Diffstat (limited to 'bin/dnssec/dnssec-dsfromkey.rst')
-rw-r--r--  bin/dnssec/dnssec-dsfromkey.rst  144
1 files changed, 144 insertions, 0 deletions
diff --git a/bin/dnssec/dnssec-dsfromkey.rst b/bin/dnssec/dnssec-dsfromkey.rst
new file mode 100644
index 0000000..6396733
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.rst
@@ -0,0 +1,144 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. _man_dnssec-dsfromkey:
+
+dnssec-dsfromkey - DNSSEC DS RR generation tool
+-----------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}
+
+:program:`dnssec-dsfromkey` [ **-h** | **-V** ]
+
+Description
+~~~~~~~~~~~
+
+The ``dnssec-dsfromkey`` command outputs DS (Delegation Signer) resource records
+(RRs), or CDS (Child DS) RRs with the ``-C`` option.
+
+By default, only KSKs are converted (keys with flags = 257). The
+``-A`` option includes ZSKs (flags = 256). Revoked keys are never
+included.
+
+The input keys can be specified in a number of ways:
+
+By default, ``dnssec-dsfromkey`` reads a key file named in the format
+``Knnnn.+aaa+iiiii.key``, as generated by ``dnssec-keygen``.
+
+With the ``-f file`` option, ``dnssec-dsfromkey`` reads keys from a zone
+file or partial zone file (which can contain just the DNSKEY records).
+
+With the ``-s`` option, ``dnssec-dsfromkey`` reads a ``keyset-`` file,
+as generated by ``dnssec-keygen`` ``-C``.
+
+Options
+~~~~~~~
+
+``-1``
+ This option is an abbreviation for ``-a SHA1``.
+
+``-2``
+ This option is an abbreviation for ``-a SHA-256``.
+
+``-a algorithm``
+ This option specifies a digest algorithm to use when converting DNSKEY records to
+ DS records. This option can be repeated, so that multiple DS records
+ are created for each DNSKEY record.
+
+ The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
+ are case-insensitive, and the hyphen may be omitted. If no algorithm
+ is specified, the default is SHA-256.
+
+``-A``
+ This option indicates that ZSKs are to be included when generating DS records. Without this option, only
+ keys which have the KSK flag set are converted to DS records and
+ printed. This option is only useful in ``-f`` zone file mode.
+
+``-c class``
+ This option specifies the DNS class; the default is IN. This option is only useful in ``-s`` keyset
+ or ``-f`` zone file mode.
+
+``-C``
+ This option generates CDS records rather than DS records.
+
+``-f file``
+ This option sets zone file mode, in which the final dnsname argument of ``dnssec-dsfromkey`` is the
+ DNS domain name of a zone whose master file can be read from
+ ``file``. If the zone name is the same as ``file``, then it may be
+ omitted.
+
+ If ``file`` is ``-``, then the zone data is read from the standard
+ input. This makes it possible to use the output of the ``dig``
+ command as input, as in:
+
+ ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``
+
+``-h``
+ This option prints usage information.
+
+``-K directory``
+ This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.
+
+``-s``
+ This option enables keyset mode, in which the final dnsname argument from ``dnssec-dsfromkey`` is the DNS
+ domain name used to locate a ``keyset-`` file.
+
+``-T TTL``
+ This option specifies the TTL of the DS records. By default the TTL is omitted.
+
+``-v level``
+ This option sets the debugging level.
+
+``-V``
+ This option prints version information.
+
+Example
+~~~~~~~
+
+To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile,
+issue the following command:
+
+``dnssec-dsfromkey -2 Kexample.com.+003+26160``
+
+The command returns something similar to:
+
+``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
+
+Files
+~~~~~
+
+The keyfile can be designated by the key identification
+``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
+generated by ``dnssec-keygen``.
+
+The keyset file name is built from the ``directory``, the string
+``keyset-``, and the ``dnsname``.
+
+Caveat
+~~~~~~
+
+A keyfile error may return "file not found," even if the file exists.
+
+See Also
+~~~~~~~~
+
+:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
+:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
+:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).
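Review bot: the ``-s`` description (the paragraph beginning "With the ``-s`` option") attributes ``keyset-`` files to ``dnssec-keygen -C``, but ``dnssec-keygen``'s ``-C`` is its compatibility mode for producing an old-style key file without timing metadata; ``keyset-`` files are written by ``dnssec-signzone`` when it is run with its ``-C`` (compatibility) flag, so the reference should be to ``dnssec-signzone -C``, and ideally the "See Also" entry for ``dnssec-signzone(8)`` would be cross-referenced there. Two smaller consistency points in the same hunk: the Example section builds a DS from ``Kexample.com.+003+26160``, whose ``+003+`` component is the key algorithm number under the ``Knnnn.+aaa+iiiii`` naming documented in the Files section, yet the sample output ``example.com. IN DS 26160 5 2 3A1E...`` carries algorithm 5, so either the file name or the output line should be changed so the two agree; and ``-1`` is described as an abbreviation for ``-a SHA1`` while ``-2`` uses ``-a SHA-256``, which is harmless given the "hyphen may be omitted" rule under ``-a`` but reads better as ``-a SHA-1``.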