dnssec-dsfromkey — DNSSEC DS RR generation tool
dnssec-dsfromkey
[-v
] [level
-1
] [-2
] [-a
] {keyfile}alg
dnssec-dsfromkey
{-s} [-v
] [level
-1
] [-2
] [-a
] [alg
-c
] [class
-d
] {dnsname}dir
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256).
Use SHA-256 as the digest algorithm.
algorithm
Select the digest algorithm. The value of
algorithm
must be one of SHA-1 (SHA1) or
SHA-256 (SHA256). These values are case insensitive.
level
Sets the debugging level.
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
class
Specifies the DNS class (default is IN), useful only in the keyset mode.
directory
Look for keyset
files in
directory
as the directory, ignored when
not in the keyset mode.
To build the SHA-256 DS RR from the
Kexample.com.+003+26160
keyfile name, the following command would be issued:
dnssec-dsfromkey -2 Kexample.com.+003+26160
The command would print something like:
example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94
The keyfile can be designed by the key identification
Knnnn.+aaa+iiiii
or the full file name
Knnnn.+aaa+iiiii.key
as generated by
dnssec-keygen(8).
The keyset file name is built from the directory
,
the string keyset-
and the
dnsname
.