dnssec-dsfromkey Command

Purpose

Generates delegation signer (DS) resource records (RRs) from DNSKEY records.

Syntax

dnssec-dsfromkey [ -1 | -2 | -a algorithm ] [ -C ] [-T ttl] [-v level] [-K directory] {keyfile}

dnssec-dsfromkey [ -1 | -2 | -a algorithm ] [ -C ] [-T ttl] [-v level] [-c class] [-A] {-f file} [dnsname]

dnssec-dsfromkey [ -1 | -2 | -a algorithm ] [ -C ] [-T ttl] [-v level] [-c class] [-K directory] {-s} {dnsname}

dnssec-dsfromkey [-h | -V ]

Description

The dnssec-dsfromkey command outputs delegation signer (DS) resource records (RRs), or child delegation signer (CDS) RRs when the -C option is used. By default, only key-signing keys (KSKs), that is, keys whose flags field is 257, are converted into DS records. The -A option also converts zone-signing keys (ZSKs), that is, keys whose flags field is 256. Revoked keys are never converted into DS records. The input keys can be specified by using the following methods:
  • By default, the dnssec-dsfromkey command reads a key file whose name has the format Knnnn.+aaa+iiiii.key, as generated by the dnssec-keygen command.
  • With the -f option, the dnssec-dsfromkey command reads keys from a zone file or a partial zone file, which may contain only the DNSKEY records.
  • With the -s option, the dnssec-dsfromkey command reads a keyset- file, as generated by the dnssec-keygen -C command.
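The derivation behind this command is specified in RFC 4034: the DS digest is the hash of the canonical (lowercased, wire-format) owner name concatenated with the DNSKEY RDATA, and the key tag is the RFC 4034 Appendix B checksum of that RDATA. The following Python script is an added example that reproduces that derivation, including the KSK/ZSK/revoked selection rules described above and the three digest algorithms the -a option accepts; it is not code from this page or from BIND. The function names (ds_records, key_tag, parse_dnskey) are this example's own, and the DNSKEY lines in SAMPLE_ZONE are constructed, not real keys. A defender can use the same logic to check that the DS published at a parent zone actually matches the child's current DNSKEY before and after a key rollover.

```python
import base64
import hashlib
import struct

# DS digest types (RFC 4034, RFC 4509, RFC 6605) mapped to hashlib names.
# These are the three values the -a option accepts on this page.
DIGEST_TYPES = {"SHA-1": (1, "sha1"), "SHA-256": (2, "sha256"), "SHA-384": (4, "sha384")}

ZONE_KEY_FLAG = 0x0100  # bit 7 of the DNSKEY flags field
SEP_FLAG = 0x0001       # "KSK" bit: 257 = zone key + SEP, 256 = zone key only
REVOKE_FLAG = 0x0080    # RFC 5011 revoke bit; revoked keys are never converted


def normalize_algorithm(name):
    """Resolve 'sha256', 'Sha-1', 'SHA384' etc. (case-insensitive, hyphen optional)."""
    wanted = name.upper().replace("-", "")
    for canonical, value in DIGEST_TYPES.items():
        if canonical.replace("-", "") == wanted:
            return value
    raise ValueError(f"unsupported digest algorithm: {name}")


def owner_to_wire(name):
    """Canonical wire form of the owner name: lowercase labels, length-prefixed, root label."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def key_tag(rdata):
    """Key tag over DNSKEY RDATA as in RFC 4034 Appendix B (not valid for RSA/MD5, alg 1)."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += (byte << 8) if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line):
    """Parse an 'owner [ttl] [class] DNSKEY flags protocol algorithm base64' line."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    owner = fields[0].lower().rstrip(".") + "."
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + pubkey
    return owner, flags, algorithm, rdata


def ds_records(dnskey_lines, algorithms=("SHA-256",), include_zsk=False, cds=False, dns_class="IN"):
    """Return DS (or CDS) presentation-format records for the selected keys.

    Selection mirrors the page: KSKs (257) by default, ZSKs (256) only with
    include_zsk, revoked keys never. One record per (key, digest algorithm).
    """
    records = []
    for line in dnskey_lines:
        owner, flags, algorithm, rdata = parse_dnskey(line)
        if flags & REVOKE_FLAG or not flags & ZONE_KEY_FLAG:
            continue
        if not include_zsk and not flags & SEP_FLAG:
            continue
        for alg_name in algorithms:
            digest_type, hash_name = normalize_algorithm(alg_name)
            # RFC 4034 section 5.1.4: digest = hash(canonical owner name | DNSKEY RDATA)
            digest = hashlib.new(hash_name, owner_to_wire(owner) + rdata).hexdigest().upper()
            rrtype = "CDS" if cds else "DS"
            records.append(f"{owner} {dns_class} {rrtype} {key_tag(rdata)} {algorithm} {digest_type} {digest}")
    return records


def fake_pubkey(seed):
    """Constructed, NOT real, RSA public key in DNSKEY form: exponent length, exponent, modulus."""
    return base64.b64encode(b"\x03\x01\x00\x01" + bytes((seed + i) % 256 for i in range(64))).decode()


# Constructed zone snippet: a KSK, a ZSK and a revoked KSK (257 | 128 = 385).
SAMPLE_ZONE = [
    f"example.com. 3600 IN DNSKEY 257 3 8 {fake_pubkey(1)}",
    f"example.com. 3600 IN DNSKEY 256 3 8 {fake_pubkey(2)}",
    f"example.com. 3600 IN DNSKEY 385 3 8 {fake_pubkey(3)}",
]

if __name__ == "__main__":
    # Equivalent in spirit to: dnssec-dsfromkey -1 -2 -A -f zonefile example.com
    for rr in ds_records(SAMPLE_ZONE, algorithms=("SHA-1", "SHA-256"), include_zsk=True):
        print(rr)
```

The owner name is lowercased before hashing because DS digests are computed over the canonical form of the name; a DS derived from "EXAMPLE.COM." must equal one derived from "example.com.", which is also why comparing a parent's DS against a child's DNSKEY should never be done with a case-sensitive string match on the owner.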

Flags

-1
This option is an abbreviation for -a SHA-1.
-2
This option is an abbreviation for -a SHA-256.
-a algorithm

Specifies the digest algorithm to use when converting DNSKEY records to DS records. This option can be given multiple times to create multiple DS records for each DNSKEY record.

The value of algorithm must be SHA-1, SHA-256, or SHA-384. These values are case-insensitive, and the hyphen can be omitted. The default value is SHA-256.

-A
Indicates that ZSKs must also be included when generating DS records. Without this option, only keys that have the KSK flag set are converted to DS records and printed. This flag is useful only when the -f flag is also used.
-c class
Specifies the Domain Name System (DNS) class. The default value is IN. This flag is useful only when the -f flag or the -s flag is also used.
-C
Generates CDS records instead of DS records.
-f file

Sets zone file mode, in which the final dnsname argument of the dnssec-dsfromkey command is the DNS domain name of a zone whose primary file is read from file. If the zone name is the same as the file argument, the dnsname argument can be omitted.

If the value of the file argument is - (hyphen), the zone data is read from standard input, which allows the output of the dig command to be used as input. For example:
dig dnskey example.com | dnssec-dsfromkey -f - example.com
-h
Prints the usage information.
-K directory
Specifies the directory in which BIND 9 looks for key files or keyset- files.
-s
Enables keyset mode, in which the final dnsname argument of the dnssec-dsfromkey command is the DNS domain name that is used to locate a keyset- file.
-T ttl
Specifies the time-to-live (TTL) of the generated DS records. By default, no TTL is printed.
-v level
Sets the debugging level.
-V
Prints the version information.

Example

To build the SHA-256 DS RR from the Kexample.com.+003+26160 key file, enter the following command:
dnssec-dsfromkey -2 Kexample.com.+003+26160
Output similar to the following is displayed:
example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94

Files

The key file can be designated by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key, as generated by the dnssec-keygen command.

The name of the key set is built from the directory name, the string keyset-, and the dnsname.

Note: An error while reading a key file might be reported as file not found, even if the file exists.