DS(1)			    General Commands Manual			 DS(1)

NAME
       ds -- generate DNSSEC delegation signer record

SYNOPSIS
       ds [-d digest] [-t ttl] [-c class] domain keyfile

DESCRIPTION
       ds writes a DNSSEC DS record to standard output.

       The record is generated for the child zone domain and public key given
       by keyfile.  The child zone should have a corresponding self-signed
       DNSKEY record with the Secure Entry Point (SEP) flag set.

       A DS record delegates record signing for a sub-zone to a particular
       key, establishing a chain of trust from a parent zone to its child.  It
       contains a signature algorithm identifier, the hash of the public key,
       and a "tag" used to identify the key.  It indicates that the signature
       of the DNSKEY RRSet of the child zone may be verified with the
       described key.

       DS records are usually configured through a web form provided by the
       domain registrar.

OPTIONS
       -d      The digest algorithm to use.  The following algorithms are
               supported:
                  SHA1 (1)
                  SHA256 (2, default)
                  SHA384 (4)

       -a      The signature algorithm to use with the key.  This option can
               be used to disambiguate the hash used with RSA keys.  Supported
               algorithms are the same as in dnskey(1).

       -t      The TTL value of the record.  If not specified, the TTL is
               omitted.

       -c      The record class.  Defaults to IN.

EXAMPLES
       Generate a DS record for the example.com EC signing key, key.pem:

	     $ ds example.com. key.pem
	     example.com.    IN	     DS	     32716 13 2	ffd819c99ed62247e5fa61711a53fc0202a35970ca8ec78d874e2667556c594b
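
       The Python code below is an added example, not part of ds or its
       documentation.  It recomputes the key tag and digest fields of a DS
       record from DNSKEY RDATA as defined in RFC 4034, so a DS line shown by
       a registrar can be checked against the zone's key.  The function names
       and the sample key bytes are constructed for illustration.

```python
import hashlib
import struct

# Digest type numbers as listed under -d on this page.
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
SEP_FLAG = 0x0001  # Secure Entry Point bit of the DNSKEY flags field


def name_to_wire(name: str) -> bytes:
    """Canonical (lowercase) wire form of a fully qualified domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1, RSA/MD5)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def make_ds(owner: str, rdata: bytes, digest_type: int = 2) -> str:
    """Build DS presentation text from DNSKEY RDATA (flags, protocol, alg, key)."""
    flags, protocol, algorithm = struct.unpack("!HBB", rdata[:4])
    if protocol != 3:
        raise ValueError("DNSKEY protocol field must be 3")
    if not flags & SEP_FLAG:
        raise ValueError("DNSKEY lacks the SEP flag expected for a DS target")
    # RFC 4034 5.1.4: digest = hash(owner name in wire form | DNSKEY RDATA)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest()
    return f"{owner}\tIN\tDS\t{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def ds_matches(owner: str, rdata: bytes, published: str) -> bool:
    """True if a published DS line names this key (ignores spacing and hex case)."""
    fields = published.split()
    expected = make_ds(owner, rdata, int(fields[-2])).split()
    return [f.lower() for f in fields[-4:]] == [f.lower() for f in expected[-4:]]


# Constructed sample: flags 257 (SEP set), protocol 3, algorithm 13, dummy key.
SAMPLE_RDATA = struct.pack("!HBB", 257, 3, 13) + bytes(range(64))

if __name__ == "__main__":
    print(make_ds("example.com.", SAMPLE_RDATA))
```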

SEE ALSO
       dnskey(1), nsec(1), rrsig(1), tlsa(1)

FreeBSD	ports 15.0		  May 9, 2021				 DS(1)
