NAME
dnssec-dsfromkey - DNSSEC DS RR generation tool

SYNOPSIS
dnssec-dsfromkey [-1] [-2] [-a alg] [-C] [-l domain] [-T TTL] [-v level] [-K directory] keyfile
dnssec-dsfromkey [-1] [-2] [-a alg] [-C] [-l domain] [-T TTL] [-v level] [-c class] [-A] [-f file] dnsname
dnssec-dsfromkey [-1] [-2] [-a alg] [-C] [-l domain] [-T TTL] [-v level] [-c class] [-K directory] -s dnsname
dnssec-dsfromkey [-h] [-V]

DESCRIPTION
The dnssec-dsfromkey command outputs DS (Delegation Signer) resource records (RRs) and other similarly constructed RRs: with the -l option it outputs DLV (DNSSEC Lookaside Validation) RRs, and with the -C option it outputs CDS (Child DS) RRs.

The input keys can be specified in a number of ways:

By default, dnssec-dsfromkey reads a key file named like Knnnn.+aaa+iiiii.key, as generated by dnssec-keygen.

With the -f file option, dnssec-dsfromkey reads keys from a zone file or partial zone file (which can contain just the DNSKEY records).

With the -s option, dnssec-dsfromkey reads a keyset- file, as generated by dnssec-keygen -C.


OPTIONS
-1

An abbreviation for -a SHA-1.

-2

An abbreviation for -a SHA-256.

-a <algorithm>

Specify a digest algorithm to use when converting DNSKEY records to DS records. This option can be repeated, so that multiple DS records are created for each DNSKEY record.

The <algorithm> must be one of SHA-1, SHA-256, or SHA-384. These values are case insensitive, and the hyphen may be omitted. If no algorithm is specified, the default is to use both SHA-1 and SHA-256.

-A

Include ZSKs when generating DS records. Without this option, only keys which have the KSK flag set are converted to DS records and printed. Useful only in -f zone file mode.

-c <class>

Specifies the DNS class (default is IN). Useful only in -s keyset or -f zone file mode.

-C

Generate CDS records rather than DS records. This is mutually exclusive with the -l option for generating DLV records.

-f <file>

Zone file mode: dnssec-dsfromkey's final <dnsname> argument is the DNS domain name of a zone whose master file can be read from file. If the zone name is the same as file, then it may be omitted.

If <file> is "-", then the zone data is read from the standard input. This makes it possible to use the output of the dig command as input, as in:

dig dnskey example.com | dnssec-dsfromkey -f - example.com

-h

Prints usage information.

-K <directory>

Look for key files or keyset- files in directory.

-l <domain>

Generate a DLV set instead of a DS set. The specified <domain> is appended to the name for each record in the set. This is mutually exclusive with the -C option for generating CDS records.

-s

Keyset mode: dnssec-dsfromkey's final <dnsname> argument is the DNS domain name used to locate a keyset- file.

-T <TTL>

Specifies the TTL of the DS records. By default the TTL is omitted.

-v <level>

Sets the debugging level.

-V

Prints version information.

EXAMPLE
To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile name, you can issue the following command:

dnssec-dsfromkey -2 Kexample.com.+003+26160

The command would print something like:

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94
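The conversion behind that output is the one RFC 4034 specifies: the DS RDATA carries the key tag, the DNSKEY algorithm number, the digest type, and a digest computed over the owner name in canonical wire form followed by the DNSKEY RDATA. The following Python is an added example, not code from this manual or from BIND; it reimplements that computation so a DS record printed by dnssec-dsfromkey (or one already published in a parent zone) can be cross-checked independently of the tool. The DNSKEY lines it parses are constructed with arbitrary public-key bytes, and every function name below is the example's own.

```python
# Added example (not part of the dnssec-dsfromkey manual or the BIND source):
# build DS/CDS records from a DNSKEY record as RFC 4034 section 5.1.4 and
# Appendix B specify, mirroring the -1/-2/-a, -A, -T and -C options.
import base64
import hashlib

# DS digest types: RFC 4034 (SHA-1), RFC 4509 (SHA-256), RFC 6605 (SHA-384).
DIGEST_TYPES = {
    1: ("SHA-1", hashlib.sha1),
    2: ("SHA-256", hashlib.sha256),
    4: ("SHA-384", hashlib.sha384),
}


def owner_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root terminator."""
    labels = [lbl for lbl in name.lower().rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("DNS label longer than 63 octets")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (the iiiii part of a Knnnn.+aaa+iiiii file name)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """Hex digest over owner-name wire form + DNSKEY RDATA, upper-cased like dnssec-dsfromkey prints it."""
    if digest_type not in DIGEST_TYPES:
        raise ValueError(f"unsupported DS digest type {digest_type}")
    _, hash_fn = DIGEST_TYPES[digest_type]
    return hash_fn(owner_wire(owner) + rdata).hexdigest().upper()


def parse_dnskey(line: str):
    """Parse a presentation-format DNSKEY RR (as dig prints it) into (owner, rdata)."""
    fields = line.split()
    idx = fields.index("DNSKEY")  # owner [ttl] [class] DNSKEY flags proto alg base64...
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def ds_record(owner: str, rdata: bytes, digest_type: int, ttl=None, ds_type="DS") -> str:
    """Render one DS (or CDS) RR in the same field order dnssec-dsfromkey uses."""
    algorithm = rdata[3]
    parts = [owner if owner.endswith(".") else owner + "."]
    if ttl is not None:  # -T: TTL is omitted unless asked for
        parts.append(str(ttl))
    parts += ["IN", ds_type, str(key_tag(rdata)), str(algorithm),
              str(digest_type), ds_digest(owner, rdata, digest_type)]
    return " ".join(parts)


def ds_from_dnskey_line(line, digest_types=(1, 2), ksk_only=True, ttl=None, ds_type="DS"):
    """DS records for one DNSKEY line; default digests SHA-1 + SHA-256, KSKs only (as without -A)."""
    owner, rdata = parse_dnskey(line)
    flags = int.from_bytes(rdata[:2], "big")
    if ksk_only and not flags & 0x0001:  # SEP bit marks the KSK
        return []
    return [ds_record(owner, rdata, dt, ttl, ds_type) for dt in digest_types]


# Constructed samples: not real keys, the public-key bytes are arbitrary.
_FAKE_PUBKEY = base64.b64encode(bytes(range(32))).decode()
SAMPLE_DNSKEY = "example.com. 3600 IN DNSKEY 257 3 8 " + _FAKE_PUBKEY  # KSK (flags 257)
SAMPLE_ZSK = "example.com. 3600 IN DNSKEY 256 3 8 " + _FAKE_PUBKEY     # ZSK (flags 256)

if __name__ == "__main__":
    for rec in ds_from_dnskey_line(SAMPLE_DNSKEY):
        print(rec)
```

Feeding it a real DNSKEY line from `dig dnskey example.com` in place of SAMPLE_DNSKEY should reproduce the key tag and digests that `dnssec-dsfromkey -f - example.com` prints; a DS in the parent zone that does not match a DS recomputed from the child's current DNSKEY is exactly the broken delegation a validating resolver will reject.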

FILES
The keyfile can be designated by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).

The keyset file name is built from the directory, the string keyset- and the dnsname.

CAVEAT
A keyfile error can give a "file not found" even if the file exists.

SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 3658 (DS RRs), RFC 4431 (DLV RRs), RFC 4509 (SHA-256 for DS RRs), RFC 6605 (SHA-384 for DS RRs), RFC 7344 (CDS and CDNSKEY RRs).