Diffstat (limited to 'bin/dnssec/dnssec-dsfromkey.rst')
-rw-r--r--  bin/dnssec/dnssec-dsfromkey.rst  159
1 files changed, 159 insertions, 0 deletions
diff --git a/bin/dnssec/dnssec-dsfromkey.rst b/bin/dnssec/dnssec-dsfromkey.rst
new file mode 100644
index 0000000..9ca025a
--- /dev/null
+++ b/bin/dnssec/dnssec-dsfromkey.rst
@@ -0,0 +1,159 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. highlight: console
+
+.. iscman:: dnssec-dsfromkey
+.. program:: dnssec-dsfromkey
+.. _man_dnssec-dsfromkey:
+
+dnssec-dsfromkey - DNSSEC DS RR generation tool
+-----------------------------------------------
+
+Synopsis
+~~~~~~~~
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile}
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname]
+
+:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname}
+
+:program:`dnssec-dsfromkey` [ **-h** | **-V** ]
+
+Description
+~~~~~~~~~~~
+
+The :program:`dnssec-dsfromkey` command outputs DS (Delegation Signer) resource records
+(RRs), or CDS (Child DS) RRs with the :option:`-C` option.
+
+By default, only KSKs are converted (keys with flags = 257). The
+:option:`-A` option includes ZSKs (flags = 256). Revoked keys are never
+included.
+
+The input keys can be specified in a number of ways:
+
+By default, :program:`dnssec-dsfromkey` reads a key file named in the format
+``Knnnn.+aaa+iiiii.key``, as generated by :iscman:`dnssec-keygen`.
+
+With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` reads keys from a zone
+file or partial zone file (which can contain just the DNSKEY records).
+
+With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a ``keyset-`` file,
+as generated by :iscman:`dnssec-keygen` :option:`-C`.
+
+Options
+~~~~~~~
+
+.. option:: -1
+
+ This option is an abbreviation for :option:`-a SHA1 <-a>`.
+
+.. option:: -2
+
+ This option is an abbreviation for :option:`-a SHA-256 <-a>`.
+
+.. option:: -a algorithm
+
+ This option specifies a digest algorithm to use when converting DNSKEY records to
+ DS records. This option can be repeated, so that multiple DS records
+ are created for each DNSKEY record.
+
+ The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values
+ are case-insensitive, and the hyphen may be omitted. If no algorithm
+ is specified, the default is SHA-256.
+
+.. option:: -A
+
+ This option indicates that ZSKs are to be included when generating DS records. Without this option, only
+ keys which have the KSK flag set are converted to DS records and
+ printed. This option is only useful in :option:`-f` zone file mode.
+
+.. option:: -c class
+
+ This option specifies the DNS class; the default is IN. This option is only useful in :option:`-s` keyset
+ or :option:`-f` zone file mode.
+
+.. option:: -C
+
+ This option generates CDS records rather than DS records.
+
+.. option:: -f file
+
+ This option sets zone file mode, in which the final dnsname argument of :program:`dnssec-dsfromkey` is the
+ DNS domain name of a zone whose master file can be read from
+ ``file``. If the zone name is the same as ``file``, then it may be
+ omitted.
+
+ If ``file`` is ``-``, then the zone data is read from the standard
+ input. This makes it possible to use the output of the :iscman:`dig`
+ command as input, as in:
+
+ ``dig dnskey example.com | dnssec-dsfromkey -f - example.com``
+
+.. option:: -h
+
+ This option prints usage information.
+
+.. option:: -K directory
+
+ This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``.
+
+.. option:: -s
+
+ This option enables keyset mode, in which the final dnsname argument from :program:`dnssec-dsfromkey` is the DNS
+ domain name used to locate a ``keyset-`` file.
+
+.. option:: -T TTL
+
+ This option specifies the TTL of the DS records. By default the TTL is omitted.
+
+.. option:: -v level
+
+ This option sets the debugging level.
+
+.. option:: -V
+
+ This option prints version information.
+
+Example
+~~~~~~~
+
+To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile,
+issue the following command:
+
+``dnssec-dsfromkey -2 Kexample.com.+003+26160``
+
+The command returns something similar to:
+
+``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94``
+
+Files
+~~~~~
+
+The keyfile can be designated by the key identification
+``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as
+generated by :iscman:`dnssec-keygen`.
+
+The keyset file name is built from the ``directory``, the string
+``keyset-``, and the ``dnsname``.
+
+Caveat
+~~~~~~
+
+A keyfile error may return "file not found," even if the file exists.
+
+See Also
+~~~~~~~~
+
+:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
+:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs),
+:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs).
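Review bot: the worked example in the Example section is internally inconsistent: the input keyfile is named `Kexample.com.+003+26160` (algorithm number 003 in the filename), but the output shown is `example.com. IN DS 26160 5 2 3A1EADA7...`, whose algorithm field is 5. The DS RR's algorithm field is copied from the DNSKEY it digests, so the keyfile name and the DS output must carry the same number; either rename the keyfile in both the prose and the command line to `Kexample.com.+005+26160` or change the DS algorithm field to 3, and in both cases regenerate the digest so it matches the key actually shown. Second, the `-s` paragraph in the Description says the `keyset-` file is "as generated by :iscman:`dnssec-keygen` :option:`-C`", but the `:option:` role resolves to this page's own `-C`, which is documented further down as "generates CDS records rather than DS records"; the cross-reference should point at the tool and option that actually write `keyset-` files, or the option reference should be dropped. Minor wording: `-1` is described as `-a SHA1` while the `-a` text lists the accepted spelling as `SHA-1`, and the `-K` description says the option "tells BIND 9" where to look for key files, which should read :program:`dnssec-dsfromkey`, since this is a stand-alone tool rather than a `named` setting.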