Diffstat (limited to 'bin/dnssec/dnssec-dsfromkey.rst')
-rw-r--r--  bin/dnssec/dnssec-dsfromkey.rst  159
1 files changed, 159 insertions, 0 deletions
diff --git a/bin/dnssec/dnssec-dsfromkey.rst b/bin/dnssec/dnssec-dsfromkey.rst new file mode 100644 index 0000000..9ca025a --- /dev/null +++ b/bin/dnssec/dnssec-dsfromkey.rst 
@@ -0,0 +1,159 @@ +.. Copyright (C) Internet Systems Consortium, Inc. ("ISC") +.. +.. SPDX-License-Identifier: MPL-2.0 +.. +.. This Source Code Form is subject to the terms of the Mozilla Public +.. License, v. 2.0. If a copy of the MPL was not distributed with this +.. file, you can obtain one at https://mozilla.org/MPL/2.0/. +.. +.. See the COPYRIGHT file distributed with this work for additional +.. information regarding copyright ownership. + +.. highlight: console + +.. iscman:: dnssec-dsfromkey +.. program:: dnssec-dsfromkey +.. _man_dnssec-dsfromkey: + +dnssec-dsfromkey - DNSSEC DS RR generation tool +----------------------------------------------- + +Synopsis +~~~~~~~~ + +:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-K** directory] {keyfile} + +:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-A**] {**-f** file} [dnsname] + +:program:`dnssec-dsfromkey` [ **-1** | **-2** | **-a** alg ] [ **-C** ] [**-T** TTL] [**-v** level] [**-c** class] [**-K** directory] {**-s**} {dnsname} + +:program:`dnssec-dsfromkey` [ **-h** | **-V** ] + +Description +~~~~~~~~~~~ + +The :program:`dnssec-dsfromkey` command outputs DS (Delegation Signer) resource records +(RRs), or CDS (Child DS) RRs with the :option:`-C` option. + +By default, only KSKs are converted (keys with flags = 257). The +:option:`-A` option includes ZSKs (flags = 256). Revoked keys are never +included. + +The input keys can be specified in a number of ways: + +By default, :program:`dnssec-dsfromkey` reads a key file named in the format +``Knnnn.+aaa+iiiii.key``, as generated by :iscman:`dnssec-keygen`. + +With the :option:`-f file <-f>` option, :program:`dnssec-dsfromkey` reads keys from a zone +file or partial zone file (which can contain just the DNSKEY records). 
+ +With the :option:`-s` option, :program:`dnssec-dsfromkey` reads a ``keyset-`` file, +as generated by :iscman:`dnssec-keygen` :option:`-C`. + +Options +~~~~~~~ + +.. option:: -1 + + This option is an abbreviation for :option:`-a SHA1 <-a>`. + +.. option:: -2 + + This option is an abbreviation for :option:`-a SHA-256 <-a>`. + +.. option:: -a algorithm + + This option specifies a digest algorithm to use when converting DNSKEY records to + DS records. This option can be repeated, so that multiple DS records + are created for each DNSKEY record. + + The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values + are case-insensitive, and the hyphen may be omitted. If no algorithm + is specified, the default is SHA-256. + +.. option:: -A + + This option indicates that ZSKs are to be included when generating DS records. Without this option, only + keys which have the KSK flag set are converted to DS records and + printed. This option is only useful in :option:`-f` zone file mode. + +.. option:: -c class + + This option specifies the DNS class; the default is IN. This option is only useful in :option:`-s` keyset + or :option:`-f` zone file mode. + +.. option:: -C + + This option generates CDS records rather than DS records. + +.. option:: -f file + + This option sets zone file mode, in which the final dnsname argument of :program:`dnssec-dsfromkey` is the + DNS domain name of a zone whose master file can be read from + ``file``. If the zone name is the same as ``file``, then it may be + omitted. + + If ``file`` is ``-``, then the zone data is read from the standard + input. This makes it possible to use the output of the :iscman:`dig` + command as input, as in: + + ``dig dnskey example.com | dnssec-dsfromkey -f - example.com`` + +.. option:: -h + + This option prints usage information. + +.. option:: -K directory + + This option tells BIND 9 to look for key files or ``keyset-`` files in ``directory``. + +.. 
option:: -s + + This option enables keyset mode, in which the final dnsname argument from :program:`dnssec-dsfromkey` is the DNS + domain name used to locate a ``keyset-`` file. + +.. option:: -T TTL + + This option specifies the TTL of the DS records. By default the TTL is omitted. + +.. option:: -v level + + This option sets the debugging level. + +.. option:: -V + + This option prints version information. + +Example +~~~~~~~ + +To build the SHA-256 DS RR from the ``Kexample.com.+003+26160`` keyfile, +issue the following command: + +``dnssec-dsfromkey -2 Kexample.com.+003+26160`` + +The command returns something similar to: + +``example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94`` + +Files +~~~~~ + +The keyfile can be designated by the key identification +``Knnnn.+aaa+iiiii`` or the full file name ``Knnnn.+aaa+iiiii.key``, as +generated by :iscman:`dnssec-keygen`. + +The keyset file name is built from the ``directory``, the string +``keyset-``, and the ``dnsname``. + +Caveat +~~~~~~ + +A keyfile error may return "file not found," even if the file exists. + +See Also +~~~~~~~~ + +:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual, +:rfc:`3658` (DS RRs), :rfc:`4509` (SHA-256 for DS RRs), +:rfc:`6605` (SHA-384 for DS RRs), :rfc:`7344` (CDS and CDNSKEY RRs). |
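Review bot: the header line ``.. highlight: console`` uses a single colon, so Sphinx parses it as a comment rather than a directive and the console highlighting it is meant to set is never applied; it should read ``.. highlight:: console``. In the Description, "as generated by :iscman:`dnssec-keygen` :option:`-C`" is wrong on two counts: keyset- files are written by dnssec-signzone's -C (compatibility mode), not by dnssec-keygen, and because the file sits under ``.. program:: dnssec-dsfromkey`` the bare ``:option:`-C``` role resolves to this tool's own -C, which the Options section below defines as the CDS switch, so the rendered link points at the wrong option; write it as ``as generated by :iscman:`dnssec-signzone` ``-C``.`` or use the explicit-target form ``:option:`dnssec-signzone -C```. In the Example, the key file ``Kexample.com.+003+26160`` carries algorithm number 003 in its name but the shown output ``example.com. IN DS 26160 5 2 ...`` has algorithm 5 in the DS record; the DS algorithm field is copied from the DNSKEY, so the filename and the output cannot both be right and one of them should be corrected to match. Minor: the -1 description says ``SHA1`` while -2 and the -a text use the hyphenated ``SHA-1``/``SHA-256`` forms.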