.\" Copyright (C) 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.\" 
.\" This Source Code Form is subject to the terms of the Mozilla Public
.\" License, v. 2.0. If a copy of the MPL was not distributed with this
.\" file, You can obtain one at http://mozilla.org/MPL/2.0/.
.\"
.hy 0
.ad l
'\" t
.\"     Title: dnssec-dsfromkey
.\"    Author: 
.\" Generator: DocBook XSL Stylesheets v1.78.1 <http://docbook.sf.net/>
.\"      Date: 2012-05-02
.\"    Manual: BIND9
.\"    Source: ISC
.\"  Language: English
.\"
.TH "DNSSEC\-DSFROMKEY" "8" "2012\-05\-02" "ISC" "BIND9"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el       .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
dnssec-dsfromkey \- DNSSEC DS RR generation tool
.SH "SYNOPSIS"
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {keyfile}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-A\fR] {\fB\-f\ \fR\fB\fIfile\fR\fR} [dnsname]
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-1\fR | \fB\-2\fR | \fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-C\fR | \fB\-l\ \fR\fB\fIdomain\fR\fR] [\fB\-T\ \fR\fB\fITTL\fR\fR] [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-K\ \fR\fB\fIdirectory\fR\fR] {\-s} {dnsname}
.HP \w'\fBdnssec\-dsfromkey\fR\ 'u
\fBdnssec\-dsfromkey\fR [\fB\-h\fR | \fB\-V\fR]
.SH "DESCRIPTION"
.PP
The
\fBdnssec\-dsfromkey\fR
command outputs DS (Delegation Signer) resource records (RRs) and other similarly\-constructed RRs: with the
\fB\-l\fR
option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the
\fB\-C\fR
option it outputs CDS (Child DS) RRs\&.
.PP
The input keys can be specified in a number of ways:
.PP
By default,
\fBdnssec\-dsfromkey\fR
reads a key file named like
Knnnn\&.+aaa+iiiii\&.key, as generated by
\fBdnssec\-keygen\fR\&.
.PP
With the
\fB\-f \fR\fB\fIfile\fR\fR
option,
\fBdnssec\-dsfromkey\fR
reads keys from a zone file or partial zone file (which can contain just the DNSKEY records)\&.
.PP
With the
\fB\-s\fR
option,
\fBdnssec\-dsfromkey\fR
reads a
keyset\-
file, as generated by
\fBdnssec\-keygen\fR \fB\-C\fR\&.
.SH "OPTIONS"
.PP
\-1
.RS 4
An abbreviation for
\fB\-a SHA1\fR
.RE
.PP
\-2
.RS 4
An abbreviation for
\fB\-a SHA\-256\fR
.RE
.PP
\-a \fIalgorithm\fR
.RS 4
Specify a digest algorithm to use when converting DNSKEY records to DS records\&. This option can be repeated, so that multiple DS records are created for each DNSKEY record\&.
.sp
The
\fIalgorithm\fR
must be one of SHA\-1, SHA\-256, or SHA\-384\&. These values are case insensitive, and the hyphen may be omitted\&. If no algorithm is specified, the default is SHA\-256\&.
.RE
.PP
\-A
.RS 4
Include ZSKs when generating DS records\&. Without this option, only keys which have the KSK flag set will be converted to DS records and printed\&. Useful only in
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-c \fIclass\fR
.RS 4
Specifies the DNS class (default is IN)\&. Useful only in
\fB\-s\fR
keyset or
\fB\-f\fR
zone file mode\&.
.RE
.PP
\-C
.RS 4
Generate CDS records rather than DS records\&. This is mutually exclusive with the
\fB\-l\fR
option for generating DLV records\&.
.RE
.PP
\-f \fIfile\fR
.RS 4
Zone file mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name of a zone whose master file can be read from
\fBfile\fR\&. If the zone name is the same as
\fBfile\fR, then it may be omitted\&.
.sp
If
\fIfile\fR
is
"\-", then the zone data is read from the standard input\&. This makes it possible to use the output of the
\fBdig\fR
command as input, as in:
.sp
\fBdig dnskey example\&.com | dnssec\-dsfromkey \-f \- example\&.com\fR
.RE
.PP
\-h
.RS 4
Prints usage information\&.
.RE
.PP
\-K \fIdirectory\fR
.RS 4
Look for key files or
keyset\-
files in
\fBdirectory\fR\&.
.RE
.PP
\-l \fIdomain\fR
.RS 4
Generate a DLV set instead of a DS set\&. The specified
\fIdomain\fR
is appended to the name for each record in the set\&. This is mutually exclusive with the
\fB\-C\fR
option for generating CDS records\&.
.RE
.PP
\-s
.RS 4
Keyset mode:
\fBdnssec\-dsfromkey\fR\*(Aqs final
\fIdnsname\fR
argument is the DNS domain name used to locate a
keyset\-
file\&.
.RE
.PP
\-T \fITTL\fR
.RS 4
Specifies the TTL of the DS records\&. By default the TTL is omitted\&.
.RE
.PP
\-v \fIlevel\fR
.RS 4
Sets the debugging level\&.
.RE
.PP
\-V
.RS 4
Prints version information\&.
.RE
.SH "EXAMPLE"
.PP
To build the SHA\-256 DS RR from the
\fBKexample\&.com\&.+003+26160\fR
keyfile name, you can issue the following command:
.PP
\fBdnssec\-dsfromkey \-2 Kexample\&.com\&.+003+26160\fR
.PP
The command would print something like:
.PP
\fBexample\&.com\&. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94\fR
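.PP
Added example, not part of the ISC manual page or the BIND source: a Python rendering of the DNSKEY-to-DS conversion this tool performs, following RFC 4034 (digest over the owner name in wire form plus the DNSKEY RDATA), for checking a DS published at the parent against the child's DNSKEY. The function names and the all-zero sample key are constructed for illustration; DS lines are assumed to carry no TTL and a single-token digest.

```python
import base64
import hashlib
import struct

# DS digest type numbers for the algorithms the -a option accepts.
DIGESTS = {"SHA-1": (1, hashlib.sha1), "SHA-256": (2, hashlib.sha256),
           "SHA-384": (4, hashlib.sha384)}

def wire_name(name):
    """Canonical (lowercase) wire form of an absolute DNS name."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64,
                   digest="SHA-256", include_zsk=False):
    """Return DS text, or None for a non-KSK key unless include_zsk (like -A)."""
    if not (flags & 0x0001) and not include_zsk:  # SEP bit marks a KSK
        return None
    rdata = struct.pack("!HBB", flags, protocol, algorithm)
    rdata += base64.b64decode(pubkey_b64)
    dtype, hasher = DIGESTS[digest]
    hexdigest = hasher(wire_name(owner) + rdata).hexdigest().upper()
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm,
                                     dtype, hexdigest)

def ds_matches(ds_line, flags, protocol, algorithm, pubkey_b64):
    """True if a DS line (e.g. from the parent zone) matches this DNSKEY."""
    owner, _cls, _type, tag, alg, dtype, digest = ds_line.split()[:7]
    name = {v[0]: k for k, v in DIGESTS.items()}[int(dtype)]
    expect = ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64,
                            name, include_zsk=True)
    return expect.split()[3:] == [tag, alg, dtype, digest.upper()]

# Constructed sample: 64 zero bytes standing in for an algorithm 13 public key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(64)).decode()

if __name__ == "__main__":
    line = ds_from_dnskey("example.com.", 257, 3, 13, SAMPLE_KEY_B64)
    print(line)
    print(ds_matches(line, 257, 3, 13, SAMPLE_KEY_B64))
```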
.SH "FILES"
.PP
The keyfile can be designated by the key identification
Knnnn\&.+aaa+iiiii
or the full file name
Knnnn\&.+aaa+iiiii\&.key
as generated by
dnssec\-keygen(8)\&.
.PP
The keyset file name is built from the
\fBdirectory\fR, the string
keyset\-
and the
\fBdnsname\fR\&.
.SH "CAVEAT"
.PP
A keyfile error can give a "file not found" even if the file exists\&.
.SH "SEE ALSO"
.PP
\fBdnssec-keygen\fR(8),
\fBdnssec-signzone\fR(8),
BIND 9 Administrator Reference Manual,
RFC 3658
(DS RRs),
RFC 4431
(DLV RRs),
RFC 4509
(SHA\-256 for DS RRs),
RFC 6605
(SHA\-384 for DS RRs),
RFC 7344
(CDS and CDNSKEY RRs)\&.
.SH "AUTHOR"
.PP
\fBInternet Systems Consortium, Inc\&.\fR
.SH "COPYRIGHT"
.br
Copyright \(co 2008-2012, 2014-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
.br