Diffstat (limited to 'doc/man/dnssec-dsfromkey.1in')
-rw-r--r-- | doc/man/dnssec-dsfromkey.1in | 177 |
1 files changed, 177 insertions, 0 deletions
diff --git a/doc/man/dnssec-dsfromkey.1in b/doc/man/dnssec-dsfromkey.1in new file mode 100644 index 0000000..5a76afa --- /dev/null +++ b/doc/man/dnssec-dsfromkey.1in 
@@ -0,0 +1,177 @@ +.\" Man page generated from reStructuredText. +. +. +.nr rst2man-indent-level 0 +. +.de1 rstReportMargin +\\$1 \\n[an-margin] +level \\n[rst2man-indent-level] +level margin: \\n[rst2man-indent\\n[rst2man-indent-level]] +- +\\n[rst2man-indent0] +\\n[rst2man-indent1] +\\n[rst2man-indent2] +.. +.de1 INDENT +.\" .rstReportMargin pre: +. RS \\$1 +. nr rst2man-indent\\n[rst2man-indent-level] \\n[an-margin] +. nr rst2man-indent-level +1 +.\" .rstReportMargin post: +.. +.de UNINDENT +. RE +.\" indent \\n[an-margin] +.\" old: \\n[rst2man-indent\\n[rst2man-indent-level]] +.nr rst2man-indent-level -1 +.\" new: \\n[rst2man-indent\\n[rst2man-indent-level]] +.in \\n[rst2man-indent\\n[rst2man-indent-level]]u +.. +.TH "DNSSEC-DSFROMKEY" "1" "@RELEASE_DATE@" "@PACKAGE_VERSION@" "BIND 9" +.SH NAME +dnssec-dsfromkey \- DNSSEC DS RR generation tool +.SH SYNOPSIS +.sp +\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-K\fP directory] {keyfile} +.sp +\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-c\fP class] [\fB\-A\fP] {\fB\-f\fP file} [dnsname] +.sp +\fBdnssec\-dsfromkey\fP [ \fB\-1\fP | \fB\-2\fP | \fB\-a\fP alg ] [ \fB\-C\fP ] [\fB\-T\fP TTL] [\fB\-v\fP level] [\fB\-c\fP class] [\fB\-K\fP directory] {\fB\-s\fP} {dnsname} +.sp +\fBdnssec\-dsfromkey\fP [ \fB\-h\fP | \fB\-V\fP ] +.SH DESCRIPTION +.sp +The \fBdnssec\-dsfromkey\fP command outputs DS (Delegation Signer) resource records +(RRs), or CDS (Child DS) RRs with the \fI\%\-C\fP option. +.sp +By default, only KSKs are converted (keys with flags = 257). The +\fI\%\-A\fP option includes ZSKs (flags = 256). Revoked keys are never +included. +.sp +The input keys can be specified in a number of ways: +.sp +By default, \fBdnssec\-dsfromkey\fP reads a key file named in the format +\fBKnnnn.+aaa+iiiii.key\fP, as generated by \fI\%dnssec\-keygen\fP\&. 
+.sp +With the \fI\%\-f file\fP option, \fBdnssec\-dsfromkey\fP reads keys from a zone +file or partial zone file (which can contain just the DNSKEY records). +.sp +With the \fI\%\-s\fP option, \fBdnssec\-dsfromkey\fP reads a \fBkeyset\-\fP file, +as generated by \fI\%dnssec\-keygen\fP \fI\%\-C\fP\&. +.SH OPTIONS +.INDENT 0.0 +.TP +.B \-1 +This option is an abbreviation for \fI\%\-a SHA1\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B \-2 +This option is an abbreviation for \fI\%\-a SHA\-256\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B \-a algorithm +This option specifies a digest algorithm to use when converting DNSKEY records to +DS records. This option can be repeated, so that multiple DS records +are created for each DNSKEY record. +.sp +The algorithm must be one of SHA\-1, SHA\-256, or SHA\-384. These values +are case\-insensitive, and the hyphen may be omitted. If no algorithm +is specified, the default is SHA\-256. +.UNINDENT +.INDENT 0.0 +.TP +.B \-A +This option indicates that ZSKs are to be included when generating DS records. Without this option, only +keys which have the KSK flag set are converted to DS records and +printed. This option is only useful in \fI\%\-f\fP zone file mode. +.UNINDENT +.INDENT 0.0 +.TP +.B \-c class +This option specifies the DNS class; the default is IN. This option is only useful in \fI\%\-s\fP keyset +or \fI\%\-f\fP zone file mode. +.UNINDENT +.INDENT 0.0 +.TP +.B \-C +This option generates CDS records rather than DS records. +.UNINDENT +.INDENT 0.0 +.TP +.B \-f file +This option sets zone file mode, in which the final dnsname argument of \fBdnssec\-dsfromkey\fP is the +DNS domain name of a zone whose master file can be read from +\fBfile\fP\&. If the zone name is the same as \fBfile\fP, then it may be +omitted. +.sp +If \fBfile\fP is \fB\-\fP, then the zone data is read from the standard +input. 
This makes it possible to use the output of the \fI\%dig\fP +command as input, as in: +.sp +\fBdig dnskey example.com | dnssec\-dsfromkey \-f \- example.com\fP +.UNINDENT +.INDENT 0.0 +.TP +.B \-h +This option prints usage information. +.UNINDENT +.INDENT 0.0 +.TP +.B \-K directory +This option tells BIND 9 to look for key files or \fBkeyset\-\fP files in \fBdirectory\fP\&. +.UNINDENT +.INDENT 0.0 +.TP +.B \-s +This option enables keyset mode, in which the final dnsname argument from \fBdnssec\-dsfromkey\fP is the DNS +domain name used to locate a \fBkeyset\-\fP file. +.UNINDENT +.INDENT 0.0 +.TP +.B \-T TTL +This option specifies the TTL of the DS records. By default the TTL is omitted. +.UNINDENT +.INDENT 0.0 +.TP +.B \-v level +This option sets the debugging level. +.UNINDENT +.INDENT 0.0 +.TP +.B \-V +This option prints version information. +.UNINDENT +.SH EXAMPLE +.sp +To build the SHA\-256 DS RR from the \fBKexample.com.+003+26160\fP keyfile, +issue the following command: +.sp +\fBdnssec\-dsfromkey \-2 Kexample.com.+003+26160\fP +.sp +The command returns something similar to: +.sp +\fBexample.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fP +.SH FILES +.sp +The keyfile can be designated by the key identification +\fBKnnnn.+aaa+iiiii\fP or the full file name \fBKnnnn.+aaa+iiiii.key\fP, as +generated by \fI\%dnssec\-keygen\fP\&. +.sp +The keyset file name is built from the \fBdirectory\fP, the string +\fBkeyset\-\fP, and the \fBdnsname\fP\&. +.SH CAVEAT +.sp +A keyfile error may return \(dqfile not found,\(dq even if the file exists. +.SH SEE ALSO +.sp +\fI\%dnssec\-keygen(8)\fP, \fI\%dnssec\-signzone(8)\fP, BIND 9 Administrator Reference Manual, +\fI\%RFC 3658\fP (DS RRs), \fI\%RFC 4509\fP (SHA\-256 for DS RRs), +\fI\%RFC 6605\fP (SHA\-384 for DS RRs), \fI\%RFC 7344\fP (CDS and CDNSKEY RRs). 
+.SH AUTHOR +Internet Systems Consortium +.SH COPYRIGHT +2023, Internet Systems Consortium +.\" Generated by docutils manpage writer. +. |
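Review bot: The EXAMPLE section is internally inconsistent about the key algorithm. The keyfile is named "Kexample.com.+003+26160", where the "aaa" field of the "Knnnn.+aaa+iiiii" name is the key algorithm in dnssec-keygen's naming, i.e. 003, but the sample output reads "example.com. IN DS 26160 5 2 ...", i.e. algorithm 5. The key tag 26160 matches on both sides, so only the algorithm disagrees. Suggest changing either the file name or the DS line so that a reader comparing their own output against the example sees matching fields. Two smaller documentation points: the "-K directory" text says the option "tells BIND 9 to look for key files", while every other option describes what dnssec-dsfromkey itself does, so naming the tool there would be clearer; and the "-1" entry could say, as the "-a" entry already does, that SHA-256 is the default, so the abbreviation is not read as the recommended choice.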