2. EL 7
  3. bind
  4. dnssec-dsfromkey(8)

Scroll to navigation

DNSSEC-DSFROMKEY(8) BIND9 DNSSEC-DSFROMKEY(8)

NAME

dnssec-dsfromkey - DNSSEC DS RR generation tool

SYNOPSIS

dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] [-C] [-l domain] [-T TTL] {keyfile}

dnssec-dsfromkey {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-T TTL] [-f file] [-A] [-v level] {dnsname}

dnssec-dsfromkey [-h] [-V]

DESCRIPTION

dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).

OPTIONS

-1

Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256).

-2

Use SHA-256 as the digest algorithm.

-a algorithm

Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1), SHA-256 (SHA256), GOST or SHA-384 (SHA384). These values are case insensitive.

-C

Generate CDS records rather than DS records. This is mutually exclusive with generating lookaside records.

-T TTL

Specifies the TTL of the DS records.

-K directory

Look for key files (or, in keyset mode, keyset- files) in directory.

-f file

Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from file. If the zone name is the same as file, then it may be omitted.

If file is set to "-", then the zone data is read from the standard input. This makes it possible to use the output of the dig command as input, as in:

dig dnskey example.com | dnssec-dsfromkey -f - example.com

-A

Include ZSKs when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.

-l domain

Generate a DLV set instead of a DS set. The specified domain is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431. This is mutually exclusive with generating CDS records.

-s

Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.

-c class

Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.

-v level

Sets the debugging level.

-h

Prints usage information.

-V

Prints version information.

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile name, the following command would be issued:

dnssec-dsfromkey -2 Kexample.com.+003+26160

The command would print something like:

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94

FILES

The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).

The keyset file name is built from the directory, the string keyset- and the dnsname.

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 3658, RFC 4431. RFC 4509.

AUTHOR

Internet Systems Consortium, Inc.

COPYRIGHT

Copyright © 2008-2012, 2014-2016, 2018 Internet Systems Consortium, Inc. ("ISC")

2012-05-02 ISC