DNSSEC-DSFROMKEY(8)                  BIND9                 DNSSEC-DSFROMKEY(8)

NAME

       dnssec-dsfromkey - DNSSEC DS RR generation tool

SYNOPSIS

       dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] [-l domain] {keyfile}

       dnssec-dsfromkey {-s} [-1] [-2] [-a alg] [-K directory] [-l domain]
                        [-s] [-c class] [-f file] [-A] [-v level] {dnsname}

DESCRIPTION

       dnssec-dsfromkey outputs the Delegation Signer (DS) resource record
       (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

OPTIONS

       -1
           Use SHA-1 as the digest algorithm (the default is to use both SHA-1
           and SHA-256).

       -2
           Use SHA-256 as the digest algorithm.

       -a algorithm
           Select the digest algorithm. The value of algorithm must be one of
           SHA-1 (SHA1), SHA-256 (SHA256) or GOST. These values are case
           insensitive.

       -K directory
           Look for key files (or, in keyset mode, keyset- files) in
           directory.

       -f file
           Zone file mode: in place of the keyfile name, the argument is the
           DNS domain name of a zone master file, which can be read from file.
           If the zone name is the same as file, then it may be omitted.

       -A
           Include ZSKs when generating DS records. Without this option, only
           keys which have the KSK flag set will be converted to DS records
           and printed. Useful only in zone file mode.

       -l domain
           Generate a DLV set instead of a DS set. The specified domain is
           appended to the name for each record in the set. The DNSSEC
           Lookaside Validation (DLV) RR is described in RFC 4431.

       -s
           Keyset mode: in place of the keyfile name, the argument is the DNS
           domain name of a keyset file.

       -c class
           Specifies the DNS class (default is IN). Useful only in keyset or
           zone file mode.

       -v level
           Sets the debugging level.

EXAMPLE

       To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile
       name, the following command would be issued:

       dnssec-dsfromkey -2 Kexample.com.+003+26160

       The command would print something like:

       example.com. IN DS 26160 5 2
       3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94
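
       The computation behind the DS output above, as an added Python example
       (not BIND's code and not part of the original manual page): the digest
       covers the owner name in wire format followed by the DNSKEY RDATA, and
       ZSKs are skipped unless requested, mirroring -A. The function names and
       the sample DNSKEY lines are constructed; the key material is not a real
       key.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest type numbers (-1 / -2)
KSK_FLAG = 0x0001  # SEP bit of the DNSKEY flags field; set when flags == 257

def name_to_wire(name):
    """Canonical wire form: lowercased, length-prefixed labels, root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag checksum over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    # Even-offset bytes are the high octet, odd-offset bytes the low octet.
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_dnskey(line, digest_type=2, include_zsk=False):
    """Return a DS record for one DNSKEY line, or None for a skipped ZSK."""
    fields = line.split()
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    pubkey = base64.b64decode("".join(fields[i + 4:]))
    if not (flags & KSK_FLAG) and not include_zsk:
        return None
    rdata = struct.pack("!HBB", flags, proto, alg) + pubkey
    # The digest input is the owner name followed by the full DNSKEY RDATA.
    digest = DIGESTS[digest_type](name_to_wire(fields[0]) + rdata).hexdigest().upper()
    return f"{fields[0]} IN DS {key_tag(rdata)} {alg} {digest_type} {digest}"

# Constructed sample input (not real keys): one KSK (257) and one ZSK (256).
SAMPLE = [
    "example.com. IN DNSKEY 257 3 8 AQAB",
    "example.com. IN DNSKEY 256 3 8 AQAB",
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(ds_from_dnskey(rec, digest_type=2))
```

       Because the owner name is part of the digest input, the same key
       published under a different zone name yields a different DS record.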

FILES

       The keyfile can be designated by the key identification Knnnn.+aaa+iiiii
       or the full file name Knnnn.+aaa+iiiii.key as generated by
       dnssec-keygen(8).

       The keyset file name is built from the directory, the string keyset-
       and the dnsname.

CAVEAT

       A keyfile error can give a "file not found" even if the file exists.

SEE ALSO

       dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference
       Manual, RFC 3658, RFC 4431, RFC 4509.

AUTHOR

       Internet Systems Consortium

       Copyright © 2008-2010 Internet Systems Consortium, Inc. ("ISC")

BIND9                           August 26, 2009            DNSSEC-DSFROMKEY(8)