summaryrefslogtreecommitdiffstats
path: root/doc/man/dnssec-dsfromkey.8in
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/man/dnssec-dsfromkey.8in153
1 files changed, 153 insertions, 0 deletions
diff --git a/doc/man/dnssec-dsfromkey.8in b/doc/man/dnssec-dsfromkey.8in
new file mode 100644
index 0000000..83f6a7a
--- /dev/null
+++ b/doc/man/dnssec-dsfromkey.8in
@@ -0,0 +1,153 @@
+.\" Man page generated from reStructuredText.
+.
+.
+.nr rst2man-indent-level 0
+.
+.de1 rstReportMargin
+\\$1 \\n[an-margin]
+level \\n[rst2man-indent-level]
+level margin: \\n[rst2man-indent\\n[rst2man-indent-level]]
+-
+\\n[rst2man-indent0]
+\\n[rst2man-indent1]
+\\n[rst2man-indent2]
+..
+.de1 INDENT
+.\" .rstReportMargin pre:
+. RS \\$1
+. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin]
+. nr rst2man-indent-level +1
+.\" .rstReportMargin post:
+..
+.de UNINDENT
+. RE
+.\" indent \\n[an-margin]
+.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.nr rst2man-indent-level -1
+.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]]
+.in \\n[rst2man-indent\\n[rst2man-indent-level]]u
+..
+.TH "DNSSEC-DSFROMKEY" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9"
+.SH NAME
+dnssec-dsfromkey \- DNSSEC DS RR generation tool
+.SH SYNOPSIS
+.sp
+\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-K\fP directory] {keyfile}
+.sp
+\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-c\fP class] [\fB\-A\fP] {\fB\-f\fP file} [dnsname]
+.sp
+\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-c\fP class] [\fB\-K\fP directory] {\fB\-s\fP} {dnsname}
+.sp
+\fBdnssec\-dsfromkey\fP [ \fB\-h\fP | \fB\-V\fP ]
+.SH DESCRIPTION
+.sp
+The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records
+(RRs), or CDS (Child DS) RRs with the \fB\-C\fP option.
+.sp
+By default, only KSKs are converted (keys with flags = 257). The
+\fB\-A\fP option includes ZSKs (flags = 256). Revoked keys are never
+included.
+.sp
+The input keys can be specified in a number of ways:
+.sp
+By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format
+\fBKnnnn.+aaa+iiiii.key\fP, as generated by \fBdnssec\-keygen\fP\&.
+.sp
+With the \fB\-f file\fP option, \fBdnssec\-dsfromkey\fP reads keys from a zone
+file or partial zone file (which can contain just the DNSKEY records).
+.sp
+With the \fB\-s\fP option, \fBdnssec\-dsfromkey\fP reads a \fBkeyset\-\fP file,
+as generated by \fBdnssec\-keygen\fP \fB\-C\fP\&.
+.SH OPTIONS
+.INDENT 0.0
+.TP
+.B \fB\-1\fP
+This option is an abbreviation for \fB\-a SHA1\fP\&.
+.TP
+.B \fB\-2\fP
+This option is an abbreviation for \fB\-a SHA\-256\fP\&.
+.TP
+.B \fB\-a algorithm\fP
+This option specifies a digest algorithm to use when converting DNSKEY records to
+DS records. This option can be repeated, so that multiple DS records
+are created for each DNSKEY record.
+.sp
+The algorithm must be one of SHA\-1, SHA\-256, or SHA\-384. These values
+are case\-insensitive, and the hyphen may be omitted. If no algorithm
+is specified, the default is SHA\-256.
+.TP
+.B \fB\-A\fP
+This option indicates that ZSKs are to be included when generating DS records. Without this option, only
+keys which have the KSK flag set are converted to DS records and
+printed. This option is only useful in \fB\-f\fP zone file mode.
+.TP
+.B \fB\-c class\fP
+This option specifies the DNS class; the default is IN. This option is only useful in \fB\-s\fP keyset
+or \fB\-f\fP zone file mode.
+.TP
+.B \fB\-C\fP
+This option generates CDS records rather than DS records.
+.TP
+.B \fB\-f file\fP
+This option sets zone file mode, in which the final dnsname argument of \fBdnssec\-dsfromkey\fP is the
+DNS domain name of a zone whose master file can be read from
+\fBfile\fP\&. If the zone name is the same as \fBfile\fP, then it may be
+omitted.
+.sp
+If \fBfile\fP is \fB\-\fP, then the zone data is read from the standard
+input. This makes it possible to use the output of the \fBdig\fP
+command as input, as in:
+.sp
+\fBdig dnskey example.com | dnssec\-dsfromkey \-f \- example.com\fP
+.TP
+.B \fB\-h\fP
+This option prints usage information.
+.TP
+.B \fB\-K directory\fP
+This option tells BIND 9 to look for key files or \fBkeyset\-\fP files in \fBdirectory\fP\&.
+.TP
+.B \fB\-s\fP
+This option enables keyset mode, in which the final dnsname argument from \fBdnssec\-dsfromkey\fP is the DNS
+domain name used to locate a \fBkeyset\-\fP file.
+.TP
+.B \fB\-T TTL\fP
+This option specifies the TTL of the DS records. By default the TTL is omitted.
+.TP
+.B \fB\-v level\fP
+This option sets the debugging level.
+.TP
+.B \fB\-V\fP
+This option prints version information.
+.UNINDENT
+.SH EXAMPLE
+.sp
+To build the SHA\-256 DS RR from the \fBKexample.com.+003+26160\fP keyfile,
+issue the following command:
+.sp
+\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fP
+.sp
+The command returns something similar to:
+.sp
+\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fP
+.SH FILES
+.sp
+The keyfile can be designated by the key identification
+\fBKnnnn.+aaa+iiiii\fP or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as
+generated by \fBdnssec\-keygen\fP\&.
+.sp
+The keyset file name is built from the \fBdirectory\fP, the string
+\fBkeyset\-\fP, and the \fBdnsname\fP\&.
+.SH CAVEAT
+.sp
+A keyfile error may return \(dqfile not found,\(dq even if the file exists.
+.SH SEE ALSO
+.sp
+\fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual,
+\fI\%RFC 3658\fP (DS RRs), \fI\%RFC 4509\fP (SHA\-256 for DS RRs),
+\fI\%RFC 6605\fP (SHA\-384 for DS RRs), \fI\%RFC 7344\fP (CDS and CDNSKEY RRs).
+.SH AUTHOR
+Internet Systems Consortium
+.SH COPYRIGHT
+2023, Internet Systems Consortium
+.\" Generated by docutils manpage writer.
+.