.\" Copyright (C) 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.\" 
.\" Permission to use, copy, modify, and/or distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies.
.\" 
.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
.\" PERFORMANCE OF THIS SOFTWARE.
.\"
.hy 0
.ad l
'\" t
.\"     Title: dnssec-dsfromkey
.\"    Author: 
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\"      Date: 2012-05-02
.\"    Manual: BIND9
.\"    Source: ISC
.\"  Language: English
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR {\-s} [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] [\fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-s\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-f\ \fR\fB\fIfile\fR\fR] [\fB\-A\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] {dnsname}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR] [\fB\-V\fR]
.SH "DESCRIPTION"
.PP
\fBdnssec\-dsfromkey\fR
outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s)\&.
.SH "OPTIONS"
.PP
\-1
.RS 4
Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256)\&.
.RE
.PP
\-2
.RS 4
Use SHA\-256 as the digest algorithm\&.
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Select the digest algorithm\&. The value of
\fBalgorithm\fR
must be one of SHA\-1 (SHA1), SHA\-256 (SHA256), GOST or SHA\-384 (SHA384)\&. These values are case insensitive\&.
.RE
.PP
\-C
.RS 4
Generate CDS records rather than DS records\&. This is mutually exclusive with generating lookaside records\&.
.RE
.PP
\-T \fITTL\fR
.RS 4
Specifies the TTL of the DS records\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Look for key files (or, in keyset mode,
keyset\-
files) in
\fBdirectory\fR\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
\fBfile\fR\&. If the zone name is the same as
\fBfile\fR, then it may be omitted\&.
.sp
If
\fBfile\fR
is set to
"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
\fBdig\fR
command as input, as in:
.sp
\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
.RE
.PP
\-A
.RS 4
Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in zone file mode\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set\&. The specified
\fBdomain\fR
is appended to the name for each record in the set\&. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431\&. This is mutually exclusive with generating CDS records\&.
.RE
.PP
\-s
.RS 4
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN)\&. Useful only in keyset or zone file mode\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-h
.RS 4
Prints usage information\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.SH "EXAMPLE"
.PP
To build the SHA\-256 DS RR from the
\fBKexample\&.com\&.+003+26160\fR
keyfile name, the following command would be issued:
.PP
\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
.PP
The command would print something like:
.PP
\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR
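.PP
Added example, not part of the ISC manual page or the BIND source: Python code showing how a DS line like the one above is derived from a DNSKEY, following RFC 4034 (the digest covers the owner name in wire form followed by the DNSKEY RDATA; the key tag is the checksum from Appendix B), and how zone file mode filters on the KSK flag\&. All function names and the 4\-byte sample keys are constructed for illustration\&.

```python
import base64
import hashlib
import struct

# DS digest type numbers: 1 = SHA-1 (-1), 2 = SHA-256 (-2), 4 = SHA-384 (-a SHA384).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # the "KSK flag" that the -A option refers to


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B: 16-bit sum of the RDATA with carry."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return one DS record line for a DNSKEY given in presentation form."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    fqdn = owner.lower().rstrip(".") + "."
    return "%s IN DS %d %d %d %s" % (fqdn, key_tag(rdata), algorithm, digest_type, digest)


def ds_set(owner, dnskeys, digest_types=(1, 2), include_zsk=False):
    """Zone-file-mode behaviour: skip keys without the KSK flag unless include_zsk."""
    return [
        ds_from_dnskey(owner, f, p, a, k, dt)
        for (f, p, a, k) in dnskeys
        if include_zsk or f & SEP_FLAG
        for dt in digest_types
    ]


# Constructed sample keys (4-byte dummy key material, not real DNSKEYs).
SAMPLE_KEYS = [(257, 3, 8, "AQIDBA=="), (256, 3, 8, "AQIDBA==")]

if __name__ == "__main__":
    for line in ds_set("example.com.", SAMPLE_KEYS):
        print(line)
```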
.SH "FILES"
.PP
The keyfile can be designated by the key identification
Knnnn\&.+aaa+iiiii
or the full file name
Knnnn\&.+aaa+iiiii\&.key
as generated by
dnssec\-keygen(8)\&.
.PP
The keyset file name is built from the
\fBdirectory\fR, the string
keyset\-
and the
\fBdnsname\fR\&.
.SH "CAVEAT"
.PP
A keyfile error can give a "file not found" even if the file exists\&.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658,
RFC 4431,
RFC 4509\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2016 Internet Systems Consortium, Inc. ("ISC")
.br