$NetBSD: dnssec-dsfromkey.8,v 1.7 2014/12/10 04:37:51 christos Exp $

 Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
 
 Permission to use, copy, modify, and/or distribute this software for any
 purpose with or without fee is hereby granted, provided that the above
 copyright notice and this permission notice appear in all copies.
 
 THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 PERFORMANCE OF THIS SOFTWARE.

 Id

 Title: dnssec-dsfromkey
 Author: 
 Generator: DocBook XSL Stylesheets v1.71.1 <http://docbook.sf.net/>
 Date: May 02, 2012
 Manual: BIND9
 Source: BIND9

 "DNSSEC-DSFROMKEY" "8" "May 02, 2012" "BIND9" "BIND9"
 disable hyphenation
 disable justification (adjust text to left margin only)
 "NAME"
dnssec-dsfromkey - DNSSEC DS RR generation tool

 "SYNOPSIS"
 17
dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] [-l domain] [-T TTL] {keyfile}

 17
dnssec-dsfromkey {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-T TTL] [-f file] [-A] [-v level] {dnsname}

 17
dnssec-dsfromkey [-h] [-V]

 "DESCRIPTION"

dnssec-dsfromkey
outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

 "OPTIONS"

-1


Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256).




-2


Use SHA-256 as the digest algorithm.




-a algorithm


Select the digest algorithm. The value of
algorithm
must be one of SHA-1 (SHA1), SHA-256 (SHA256), GOST or SHA-384 (SHA384). These values are case insensitive.




-T TTL


Specifies the TTL of the DS records.




-K directory


Look for key files (or, in keyset mode,
keyset-
files) in
directory.




-f file


Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from
file. If the zone name is the same as
file, then it may be omitted.
If
file
is set to
"-", then the zone data is read from the standard input. This makes it possible to use the output of the
dig
command as input, as in:
dig dnskey example.com | dnssec-dsfromkey -f - example.com




-A


Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.




-l domain


Generate a DLV set instead of a DS set. The specified
domain
is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.




-s


Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.




-c class


Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.




-v level


Sets the debugging level.




-h


Prints usage information.




-V


Prints version information.



 "EXAMPLE"

To build the SHA-256 DS RR from the
Kexample.com.+003+26160
keyfile name, the following command would be issued:


dnssec-dsfromkey -2 Kexample.com.+003+26160


The command would print something like:


example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94

 "FILES"

The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii
or the full file name
Knnnn.+aaa+iiiii.key
as generated by
dnssec-keygen(8).


The keyset file name is built from the
directory, the string
keyset-
and the
dnsname.

 "CAVEAT"

A keyfile error can give a "file not found" even if the file exists.

 "SEE ALSO"

dnssec-keygen(8),
dnssec-signzone(8),
BIND 9 Administrator Reference Manual,
RFC 3658,
RFC 4431.
RFC 4509.

 "AUTHOR"

Internet Systems Consortium

 "COPYRIGHT"
Copyright \(co 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")