by the key identification
``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
generated by :iscman:`dnssec-keygen`, where ``nnnn`` is the zone name,
``aaa`` the DNSKEY algorithm number, and ``iiiii`` the key tag.

The keyset file name is built from the ``directory``, the string
``keyset-``, and the ``dnsname``.

Caveat
~~~~~~

A keyfile error may return "file not found," even if the file exists.

See Also
~~~~~~~~

:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
:rfc:`3658` (DS RRs), :rfc:`4034` (DS RDATA format and key tag computation),
:rfc:`4509` (SHA-256 for DS RRs), :rfc:`6605` (SHA-384 for DS RRs),
:rfc:`7344` (CDS and CDNSKEY RRs), :rfc:`8624` (DNSSEC algorithm implementation
requirements, including DS digest types).