dnssec−dsfromkey − DNSSEC DS RR generation tool
dnssec−dsfromkey [−v level] [−1] [−2] [−a alg] {keyfile} |
|
dnssec−dsfromkey {−s} [−v level] [−1] [−2] [−a alg] [−c class] [−d dir] {dnsname} |
dnssec−dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
−1
Use SHA−1 as the digest algorithm (the default is to use both SHA−1 and SHA−256).
−2
Use SHA−256 as the digest algorithm.
−a algorithm
Select the digest algorithm. The value of algorithm must be one of SHA−1 (SHA1) or SHA−256 (SHA256). These values are case insensitive.
−v level
Sets the debugging level.
−s
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
−c class
Specifies the DNS class (default is IN), useful only in the keyset mode.
−d directory
Look for keyset files in directory as the directory, ignored when not in the keyset mode.
To build the SHA−256 DS RR from the Kexample.com.+003+26160 keyfile name, the following command would be issued:
dnssec−dsfromkey −2 Kexample.com.+003+26160
The command would print something like:
example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94
The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec−keygen(8).
The keyset file name is built from the directory, the string keyset− and the dnsname.
A keyfile error can give a "file not found" even if the file exists.
dnssec−keygen(8), dnssec−signzone(8), BIND 9 Administrator Reference Manual, RFC 3658, RFC 4509.
Internet Systems Consortium
Copyright © 2008 Internet Systems Consortium, Inc. ("ISC")