Man Pages

dnssec-dsfromkey(8) - phpMan dnssec-dsfromkey(8) - phpMan

Command: man perldoc info search(apropos)  

DNSSEC-DSFROMKEY(8)                  BIND9                 DNSSEC-DSFROMKEY(8)

       dnssec-dsfromkey - DNSSEC DS RR generation tool

       dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] [-l domain] {keyfile}

       dnssec-dsfromkey {-s} [-1] [-2] [-a alg] [-K directory] [-l domain] [-s] [-c class] [-f file] [-A] [-v level]

       dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509,
       for the given key(s).

           Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256).

           Use SHA-256 as the digest algorithm.

       -a algorithm
           Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1), SHA-256 (SHA256) or GOST.
           These values are case insensitive.

       -K directory
           Look for key files (or, in keyset mode, keyset- files) in directory.

       -f file
           Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file,
           which can be read from file. If the zone name is the same as file, then it may be omitted.

           Include ZSK's when generating DS records. Without this option, only keys which have the KSK flag set will
           be converted to DS records and printed. Useful only in zone file mode.

       -l domain
           Generate a DLV set instead of a DS set. The specified domain is appended to the name for each record in the
           set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.

           Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.

       -c class
           Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.

       -v level
           Sets the debugging level.

       To build the SHA-256 DS RR from the keyfile name, the following command would be

       dnssec-dsfromkey -2

       The command would print something like: IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94

       The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name
       Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).

       The keyset file name is built from the directory, the string keyset- and the dnsname.

       A keyfile error can give a "file not found" even if the file exists.

       dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 3658, RFC 4431.  RFC 4509.

       Internet Systems Consortium

       Copyright (C) 2008-2010 Internet Systems Consortium, Inc. ("ISC")

BIND9                           August 26, 2009            DNSSEC-DSFROMKEY(8)