Diffstat (limited to '')
-rw-r--r-- | doc/man/dnssec-dsfromkey.8in | 153 |
1 files changed, 153 insertions, 0 deletions
diff --git a/doc/man/dnssec-dsfromkey.8in b/doc/man/dnssec-dsfromkey.8in new file mode 100644 index 0000000..83f6a7a --- /dev/null +++ b/doc/man/dnssec-dsfromkey.8in 
@@ -0,0 +1,153 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "DNSSEC-DSFROMKEY" "8" "@RELEASE_DATE@" "@BIND9_VERSION@" "BIND 9" +.SH NAME +dnssec-dsfromkey \- DNSSEC DS RR generation tool +.SH SYNOPSIS +.sp +\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-K\fP directory] {keyfile} +.sp +\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-c\fP class] [\fB\-A\fP] {\fB\-f\fP file} [dnsname] +.sp +\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-c\fP class] [\fB\-K\fP directory] {\fB\-s\fP} {dnsname} +.sp +\fBdnssec\-dsfromkey\fP [ \fB\-h\fP | \fB\-V\fP ] +.SH DESCRIPTION +.sp +The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records +(RRs), or CDS (Child DS) RRs with the \fB\-C\fP option. +.sp +By default, only KSKs are converted (keys with flags = 257). The +\fB\-A\fP option includes ZSKs (flags = 256). Revoked keys are never +included. +.sp +The input keys can be specified in a number of ways: +.sp +By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format +\fBKnnnn.+aaa+iiiii.key\fP, as generated by \fBdnssec\-keygen\fP\&. 
+.sp +With the \fB\-f file\fP option, \fBdnssec\-dsfromkey\fP reads keys from a zone +file or partial zone file (which can contain just the DNSKEY records). +.sp +With the \fB\-s\fP option, \fBdnssec\-dsfromkey\fP reads a \fBkeyset\-\fP file, +as generated by \fBdnssec\-keygen\fP \fB\-C\fP\&. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \fB\-1\fP +This option is an abbreviation for \fB\-a SHA1\fP\&. +.TP +.B \fB\-2\fP +This option is an abbreviation for \fB\-a SHA\-256\fP\&. +.TP +.B \fB\-a algorithm\fP +This option specifies a digest algorithm to use when converting DNSKEY records to +DS records. This option can be repeated, so that multiple DS records +are created for each DNSKEY record. +.sp +The algorithm must be one of SHA\-1, SHA\-256, or SHA\-384. These values +are case\-insensitive, and the hyphen may be omitted. If no algorithm +is specified, the default is SHA\-256. +.TP +.B \fB\-A\fP +This option indicates that ZSKs are to be included when generating DS records. Without this option, only +keys which have the KSK flag set are converted to DS records and +printed. This option is only useful in \fB\-f\fP zone file mode. +.TP +.B \fB\-c class\fP +This option specifies the DNS class; the default is IN. This option is only useful in \fB\-s\fP keyset +or \fB\-f\fP zone file mode. +.TP +.B \fB\-C\fP +This option generates CDS records rather than DS records. +.TP +.B \fB\-f file\fP +This option sets zone file mode, in which the final dnsname argument of \fBdnssec\-dsfromkey\fP is the +DNS domain name of a zone whose master file can be read from +\fBfile\fP\&. If the zone name is the same as \fBfile\fP, then it may be +omitted. +.sp +If \fBfile\fP is \fB\-\fP, then the zone data is read from the standard +input. This makes it possible to use the output of the \fBdig\fP +command as input, as in: +.sp +\fBdig dnskey example.com | dnssec\-dsfromkey \-f \- example.com\fP +.TP +.B \fB\-h\fP +This option prints usage information. 
+.TP +.B \fB\-K directory\fP +This option tells BIND 9 to look for key files or \fBkeyset\-\fP files in \fBdirectory\fP\&. +.TP +.B \fB\-s\fP +This option enables keyset mode, in which the final dnsname argument from \fBdnssec\-dsfromkey\fP is the DNS +domain name used to locate a \fBkeyset\-\fP file. +.TP +.B \fB\-T TTL\fP +This option specifies the TTL of the DS records. By default the TTL is omitted. +.TP +.B \fB\-v level\fP +This option sets the debugging level. +.TP +.B \fB\-V\fP +This option prints version information. +.UNINDENT +.SH EXAMPLE +.sp +To build the SHA\-256 DS RR from the \fBKexample.com.+003+26160\fP keyfile, +issue the following command: +.sp +\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fP +.sp +The command returns something similar to: +.sp +\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fP +.SH FILES +.sp +The keyfile can be designated by the key identification +\fBKnnnn.+aaa+iiiii\fP or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as +generated by \fBdnssec\-keygen\fP\&. +.sp +The keyset file name is built from the \fBdirectory\fP, the string +\fBkeyset\-\fP, and the \fBdnsname\fP\&. +.SH CAVEAT +.sp +A keyfile error may return \(dqfile not found,\(dq even if the file exists. +.SH SEE ALSO +.sp +\fBdnssec\-keygen(8)\fP, \fBdnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, +\fI\%RFC 3658\fP (DS RRs), \fI\%RFC 4509\fP (SHA\-256 for DS RRs), +\fI\%RFC 6605\fP (SHA\-384 for DS RRs), \fI\%RFC 7344\fP (CDS and CDNSKEY RRs). +.SH AUTHOR +Internet Systems Consortium +.SH COPYRIGHT +2023, Internet Systems Consortium +.\" Generated by docutils manpage writer. +. |
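Review bot: In the EXAMPLE section the keyfile name and the sample output disagree on the algorithm. The command is run on `Kexample.com.+003+26160`, whose `+aaa+` field in the `Knnnn.+aaa+iiiii` naming format is 003, but the record shown is `example.com. IN DS 26160 5 2 ...`, where the algorithm field is 5. A reader who compares the DS line against the key they just converted will see a mismatch that the real tool would not produce. Either rename the keyfile in the example so its algorithm field matches the output, or regenerate the sample DS line from a key with algorithm 3. Since the header says the page is generated from reStructuredText, the fix belongs in the source document and this file should be regenerated from it. A smaller style point in OPTIONS: `-1` is described as an abbreviation for `-a SHA1` while `-2` uses `-a SHA-256` and the `-a` text lists SHA-1; the text says the hyphen may be omitted, so both work, but one spelling throughout would read more cleanly.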