DNSSEC-DSFROMKEY(1)                 BIND 9                 DNSSEC-DSFROMKEY(1)

NAME

       dnssec-dsfromkey - DNSSEC DS RR generation tool

SYNOPSIS

       dnssec-dsfromkey [ -1 | -2 | -a alg ] [ -C ] [-T TTL] [-v level] [-K
       directory] {keyfile}

       dnssec-dsfromkey [ -1 | -2 | -a alg ] [ -C ] [-T TTL] [-v level] [-c
       class] [-A] {-f file} [dnsname]

       dnssec-dsfromkey [ -1 | -2 | -a alg ] [ -C ] [-T TTL] [-v level] [-c
       class] [-K directory] {-s} {dnsname}

       dnssec-dsfromkey [ -h | -V ]

DESCRIPTION

       The dnssec-dsfromkey command outputs DS (Delegation Signer) resource
       records (RRs), or CDS (Child DS) RRs with the -C option.

       By default, only KSKs are converted (keys with flags = 257). The -A
       option includes ZSKs (flags = 256). Revoked keys are never included.

       The input keys can be specified in a number of ways:

       By default, dnssec-dsfromkey reads a key file named in the format
       Knnnn.+aaa+iiiii.key, as generated by dnssec-keygen.

       With the -f file option, dnssec-dsfromkey reads keys from a zone file
       or partial zone file (which can contain just the DNSKEY records).

       With the -s option, dnssec-dsfromkey reads a keyset- file, as generated
       by dnssec-signzone -C (compatibility mode).

OPTIONS

       -1     This option is an abbreviation for -a SHA-1.

       -2     This option is an abbreviation for -a SHA-256.

       -a algorithm
              This option specifies a digest algorithm to use when converting
              DNSKEY records to DS records. This option can be repeated, so
              that multiple DS records are created for each DNSKEY record.

              The algorithm must be one of SHA-1, SHA-256, or SHA-384. These
              values are case-insensitive, and the hyphen may be omitted. If
              no algorithm is specified, the default is SHA-256.

              RFC 8624 specifies that SHA-1 (digest type 1) must not be used
              for new DS records, that SHA-256 (digest type 2) must be
              supported, and that SHA-384 (digest type 3) may be used.

       -A     This option indicates that ZSKs are to be included when
              generating DS records. Without this option, only keys which
              have the KSK flag set are converted to DS records and printed.
              This option is only useful in -f zone file mode.

       -c class
              This option specifies the DNS class; the default is IN. This
              option is only useful in -s keyset or -f zone file mode.

       -C     This option generates CDS records rather than DS records.

       -f file
              This option sets zone file mode, in which the final dnsname
              argument of dnssec-dsfromkey is the DNS domain name of a zone
              whose master file can be read from file. If the zone name is
              the same as file, then it may be omitted.

              If file is -, then the zone data is read from the standard
              input. This makes it possible to use the output of the dig
              command as input, as in:

              dig dnskey example.com | dnssec-dsfromkey -f - example.com

              Note that dig prints whatever DNSKEY RRset the queried server
              returned, and dnssec-dsfromkey does not validate it. Before
              publishing the resulting DS records in the parent, confirm that
              the key tags and algorithms match the keys actually in use for
              the zone (for instance, the K*.key files it is signed with).

       -h     This option prints usage information.

       -K directory
              This option tells BIND 9 to look for key files or keyset- files
              in directory.

       -s     This option enables keyset mode, in which the final dnsname
              argument from dnssec-dsfromkey is the DNS domain name used to
              locate a keyset- file.

       -T TTL This option specifies the TTL of the DS records. By default the
              TTL is omitted.

       -v level
              This option sets the debugging level.

       -V     This option prints version information.

EXAMPLE

       To build the SHA-256 DS RR from the Kexample.com.+005+26160 keyfile,
       issue the following command:

       dnssec-dsfromkey -2 Kexample.com.+005+26160

       The command returns something similar to:

       example.com.          IN          DS          26160         5         2
       3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94

       The fields after DS are the key tag (26160), the DNSKEY algorithm
       number (5, matching the +005+ in the key file name), the digest type
       (2 for SHA-256) and the digest itself. The digest is computed over the
       owner name in wire format followed by the DNSKEY RDATA, so it changes
       if either the key or the zone name differs.
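
       The following Python script is an added example; it is not part of
       BIND or of this manual page. It shows what the "-f -" pipeline with
       dig computes: it parses DNSKEY RRs in the one-record-per-line form
       that dig prints, keeps KSKs (flags 257) unless ZSKs are requested,
       drops revoked keys, and prints DS or CDS RRs for SHA-1, SHA-256 or
       SHA-384 with an optional TTL, in the same field order as the output
       above. Its purpose is an independent cross-check of a DS record,
       whether produced by dnssec-dsfromkey or received from a child zone
       operator, before it is published in the parent, since a wrong digest
       or key tag breaks the chain of trust. The function names and flag
       constants are this example's own; the sample input is constructed,
       except for the DNSKEY copied from RFC 4034 section 5.4, whose
       published DS RRs (SHA-1 there, SHA-256 in RFC 4509 section 2.3) the
       script's output can be compared with.

```python
"""Independent DS/CDS computation from DNSKEY RRs in presentation format.

Added example; not part of BIND or of the dnssec-dsfromkey manual page.
It mirrors "dnssec-dsfromkey [-a ...] [-A] [-C] [-T ttl] -f -" fed with
dig output (one DNSKEY per line)."""
import base64
import hashlib

# DNSKEY flag bits: RFC 4034 section 2.1.1 (zone key, SEP), RFC 5011 (revoke).
FLAG_ZONE_KEY = 0x0100
FLAG_SEP = 0x0001      # 257 = zone key + SEP, i.e. a KSK; 256 = ZSK
FLAG_REVOKE = 0x0080   # 385 = revoked KSK; such keys are never turned into DS

# DS digest type numbers (RFC 4034, RFC 4509, RFC 6605) for the tool's -a values.
DIGEST_TYPES = {
    "SHA-1": (1, hashlib.sha1),
    "SHA-256": (2, hashlib.sha256),
    "SHA-384": (3, hashlib.sha384),
}

def normalize_digest_name(name):
    """Accept the -a spellings: case-insensitive, hyphen optional (sha1, SHA-256)."""
    wanted = name.upper().replace("-", "")
    for key in DIGEST_TYPES:
        if key.replace("-", "") == wanted:
            return key
    raise ValueError("unsupported digest algorithm: %s" % name)

def owner_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase,
    length-prefixed labels, terminated by the root label."""
    name = name.lower().rstrip(".")
    wire = b""
    for label in (name.split(".") if name else []):
        if not 1 <= len(label) <= 63:
            raise ValueError("bad label in owner name %r" % name)
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA, RFC 4034 Appendix B (all algorithms but RSAMD5)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_dnskey(line):
    """Parse one single-line DNSKEY RR as dig prints it; TTL and class may be
    absent, "; ..." comments are ignored, multi-line (dig +multiline) records
    are not handled. Returns (owner, flags, rdata) or None for non-DNSKEY lines."""
    fields = line.split(";", 1)[0].replace("(", " ").replace(")", " ").split()
    if "DNSKEY" not in fields:
        return None
    i = fields.index("DNSKEY")
    try:
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pubkey = base64.b64decode("".join(fields[i + 4:]), validate=True)
    except ValueError:
        raise ValueError("malformed DNSKEY record: %r" % line)
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return fields[0], flags, rdata

def ds_records(lines, digests=("SHA-256",), include_zsk=False, cds=False, ttl=None):
    """Return DS (or CDS) RRs in presentation format, one per selected key and
    digest type, in the field order dnssec-dsfromkey prints them."""
    records = []
    for line in lines:
        parsed = parse_dnskey(line)
        if parsed is None:
            continue
        owner, flags, rdata = parsed
        if flags & FLAG_REVOKE or not flags & FLAG_ZONE_KEY:
            continue   # revoked keys never become a DS; a non-zone key cannot sign a zone
        if not flags & FLAG_SEP and not include_zsk:
            continue   # a ZSK, only wanted with -A
        if not owner.endswith("."):
            owner += "."
        for name in digests:
            dtype, hasher = DIGEST_TYPES[normalize_digest_name(name)]
            # RFC 4034 section 5.1.4: digest = hash(owner name wire form || DNSKEY RDATA)
            digest = hasher(owner_wire(owner) + rdata).hexdigest().upper()
            fields = [owner] + ([str(ttl)] if ttl is not None else [])
            fields += ["IN", "CDS" if cds else "DS",
                       str(key_tag(rdata)), str(rdata[3]), str(dtype), digest]
            records.append(" ".join(fields))
    return records

# Constructed sample in the one-RR-per-line shape "dig dnskey <zone>" prints.
# The first DNSKEY is the one printed in RFC 4034 section 5.4 (a ZSK), whose
# SHA-1 DS is given there and whose SHA-256 DS is given in RFC 4509 section
# 2.3. The other two keys are made-up placeholders (a three-byte "public key")
# that only exercise the flag handling: a KSK and a revoked KSK.
SAMPLE = """\
; <<>> DiG 9.18.11 <<>> dnskey dskey.example.com
dskey.example.com. 86400 IN DNSKEY 256 3 5 AQOeiiR0GOMYkDshWoSKz9XzfwJr1AYtsmx3TGkJaNXVbfi/2pHm822aJ5iI9BMzNXxeYCmZDRD99WYwYqUSdjMmmAphXdvxegXd/M5+X7OrzKBaMbCVdFLUUh6DhweJBjEVv5f2wwjM9XzcnOf+EPbtG9DMBmADjFDc2w/rljwvFw==
dskey.example.com. 86400 IN DNSKEY 257 3 5 AQID
dskey.example.com. 86400 IN DNSKEY 385 3 5 AQID
"""

if __name__ == "__main__":
    # Same selection as: dig dnskey dskey.example.com | dnssec-dsfromkey -1 -2 -A -f - dskey.example.com
    for rr in ds_records(SAMPLE.splitlines(), digests=("SHA-1", "SHA-256"), include_zsk=True):
        print(rr)
```

       With a real zone, feed the script the lines of "dig dnskey zone"
       instead of SAMPLE. Unlike dnssec-dsfromkey -f, which takes the zone
       name as an argument, the script uses the owner name of each DNSKEY
       line, which is what dig prints; the owner name is part of the
       digested data, so a DS built for the wrong name never matches.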

FILES

       The keyfile can be designated by the key identification
       Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key, as
       generated by dnssec-keygen, where nnnn is the zone name, aaa the
       DNSKEY algorithm number and iiiii the key tag.

       The keyset file name is built from the directory, the string keyset-,
       and the dnsname.

CAVEAT

       A keyfile error may return "file not found," even if the file exists.

SEE ALSO

       dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference
       Manual, RFC 3658 (DS RRs), RFC 4034 (DNSKEY and DS RRs), RFC 4509
       (SHA-256 for DS RRs), RFC 6605 (SHA-384 for DS RRs), RFC 7344 (CDS and
       CDNSKEY RRs).

AUTHOR

       Internet Systems Consortium

COPYRIGHT

       2023, Internet Systems Consortium

9.18.11                                                    DNSSEC-DSFROMKEY(1)