dnssec-dsfromkey(8)



DNSSEC-DSFROMKEY(8)                 BIND 9                 DNSSEC-DSFROMKEY(8)

NAME
       dnssec-dsfromkey - DNSSEC DS RR generation tool

SYNOPSIS
       dnssec-dsfromkey  [  -1  | -2 | -a alg ] [ -C ] [-T TTL] [-v level] [-K
       directory] {keyfile}

       dnssec-dsfromkey [ -1 | -2 | -a alg ] [ -C ] [-T TTL]  [-v  level]  [-c
       class] [-A] {-f file} [dnsname]

       dnssec-dsfromkey  [  -1  | -2 | -a alg ] [ -C ] [-T TTL] [-v level] [-c
       class] [-K directory] {-s} {dnsname}

       dnssec-dsfromkey [ -h | -V ]

DESCRIPTION
       The dnssec-dsfromkey command outputs DS  (Delegation  Signer)  resource
       records (RRs), or CDS (Child DS) RRs with the -C option.

       The input keys can be specified in a number of ways:

       By default, dnssec-dsfromkey reads a key file named like
       Knnnn.+aaa+iiiii.key, as generated by dnssec-keygen.

       With the -f file option, dnssec-dsfromkey reads keys from a  zone  file
       or partial zone file (which can contain just the DNSKEY records).

       With the -s option, dnssec-dsfromkey reads a keyset- file, as generated
       by dnssec-keygen -C.

OPTIONS
       -1     An abbreviation for -a SHA1

       -2     An abbreviation for -a SHA-256

       -a algorithm
              Specify a digest algorithm to use when converting DNSKEY records
              to  DS records. This option can be repeated, so that multiple DS
              records are created for each DNSKEY record.

              The algorithm must be one of SHA-1, SHA-256, or  SHA-384.  These
              values  are  case insensitive, and the hyphen may be omitted. If
              no algorithm is specified, the default is SHA-256.

       -A     Include ZSKs when generating DS records.  Without  this  option,
              only  keys  which  have the KSK flag set will be converted to DS
              records and printed. Useful only in -f zone file mode.

       -c class
              Specifies the DNS class (default is IN). Useful only in -s
              keyset or -f zone file mode.

       -C     Generate CDS records rather than DS records.

       -f file
              Zone file mode: dnssec-dsfromkey's final dnsname argument is the
              DNS domain name of a zone whose master file  can  be  read  from
              file. If the zone name is the same as file, then it may be
              omitted.

              If file is "-", then the zone data is read from the standard
              input. This makes it possible to use the output of the dig command
              as input, as in:

              dig dnskey example.com | dnssec-dsfromkey -f - example.com

       -h     Prints usage information.

       -K directory
              Look for key files or keyset- files in directory.

       -s     Keyset mode: dnssec-dsfromkey's final dnsname  argument  is  the
              DNS domain name used to locate a keyset- file.

       -T TTL Specifies the TTL of the DS records. By default the TTL is
              omitted.

       -v level
              Sets the debugging level.

       -V     Prints version information.

EXAMPLE
       To build the SHA-256 DS RR  from  the  Kexample.com.+003+26160  keyfile
       name, you can issue the following command:

       dnssec-dsfromkey -2 Kexample.com.+003+26160

       The command would print something like:

       example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94
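
       The DNSKEY-to-DS conversion described above, as an added Python example
       (not ISC's code): per RFC 4034 the digest covers the owner name in
       canonical wire form followed by the DNSKEY RDATA, and the key tag is a
       checksum of that RDATA. The names ds_from_zone, wire_name and key_tag
       and the sample keys are constructed for illustration; it assumes
       single-line DNSKEY records with unescaped owner names and, like -f mode
       without -A, skips keys that lack the KSK flag.

```python
import base64
import hashlib

# Digest names accepted by -a, mapped to DS digest type numbers.
DIGESTS = {"SHA1": (1, hashlib.sha1), "SHA256": (2, hashlib.sha256),
           "SHA384": (4, hashlib.sha384)}

def wire_name(name):
    """Canonical wire form: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag checksum from RFC 4034 Appendix B (not for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_from_zone(text, algs=("SHA-256",), include_zsk=False):
    """Return DS lines for the single-line DNSKEY records found in text."""
    out = []
    for line in text.splitlines():
        tok = line.split(";", 1)[0].split()      # drop comments (dig output)
        if "DNSKEY" not in tok[1:] or "RRSIG" in tok[1:4]:
            continue                             # not a DNSKEY record
        i = tok.index("DNSKEY", 1)
        flags, proto, alg = (int(t) for t in tok[i + 1:i + 4])
        if not (flags & 0x0001 or include_zsk):  # SEP bit marks a KSK
            continue
        pub = base64.b64decode("".join(tok[i + 4:]))
        rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pub
        for a in algs:
            dtype, hasher = DIGESTS[a.upper().replace("-", "")]
            digest = hasher(wire_name(tok[0]) + rdata).hexdigest().upper()
            out.append(f"{tok[0]} IN DS {key_tag(rdata)} {alg} {dtype} {digest}")
    return out

# Constructed sample (not a real key): a KSK and a ZSK with dummy key bytes.
PUB = base64.b64encode(bytes(range(64))).decode()
SAMPLE = f"""; constructed zone fragment
example.com. 3600 IN DNSKEY 257 3 13 {PUB}
example.com. 3600 IN DNSKEY 256 3 13 {PUB}
"""

if __name__ == "__main__":
    print("\n".join(ds_from_zone(SAMPLE, algs=("SHA-256", "SHA-384"))))
```

       Comparing such output with the DS RRset published in the parent zone
       shows whether the delegation still matches the child's KSK.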

FILES
       The keyfile can be designated by the key identification
       Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as
       generated by dnssec-keygen(8).

       The keyset file name is built from the directory,  the  string  keyset-
       and the dnsname.

CAVEAT
       A keyfile error can give a "file not found" even if the file exists.

SEE ALSO
       dnssec-keygen(8),  dnssec-signzone(8),  BIND  9 Administrator Reference
       Manual, RFC 3658 (DS RRs), RFC 4509 (SHA-256  for  DS  RRs),  RFC  6605
       (SHA-384 for DS RRs), RFC 7344 (CDS and CDNSKEY RRs).

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2020, Internet Systems Consortium

9.16.8-Debian                     2020-10-13               DNSSEC-DSFROMKEY(8)
