Skip site navigation (1)Skip section navigation (2)

FreeBSD Manual Pages

  
 
  

home | help 
DNSSEC-DSFROMKEY(1)		    BIND 9		   DNSSEC-DSFROMKEY(1)

NAME
       dnssec-dsfromkey	- DNSSEC DS RR generation tool

SYNOPSIS
       dnssec-dsfromkey	 [  -1	| -2 | -a alg ]	[ -C ] [-T TTL]	[-v level] [-K
       directory] {keyfile}

       dnssec-dsfromkey	[ -1 | -2 | -a alg ] [ -C ] [-T	TTL]  [-v  level]  [-c
       class] [-A] {-f file} [dnsname]

       dnssec-dsfromkey	 [  -1	| -2 | -a alg ]	[ -C ] [-T TTL]	[-v level] [-c
       class] [-K directory] {-s} {dnsname}

       dnssec-dsfromkey	[ -h | -V ]

DESCRIPTION
       The dnssec-dsfromkey command outputs DS	(Delegation  Signer)  resource
       records (RRs), or CDS (Child DS)	RRs with the -C	option.

       By  default,  only  KSKs	are converted (keys with flags = 257).	The -A
       option includes ZSKs (flags = 256).  Revoked keys are never included.

       The input keys can be specified in a number of ways:

       By default, dnssec-dsfromkey reads a  key  file	named  in  the	format
       Knnnn.+aaa+iiiii.key, as	generated by dnssec-keygen.

       With  the  -f file option, dnssec-dsfromkey reads keys from a zone file
       or partial zone file (which can contain just the	DNSKEY records).

       With the	-s option, dnssec-dsfromkey reads a keyset- file, as generated
       by dnssec-keygen	-C.

OPTIONS
       -1     This option is an	abbreviation for -a SHA1.  This	digest is dep-
	      recated.

       -2     This option is an	abbreviation for -a SHA-256.

       -a algorithm
	      This option specifies a digest algorithm to use when  converting
	      DNSKEY  records  to  DS records. This option can be repeated, so
	      that multiple DS records are created for each DNSKEY record.

	      The algorithm must be one	of  SHA-1  (deprecated),  SHA-256,  or
	      SHA-384.	These  values are case-insensitive, and	the hyphen may
	      be omitted.  If  no  algorithm  is  specified,  the  default  is
	      SHA-256.

       -A     This option indicates that ZSKs are to be	included when generat-
	      ing  DS  records.	 Without this option, only keys	which have the
	      KSK flag set are converted to DS records and printed.  This  op-
	      tion is only useful in -f	zone file mode.

       -c class
	      This option specifies the	DNS class; the default is IN. This op-
	      tion is only useful in -s	keyset or -f zone file mode.

       -C     This option generates CDS	records	rather than DS records.

       -f file
	      This  option sets	zone file mode,	in which the final dnsname ar-
	      gument of	dnssec-dsfromkey is the	DNS  domain  name  of  a  zone
	      whose master file	can be read from file. If the zone name	is the
	      same as file, then it may	be omitted.

	      If  file	is -, then the zone data is read from the standard in-
	      put. This	makes it possible to use the output of the dig command
	      as input,	as in:

	      dig dnskey example.com | dnssec-dsfromkey	-f - example.com

       -h     This option prints usage information.

       -K directory
	      This option tells	BIND 9 to look for key files or	keyset-	 files
	      in directory.

       -s     This  option enables keyset mode,	in which the final dnsname ar-
	      gument from dnssec-dsfromkey is the DNS domain name used to  lo-
	      cate a keyset- file.

       -T TTL This  option specifies the TTL of	the DS records.	By default the
	      TTL is omitted.

       -v level
	      This option sets the debugging level.

       -V     This option prints version information.

EXAMPLE
       To build	the SHA-256 DS RR from	the  Kexample.com.+003+26160  keyfile,
       issue the following command:

       dnssec-dsfromkey	-2 Kexample.com.+003+26160

       The command returns something similar to:

       example.com.	     IN		 DS	     26160	   5	     2
       3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94

FILES
       The keyfile can be designated by	the key	identification	Knnnn.+aaa+ii-
       iii  or	the  full  file	 name  Knnnn.+aaa+iiiii.key,  as  generated by
       dnssec-keygen.

       The keyset file name is built from the directory, the  string  keyset-,
       and the dnsname.

CAVEAT
       A keyfile error may return "file	not found," even if the	file exists.

SEE ALSO
       dnssec-keygen(8),  dnssec-signzone(8),  BIND  9 Administrator Reference
       Manual, RFC 3658	(DS RRs), RFC 4509 (SHA-256  for  DS  RRs),  RFC  6605
       (SHA-384	for DS RRs), RFC 7344 (CDS and CDNSKEY RRs).

AUTHOR
       Internet	Systems	Consortium

COPYRIGHT
       2025, Internet Systems Consortium

9.20.15				  2025-10-18		   DNSSEC-DSFROMKEY(1)

Want to link to this manual page? Use this URL:
<https://man.freebsd.org/cgi/man.cgi?query=dnssec-dsfromkey&sektion=1&manpath=FreeBSD+Ports+15.0>

home | help