dnssec-dsfromkey - DNSSEC DS RR generation tool
dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] keyfile
dnssec-dsfromkey -s [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] keyfile
The following options are supported:
Use SHA-1 as the digest algorithm. The default is to use both SHA-1 and SHA-256.
Use SHA-256 as the digest algorithm.
Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1) or SHA-256 (SHA256). These values are case-insensitive.
Sets the debugging level.
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. The –c and –d options have meaning only in this mode.
Specifies the DNS class (default is IN); useful only in the keyset mode.
Look for keyset files in directory as the directory; ignored when not in the keyset mode.
To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile name, use a command such as the following:
# dnssec-dsfromkey -2 Kexample.com.+003+26160
This command would produce output similar to the following:
example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94
The keyfile can be designated by the key identification Knnnn.+aaa+iiiii, or the full file name Knnnn.+aaa+iiiii.key , as generated by dnssec-keygen(1M).
The keyset file name is built from the directory, the string keyset- and the dnsname.
See attributes(5) for descriptions of the following attributes:
RFC 3658, RFC 4509
See the BIND 9 Administrator's Reference Manual. As of the date of publication of this man page, this document is available at https://kb.isc.org/article/AA-01031https://kb.isc.org/article/AA-01031 .
A keyfile error can produce a “file not found” message, even if the file exists.