Name

dnssec-dsfromkey — DNSSEC DS RR generation tool

Synopsis

dnssec-dsfromkey [ -1 | -2 | -a alg ] [ -C | -l domain ] [-T TTL] [-v level] [-K directory] {keyfile}

dnssec-dsfromkey [ -1 | -2 | -a alg ] [ -C | -l domain ] [-T TTL] [-v level] [-c class] [-A] {-f file} [dnsname]

dnssec-dsfromkey [ -1 | -2 | -a alg ] [ -C | -l domain ] [-T TTL] [-v level] [-c class] [-K directory] {-s} {dnsname}

dnssec-dsfromkey [ -h | -V ]

DESCRIPTION

The dnssec-dsfromkey command outputs DS (Delegation Signer) resource records (RRs) and other similarly-constructed RRs: with the -l option it outputs DLV (DNSSEC Lookaside Validation) RRs; or with the -C it outputs CDS (Child DS) RRs.

The input keys can be specified in a number of ways:

By default, dnssec-dsfromkey reads a key file named like Knnnn.+aaa+iiiii.key, as generated by dnssec-keygen.

With the -f file option, dnssec-dsfromkey reads keys from a zone file or partial zone file (which can contain just the DNSKEY records).

With the -s option, dnssec-dsfromkey reads a keyset- file, as generated by dnssec-keygen -C.

OPTIONS

-1

An abbreviation for -a SHA1

-2

An abbreviation for -a SHA-256

-a algorithm

Specify a digest algorithm to use when converting DNSKEY records to DS records. This option can be repeated, so that multiple DS records are created for each DNSKEY record.

The algorithm must be one of SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is to use both SHA-1 and SHA-256.

-A

Include ZSKs when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in -f zone file mode.

-c class

Specifies the DNS class (default is IN). Useful only in -s keyset or -f zone file mode.

-C

Generate CDS records rather than DS records. This is mutually exclusive with the -l option for generating DLV records.

-f file

Zone file mode: dnssec-dsfromkey's final dnsname argument is the DNS domain name of a zone whose master file can be read from file. If the zone name is the same as file, then it may be omitted.

If file is "-", then the zone data is read from the standard input. This makes it possible to use the output of the dig command as input, as in:

dig dnskey example.com | dnssec-dsfromkey -f - example.com

-h

Prints usage information.

-K directory

Look for key files or keyset- files in directory.

-l domain

Generate a DLV set instead of a DS set. The specified domain is appended to the name for each record in the set. This is mutually exclusive with the -C option for generating CDS records.

-s

Keyset mode: dnssec-dsfromkey's final dnsname argument is the DNS domain name used to locate a keyset- file.

-T TTL

Specifies the TTL of the DS records. By default the TTL is omitted.

-v level

Sets the debugging level.

-V

Prints version information.

EXAMPLE

To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile name, you can issue the following command:

dnssec-dsfromkey -2 Kexample.com.+003+26160

The command would print something like:

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94

FILES

The keyfile can be designated by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).

The keyset file name is built from the directory, the string keyset- and the dnsname.

CAVEAT

A keyfile error can give a "file not found" even if the file exists.

SEE ALSO

dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 3658 (DS RRs), RFC 4431 (DLV RRs), RFC 4509 (SHA-256 for DS RRs), RFC 6605 (SHA-384 for DS RRs), RFC 7344 (CDS and CDNSKEY RRs).

BIND 9.11.32 (Extended Support Version)