From 582f8b9a8d170a80ef67475bddb8ad5cf7cd7cad Mon Sep 17 00:00:00 2001 From: Mark Andrews Date: Fri, 7 Nov 2008 02:28:49 +0000 Subject: [PATCH] 2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records from keyset and .key files. [RT #18694] --- CHANGES | 3 + bin/dnssec/Makefile.in | 19 +- bin/dnssec/dnssec-dsfromkey.8 | 123 ++++++++ bin/dnssec/dnssec-dsfromkey.c | 388 ++++++++++++++++++++++++ bin/dnssec/dnssec-dsfromkey.docbook | 426 +++++++++++++++++++++++++++ bin/dnssec/dnssec-dsfromkey.html | 262 ++++++++++++++++ doc/arm/Bv9ARM-book.xml | 3 +- doc/arm/man.dnssec-dsfromkey.html | 169 +++++++++++ doc/arm/man.dnssec-keyfromlabel.html | 8 +- doc/arm/man.host.html | 10 +- 10 files changed, 1394 insertions(+), 17 deletions(-) create mode 100644 bin/dnssec/dnssec-dsfromkey.8 create mode 100644 bin/dnssec/dnssec-dsfromkey.c create mode 100644 bin/dnssec/dnssec-dsfromkey.docbook create mode 100644 bin/dnssec/dnssec-dsfromkey.html create mode 100644 doc/arm/man.dnssec-dsfromkey.html diff --git a/CHANGES b/CHANGES index 65bd5e7fcd..639d837dd1 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +2488. [func] Added a tool, dnssec-dsfromkey, to generate DS records + from keyset and .key files. [RT #18694] + 2487. [bug] Give TCP connections longer to complete. [RT #18675] 2486. [func] The default locations for named.pid and lwresd.pid diff --git a/bin/dnssec/Makefile.in b/bin/dnssec/Makefile.in index fe3edb4988..d59a38fb11 100644 --- a/bin/dnssec/Makefile.in +++ b/bin/dnssec/Makefile.in @@ -13,7 +13,7 @@ # OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR # PERFORMANCE OF THIS SOFTWARE. -# $Id: Makefile.in,v 1.34 2008/04/01 23:47:10 tbox Exp $ +# $Id: Makefile.in,v 1.35 2008/11/07 02:28:49 marka Exp $ srcdir = @srcdir@ VPATH = @srcdir@ 
@@ -40,22 +40,27 @@ LIBS = ${DNSLIBS} ${ISCLIBS} @LIBS@ # Alphabetically TARGETS = dnssec-keygen@EXEEXT@ dnssec-signzone@EXEEXT@ \ - dnssec-keyfromlabel@EXEEXT@ + dnssec-keyfromlabel@EXEEXT@ dnssec-dsfromkey@EXEEXT@ OBJS = dnssectool.@O@ -SRCS = dnssec-keyfromlabel.c dnssec-keygen.c dnssec-signzone.c \ - dnssectool.c +SRCS = dnssec-dsfromkey.c dnssec-keyfromlabel.c dnssec-keygen.c \ + dnssec-signzone.c dnssectool.c -MANPAGES = dnssec-keyfromlabel.8 dnssec-keygen.8 dnssec-signzone.8 +MANPAGES = dnssec-dsfromkey.8 dnssec-keyfromlabel.8 dnssec-keygen.8 \ + dnssec-signzone.8 -HTMLPAGES = dnssec-keyfromlabel.html dnssec-keygen.html \ - dnssec-signzone.html +HTMLPAGES = dnssec-dsfromkey.html dnssec-keyfromlabel.html \ + dnssec-keygen.html dnssec-signzone.html MANOBJS = ${MANPAGES} ${HTMLPAGES} @BIND9_MAKE_RULES@ +dnssec-dsfromkey@EXEEXT@: dnssec-dsfromkey.@O@ ${OBJS} ${DEPLIBS} + ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ + dnssec-dsfromkey.@O@ ${OBJS} ${LIBS} + dnssec-keyfromlabel@EXEEXT@: dnssec-keyfromlabel.@O@ ${OBJS} ${DEPLIBS} ${LIBTOOL_MODE_LINK} ${PURIFY} ${CC} ${CFLAGS} ${LDFLAGS} -o $@ \ dnssec-keyfromlabel.@O@ ${OBJS} ${LIBS} diff --git a/bin/dnssec/dnssec-dsfromkey.8 b/bin/dnssec/dnssec-dsfromkey.8 new file mode 100644 index 0000000000..19425d1d84 --- /dev/null +++ b/bin/dnssec/dnssec-dsfromkey.8 
@@ -0,0 +1,123 @@ +.\" Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") +.\" +.\" Permission to use, copy, modify, and distribute this software for any +.\" purpose with or without fee is hereby granted, provided that the above +.\" copyright notice and this permission notice appear in all copies. +.\" +.\" THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH +.\" REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY +.\" AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, +.\" INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM +.\" LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE +.\" OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR +.\" PERFORMANCE OF THIS SOFTWARE. +.\" +.\" $Id: dnssec-dsfromkey.8,v 1.2 2008/11/07 02:28:49 marka Exp $ +.\" +.hy 0 +.ad l +.\" Title: dnssec-dsfromkey +.\" Author: +.\" Generator: DocBook XSL Stylesheets v1.73.2 +.\" Date: november 29, 2008 +.\" Manual: BIND9 +.\" Source: BIND9 +.\" +.TH "DNSSEC\-DSFROMKEY" "8" "november 29, 2008" "BIND9" "BIND9" +.\" disable hyphenation +.nh +.\" disable justification (adjust text to left margin only) +.ad l +.SH "NAME" +dnssec-dsfromkey - DNSSEC DS RR generation tool +.SH "SYNOPSIS" +.HP 17 +\fBdnssec\-dsfromkey\fR [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] {keyfile} +.HP 17 +\fBdnssec\-dsfromkey\fR {\-s} [\fB\-v\ \fR\fB\fIlevel\fR\fR] [\fB\-1\fR] [\fB\-2\fR] [\fB\-a\ \fR\fB\fIalg\fR\fR] [\fB\-c\ \fR\fB\fIclass\fR\fR] [\fB\-d\ \fR\fB\fIdir\fR\fR] {dnsname} +.SH "DESCRIPTION" +.PP +\fBdnssec\-dsfromkey\fR +outputs the DS RR for the given key(s) as defined in RFC 3658 and RFC 4509\. +.SH "OPTIONS" +.PP +\-1 +.RS 4 +Use SHA\-1 as the digest algorithm (the default is to use both SHA\-1 and SHA\-256)\. +.RE +.PP +\-2 +.RS 4 +Use SHA\-256 as the digest algorithm\. 
+.RE +.PP +\-a \fIalgorithm\fR +.RS 4 +Select the digest algorithm\. The value of +\fBalgorithm\fR +must be one of SHA\-1 (SHA1) or SHA\-256 (SHA256)\. These values are case insensitive\. +.RE +.PP +\-v \fIlevel\fR +.RS 4 +Sets the debugging level\. +.RE +.PP +\-s +.RS 4 +Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file\. Following options make sense only in this mode\. +.RE +.PP +\-c \fIclass\fR +.RS 4 +Specifies the DNS class (default is IN), useful only in the keyset mode\. +.RE +.PP +\-d \fIdirectory\fR +.RS 4 +Look for +\fIkeyset\fR +files in +\fBdirectory\fR +as the directory, ignored when not in the keyset mode\. +.RE +.SH "EXAMPLE" +.PP +To build the SHA\-256 DS RR from the +\fBKexample\.com\.+003+26160\fR +keyfile name, the following command would be issued: +.PP +\fBdnssec\-dsfromkey \-2 Kexample\.com\.+003+26160\fR +.PP +The command would print something like: +.PP +\fBexample\.com\. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94\fR +.SH "FILES" +.PP +The keyfile can be designed by the key identification +\fIKnnnn\.+aaa+iiiii\fR +or the full file name +\fIKnnnn\.+aaa+iiiii\.key\fR\. +.PP +The keyset file name is built from the +\fBdirectory\fR, the string +\fIkeyset\-\fR +and the +\fBdnsname\fR +with a trailing dot\. +.SH "CAVEAT" +.PP +A keyfile error can give a "file not found" even the file exists\. +.SH "SEE ALSO" +.PP +\fBdnssec-keygen\fR(8), +\fBdnssec-signzone\fR(8), +BIND 9 Administrator Reference Manual, +RFC 3658, +RFC 4509\. +.SH "AUTHOR" +.PP +Internet Systems Consortium +.SH "COPYRIGHT" +Copyright \(co 2008 Internet Systems Consortium, Inc. ("ISC") +.br diff --git a/bin/dnssec/dnssec-dsfromkey.c b/bin/dnssec/dnssec-dsfromkey.c new file mode 100644 index 0000000000..d3d1d06f4e --- /dev/null +++ b/bin/dnssec/dnssec-dsfromkey.c 
@@ -0,0 +1,388 @@ +/* + * Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC") + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH + * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY + * AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, + * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM + * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE + * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR + * PERFORMANCE OF THIS SOFTWARE. + */ + +/* $Id: dnssec-dsfromkey.c,v 1.2 2008/11/07 02:28:49 marka Exp $ */ + +/*! \file */ + +#include + +#include + +#include +#include +#include +#include +#include +#include +#include +#include + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include + +#include "dnssectool.h" + +const char *program = "dnssec-dsfromkey"; +int verbose; + +static dns_rdataclass_t rdclass; +static dns_fixedname_t fixed; +static dns_name_t *name = NULL; +static dns_db_t *db = NULL; +static dns_dbnode_t *node = NULL; +static dns_rdataset_t keyset; +static isc_mem_t *mctx = NULL; + +static void +loadkeys(char *dirname, char *setname) +{ + isc_result_t result; + char filename[1024]; + isc_buffer_t buf; + + dns_rdataset_init(&keyset); + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + + isc_buffer_init(&buf, setname, strlen(setname)); + isc_buffer_add(&buf, strlen(setname)); + result = dns_name_fromtext(name, &buf, dns_rootname, ISC_FALSE, NULL); + if (result != ISC_R_SUCCESS) + fatal("can't convert DNS name %s", setname); + + isc_buffer_init(&buf, filename, sizeof(filename)); + if (dirname 
!= NULL) { + isc_buffer_putstr(&buf, dirname); + if (dirname[strlen(dirname) - 1] != '/') + isc_buffer_putstr(&buf, "/"); + } + isc_buffer_putstr(&buf, "keyset-"); + result = dns_name_tofilenametext(name, ISC_FALSE, &buf); + check_result(result, "dns_name_tofilenametext()"); + if (isc_buffer_availablelength(&buf) == 0) + fatal("name %s too long", setname); + isc_buffer_putuint8(&buf, 0); + + result = dns_db_create(mctx, "rbt", name, dns_dbtype_zone, + rdclass, 0, NULL, &db); + if (result != ISC_R_SUCCESS) + fatal("can't create database"); + + result = dns_db_load(db, filename); + if (result != ISC_R_SUCCESS && result != DNS_R_SEENINCLUDE) + fatal("can't load %s: %s", filename, isc_result_totext(result)); + + result = dns_db_findnode(db, name, ISC_FALSE, &node); + if (result != ISC_R_SUCCESS) + fatal("can't find %s node in %s", setname, filename); + + result = dns_db_findrdataset(db, node, NULL, dns_rdatatype_dnskey, + 0, 0, &keyset, NULL); + if (result == ISC_R_NOTFOUND) + fatal("no DNSKEY RR for %s in %s", setname, filename); + else if (result != ISC_R_SUCCESS) + fatal("dns_db_findrdataset"); +} + +static void +loadkey(char *filename, dns_rdata_t *rdata) +{ + isc_result_t result; + dst_key_t *key = NULL; + unsigned char key_buf[DST_KEY_MAXSIZE]; + isc_buffer_t keyb; + isc_region_t r; + + dns_rdataset_init(&keyset); + dns_rdata_init(rdata); + + isc_buffer_init(&keyb, key_buf, sizeof(key_buf)); + + result = dst_key_fromnamedfile(filename, DST_TYPE_PUBLIC, mctx, &key); + if (result != ISC_R_SUCCESS) + fatal("invalid keyfile name %s: %s", + filename, isc_result_totext(result)); + + if (verbose > 2) { + char keystr[KEY_FORMATSIZE]; + + key_format(key, keystr, sizeof(keystr)); + fprintf(stderr, "%s: %s\n", program, keystr); + } + + result = dst_key_todns(key, &keyb); + if (result != ISC_R_SUCCESS) + fatal("can't decode key"); + + isc_buffer_usedregion(&keyb, &r); + dns_rdata_fromregion(rdata, dst_key_class(key), + dns_rdatatype_dnskey, &r); + + rdclass = 
dst_key_class(key); + + dns_fixedname_init(&fixed); + name = dns_fixedname_name(&fixed); + result = dns_name_copy(dst_key_name(key), name, NULL); + if (result != ISC_R_SUCCESS) + fatal("can't copy name"); + + dst_key_free(&key); +} + +static void +logkey(dns_rdata_t *rdata) +{ + isc_result_t result; + dst_key_t *key = NULL; + isc_buffer_t buf; + char keystr[KEY_FORMATSIZE]; + + isc_buffer_init(&buf, rdata->data, rdata->length); + isc_buffer_add(&buf, rdata->length); + result = dst_key_fromdns(name, rdclass, &buf, mctx, &key); + if (result != ISC_R_SUCCESS) + return; + + key_format(key, keystr, sizeof(keystr)); + fprintf(stderr, "%s: %s\n", program, keystr); + + dst_key_free(&key); +} + +static void +emitds(unsigned int dtype, dns_rdata_t *rdata) +{ + isc_result_t result; + unsigned char buf[DNS_DS_BUFFERSIZE]; + char text_buf[DST_KEY_MAXTEXTSIZE]; + char class_buf[10]; + isc_buffer_t textb, classb; + isc_region_t r; + dns_rdata_t ds; + + isc_buffer_init(&textb, text_buf, sizeof(text_buf)); + isc_buffer_init(&classb, class_buf, sizeof(class_buf)); + + dns_rdata_init(&ds); + + result = dns_ds_buildrdata(name, rdata, dtype, buf, &ds); + if (result != ISC_R_SUCCESS) + fatal("can't build DS"); + + result = dns_rdata_totext(&ds, (dns_name_t *) NULL, &textb); + if (result != ISC_R_SUCCESS) + fatal("can't print DS rdata"); + + result = dns_rdataclass_totext(rdclass, &classb); + if (result != ISC_R_SUCCESS) + fatal("can't print DS class"); + + result = dns_name_print(name, stdout); + if (result != ISC_R_SUCCESS) + fatal("can't print DS name"); + + putchar(' '); + + isc_buffer_usedregion(&classb, &r); + fwrite(r.base, 1, r.length, stdout); + + printf(" DS "); + + isc_buffer_usedregion(&textb, &r); + fwrite(r.base, 1, r.length, stdout); + putchar('\n'); +} + +static void +usage(void) { + fprintf(stderr, "Usage:\n"); + fprintf(stderr, " %s options keyfile\n\n", program); + fprintf(stderr, " %s options [-c class] [-d dir] -s dnsname\n\n", + program); + fprintf(stderr, "Version: 
%s\n", VERSION); + fprintf(stderr, "Options:\n"); + fprintf(stderr, " -v \n"); + fprintf(stderr, " -1: use SHA-1\n"); + fprintf(stderr, " -2: use SHA-256\n"); + fprintf(stderr, " -a algorithm: use algorithm\n"); + fprintf(stderr, "Keyset options:\n"); + fprintf(stderr, " -s: keyset mode\n"); + fprintf(stderr, " -c class\n"); + fprintf(stderr, " -d directory\n"); + fprintf(stderr, "Output: DS RRs\n"); + + exit (-1); +} + +int +main(int argc, char **argv) { + char *algname = NULL, *classname = NULL, *dirname = NULL; + char *endp; + int ch; + unsigned int dtype = DNS_DSDIGEST_SHA1; + isc_boolean_t both = ISC_TRUE; + isc_boolean_t usekeyset = ISC_FALSE; + isc_result_t result; + isc_log_t *log = NULL; + isc_entropy_t *ectx = NULL; + dns_rdata_t rdata; + + dns_rdata_init(&rdata); + + if (argc == 1) + usage(); + + result = isc_mem_create(0, 0, &mctx); + if (result != ISC_R_SUCCESS) + fatal("out of memory"); + + dns_result_register(); + + isc_commandline_errprint = ISC_FALSE; + + while ((ch = isc_commandline_parse(argc, argv, + "12a:c:d:sv:h")) != -1) { + switch (ch) { + case '1': + dtype = DNS_DSDIGEST_SHA1; + both = ISC_FALSE; + break; + case '2': + dtype = DNS_DSDIGEST_SHA256; + both = ISC_FALSE; + break; + case 'a': + algname = isc_commandline_argument; + both = ISC_FALSE; + break; + case 'c': + classname = isc_commandline_argument; + break; + case 'd': + dirname = isc_commandline_argument; + break; + case 's': + usekeyset = ISC_TRUE; + break; + case 'v': + verbose = strtol(isc_commandline_argument, &endp, 0); + if (*endp != '\0') + fatal("-v must be followed by a number"); + break; + case '?': + if (isc_commandline_option != '?') + fprintf(stderr, "%s: invalid argument -%c\n", + program, isc_commandline_option); + /* Falls into */ + case 'h': + usage(); + + default: + fprintf(stderr, "%s: unhandled option -%c\n", + program, isc_commandline_option); + exit(1); + } + } + + if (algname != NULL) { + if (strcasecmp(algname, "SHA1") == 0 || + strcasecmp(algname, "SHA-1") == 
0) + dtype = DNS_DSDIGEST_SHA1; + else if (strcasecmp(algname, "SHA256") == 0 || + strcasecmp(algname, "SHA-256") == 0) + dtype = DNS_DSDIGEST_SHA256; + else + fatal("unknown algorithm %s", algname); + } + + rdclass = strtoclass(classname); + + if (argc < isc_commandline_index + 1) + fatal("the key file name was not specified"); + if (argc > isc_commandline_index + 1) + fatal("extraneous arguments"); + + if (ectx == NULL) + setup_entropy(mctx, NULL, &ectx); + result = isc_hash_create(mctx, ectx, DNS_NAME_MAXWIRE); + if (result != ISC_R_SUCCESS) + fatal("could not initialize hash"); + result = dst_lib_init(mctx, ectx, + ISC_ENTROPY_BLOCKING | ISC_ENTROPY_GOODONLY); + if (result != ISC_R_SUCCESS) + fatal("could not initialize dst"); + isc_entropy_stopcallbacksources(ectx); + + setup_logging(verbose, mctx, &log); + + if (usekeyset) { + loadkeys(dirname, argv[isc_commandline_index]); + + for (result = dns_rdataset_first(&keyset); + result == ISC_R_SUCCESS; + result = dns_rdataset_next(&keyset)) { + dns_rdata_init(&rdata); + dns_rdataset_current(&keyset, &rdata); + + if (verbose > 2) + logkey(&rdata); + + if (both) { + emitds(DNS_DSDIGEST_SHA1, &rdata); + emitds(DNS_DSDIGEST_SHA256, &rdata); + } else + emitds(dtype, &rdata); + } + } else { + loadkey(argv[isc_commandline_index], &rdata); + + if (both) { + emitds(DNS_DSDIGEST_SHA1, &rdata); + emitds(DNS_DSDIGEST_SHA256, &rdata); + } else + emitds(dtype, &rdata); + } + + if (dns_rdataset_isassociated(&keyset)) + dns_rdataset_disassociate(&keyset); + if (node != NULL) + dns_db_detachnode(db, &node); + if (db != NULL) + dns_db_detach(&db); + cleanup_logging(&log); + dst_lib_destroy(); + isc_hash_destroy(); + cleanup_entropy(&ectx); + dns_name_destroy(); + if (verbose > 10) + isc_mem_stats(mctx, stdout); + isc_mem_destroy(&mctx); + + return (0); +} diff --git a/bin/dnssec/dnssec-dsfromkey.docbook b/bin/dnssec/dnssec-dsfromkey.docbook new file mode 100644 index 0000000000..b5e17eb003 --- /dev/null 
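Review bot: In loadkeys(), the trailing-slash test `if (dirname[strlen(dirname) - 1] != '/')` indexes one byte before the string when the directory argument is empty (`-d ''`): strlen() returns 0 and the unsigned subtraction wraps, which is an out-of-bounds read on argv-controlled input. Guarding the whole block with `if (dirname != NULL && *dirname != '\0') {` treats an empty -d the same as no directory and removes the read. The preceding `isc_buffer_putstr(&buf, dirname)` also has no explicit bound against the 1024-byte `filename` array, so an over-long -d value presumably fails inside the buffer library's own assertion rather than through the `fatal("name %s too long", setname)` check, which only runs after the owner name has been appended; an early `if (strlen(dirname) >= sizeof(filename)) fatal("directory name %s too long", dirname);` before the putstr would keep that failure a clean diagnostic. Minor: the `/* Falls into */` comment on the '?' case in main() marks an intentional fall-through and should use the conventional `/* FALLTHROUGH */` spelling so lint tools recognise it.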
+++ b/bin/dnssec/dnssec-dsfromkey.docbook 
@@ -0,0 +1,426 @@ +]> + + + + + + november 29, 2008 + + + + dnssec-dsfromkey + 8 + BIND9 + + + + dnssec-dsfromkey + DNSSEC DS RR generation tool + + + + + 2008 + Internet Systems Consortium, Inc. ("ISC") + + + + + + dnssec-dsfromkey + + + + + keyfile + + + dnssec-dsfromkey + -s + + + + + + + dnsname + + + + + DESCRIPTION + dnssec-dsfromkey + outputs the Delegation Signer (DS) resource record RR, as defined in RFC 3658 + and RFC 4509, for the given key(s). + + + + + OPTIONS + + + + -1 + + + Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). + + + + + + -2 + + + Use SHA-256 as the digest algorithm. + + + + + + -a algorithm + + + Select the digest algorithm. The value of + must be one of SHA-1 (SHA1) or + SHA-256 (SHA256). These values are case insensitive. + + + + + + -v level + + + Sets the debugging level. + + + + + + -s + + + Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. Following options make sense + only in this mode. + + + + + + -c class + + + Specifies the DNS class (default is IN), useful only + in the keyset mode. + + + + + + -d directory + + + Look for keyset files in + as the directory, ignored when + not in the keyset mode. + + + + + + + + + EXAMPLE + + To build the SHA-256 DS RR from the + Kexample.com.+003+26160 + keyfile name, the following command would be issued: + + dnssec-dsfromkey -2 Kexample.com.+003+26160 + + + The command would print something like: + + example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94 + + + + + FILES + + The keyfile can be designed by the key identification + Knnnn.+aaa+iiiii or the full file name + Knnnn.+aaa+iiiii.key as generate by + dnssec-keygen8. + + + The keyset file name is built from the , + the string keyset- and the + . + + + + + CAVEAT + + A keyfile error can give a "file not found" even if the file exists. 
+ + + + + SEE ALSO + + dnssec-keygen8 + , + + dnssec-signzone8 + , + BIND 9 Administrator Reference Manual, + RFC 3658, + RFC 4509. + + + + + AUTHOR + Internet Systems Consortium + + + + + + + + + november 29, 2008 + + + + dnssec-dsfromkey + 8 + BIND9 + + + + dnssec-dsfromkey + DNSSEC DS RR generation tool + + + + + 2008 + Internet Systems Consortium, Inc. ("ISC") + + + + + + dnssec-dsfromkey + + + + + keyfile + + + dnssec-dsfromkey + -s + + + + + + + dnsname + + + + + DESCRIPTION + dnssec-dsfromkey + outputs the Delegation Signer (DS) resource record RR, as defined in RFC 3658 + and RFC 4509, for the given key(s). + + + + + OPTIONS + + + + -1 + + + Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). + + + + + + -2 + + + Use SHA-256 as the digest algorithm. + + + + + + -a algorithm + + + Select the digest algorithm. The value of + must be one of SHA-1 (SHA1) or + SHA-256 (SHA256). These values are case insensitive. + + + + + + -v level + + + Sets the debugging level. + + + + + + -s + + + Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. Following options make sense + only in this mode. + + + + + + -c class + + + Specifies the DNS class (default is IN), useful only + in the keyset mode. + + + + + + -d directory + + + Look for keyset files in + as the directory, ignored when + not in the keyset mode. + + + + + + + + + EXAMPLE + + To build the SHA-256 DS RR from the + Kexample.com.+003+26160 + keyfile name, the following command would be issued: + + dnssec-dsfromkey -2 Kexample.com.+003+26160 + + + The command would print something like: + + example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94 + + + + + FILES + + The keyfile can be designed by the key identification + Knnnn.+aaa+iiiii or the full file name + Knnnn.+aaa+iiiii.key as generate by + dnssec-keygen8. + + + The keyset file name is built from the , + the string keyset- and the + . 
+ + + + + CAVEAT + + A keyfile error can give a "file not found" even if the file exists. + + + + + SEE ALSO + + dnssec-keygen8 + , + + dnssec-signzone8 + , + BIND 9 Administrator Reference Manual, + RFC 3658, + RFC 4509. + + + + + AUTHOR + Internet Systems Consortium + + + + + + + + +dnssec-dsfromkey + + +
+
+
+

Name

+

dnssec-dsfromkey — DNSSEC DS RR generation tool

+
+
+

Synopsis

+

dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] {keyfile}

+

dnssec-dsfromkey {-s} [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] {dnsname}

+
+
+

DESCRIPTION

+

dnssec-dsfromkey + outputs the DS RR for the given key(s) as defined in RFC 3658 + and RFC 4509. +

+
+
+

OPTIONS

+
+
-1
+

+ Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). +

+
-2
+

+ Use SHA-256 as the digest algorithm. +

+
-a algorithm
+

+ Select the digest algorithm. The value of + algorithm must be one of SHA-1 (SHA1) or + SHA-256 (SHA256). These values are case insensitive. +

+
-v level
+

+ Sets the debugging level. +

+
-s
+

+ Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. Following options make sense + only in this mode. +

+
-c class
+

+ Specifies the DNS class (default is IN), useful only + in the keyset mode. +

+
-d directory
+

+ Look for keyset files in + directory as the directory, ignored when + not in the keyset mode. +

+
+
+
+

EXAMPLE

+

+ To build the SHA-256 DS RR from the + Kexample.com.+003+26160 + keyfile name, the following command would be issued: +

+

dnssec-dsfromkey -2 Kexample.com.+003+26160 +

+

+ The command would print something like: +

+

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94 +

+
+
+

FILES

+

+ The keyfile can be designed by the key identification + Knnnn.+aaa+iiiii or the full file name + Knnnn.+aaa+iiiii.key. +

+

+ The keyset file name is built from the directory, + the string keyset- and the + dnsname with a trailing dot. +

+
+
+

CAVEAT

+

+ A keyfile error can give a "file not found" even the file exists. +

+
+
+

SEE ALSO

+

dnssec-keygen(8), + dnssec-signzone(8), + BIND 9 Administrator Reference Manual, + RFC 3658, + RFC 4509. +

+
+
+

AUTHOR

+

Internet Systems Consortium +

+
+
+ + + + + + +dnssec-dsfromkey + + +
+
+
+

Name

+

dnssec-dsfromkey — DNSSEC DS RR generation tool

+
+
+

Synopsis

+

dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] {keyfile}

+

dnssec-dsfromkey {-s} [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] {dnsname}

+
+
+

DESCRIPTION

+

dnssec-dsfromkey + outputs the DS RR for the given key(s) as defined in RFC 3658 + and RFC 4509. +

+
+
+

OPTIONS

+
+
-1
+

+ Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). +

+
-2
+

+ Use SHA-256 as the digest algorithm. +

+
-a algorithm
+

+ Select the digest algorithm. The value of + algorithm must be one of SHA-1 (SHA1) or + SHA-256 (SHA256). These values are case insensitive. +

+
-v level
+

+ Sets the debugging level. +

+
-s
+

+ Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. Following options make sense + only in this mode. +

+
-c class
+

+ Specifies the DNS class (default is IN), useful only + in the keyset mode. +

+
-d directory
+

+ Look for keyset files in + directory as the directory, ignored when + not in the keyset mode. +

+
+
+
+

EXAMPLE

+

+ To build the SHA-256 DS RR from the + Kexample.com.+003+26160 + keyfile name, the following command would be issued: +

+

dnssec-dsfromkey -2 Kexample.com.+003+26160 +

+

+ The command would print something like: +

+

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94 +

+
+
+

FILES

+

+ The keyfile can be designed by the key identification + Knnnn.+aaa+iiiii or the full file name + Knnnn.+aaa+iiiii.key. +

+

+ The keyset file name is built from the directory, + the string keyset- and the + dnsname with a trailing dot. +

+
+
+

CAVEAT

+

+ A keyfile error can give a "file not found" even the file exists. +

+
+
+

SEE ALSO

+

dnssec-keygen(8), + dnssec-signzone(8), + BIND 9 Administrator Reference Manual, + RFC 3658, + RFC 4509. +

+
+
+

AUTHOR

+

Internet Systems Consortium +

+
+
+ diff --git a/doc/arm/Bv9ARM-book.xml b/doc/arm/Bv9ARM-book.xml index 7b2a6cdf55..8c17589da6 100644 --- a/doc/arm/Bv9ARM-book.xml +++ b/doc/arm/Bv9ARM-book.xml @@ -18,7 +18,7 @@ - PERFORMANCE OF THIS SOFTWARE. --> - + BIND 9 Administrator Reference Manual @@ -14182,6 +14182,7 @@ zone "example.com" { Manual pages + diff --git a/doc/arm/man.dnssec-dsfromkey.html b/doc/arm/man.dnssec-dsfromkey.html new file mode 100644 index 0000000000..cbf29a28fb --- /dev/null +++ b/doc/arm/man.dnssec-dsfromkey.html @@ -0,0 +1,169 @@ + + + + + +dnssec-dsfromkey + + + + + + + + +
+
+
+

Name

+

dnssec-dsfromkey — DNSSEC DS RR generation tool

+
+
+

Synopsis

+

dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] {keyfile}

+

dnssec-dsfromkey {-s} [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] {dnsname}

+
+
+

DESCRIPTION

+

dnssec-dsfromkey + outputs the Delegation Signer (DS) resource record (RR), + as defined in RFC 3658 and RFC 4509, for the given key(s). +

+
+
+

OPTIONS

+
+
-1
+

+ Use SHA-1 as the digest algorithm (the default is to use + both SHA-1 and SHA-256). +

+
-2
+

+ Use SHA-256 as the digest algorithm. +

+
-a algorithm
+

+ Select the digest algorithm. The value of + algorithm must be one of SHA-1 (SHA1) or + SHA-256 (SHA256). These values are case insensitive. +

+
-v level
+

+ Sets the debugging level. +

+
-s
+

+ Keyset mode: in place of the keyfile name, the argument is + the DNS domain name of a keyset file. Following options make sense + only in this mode. +

+
-c class
+

+ Specifies the DNS class (default is IN), useful only + in the keyset mode. +

+
-d directory
+

+ Look for keyset files in + directory as the directory, ignored when + not in the keyset mode. +

+
+
+
+

EXAMPLE

+

+ To build the SHA-256 DS RR from the + Kexample.com.+003+26160 + keyfile name, the following command would be issued: +

+

dnssec-dsfromkey -2 Kexample.com.+003+26160 +

+

+ The command would print something like: +

+

example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94 +

+
+
+

FILES

+

+ The keyfile can be designed by the key identification + Knnnn.+aaa+iiiii or the full file name + Knnnn.+aaa+iiiii.key as generated by + dnssec-keygen8. +

+

+ The keyset file name is built from the directory, + the string keyset- and the + dnsname. +

+
+
+

CAVEAT

+

+ A keyfile error can give a "file not found" even if the file exists. +

+
+
+

SEE ALSO

+

dnssec-keygen(8), + dnssec-signzone(8), + BIND 9 Administrator Reference Manual, + RFC 3658, + RFC 4509. +

+
+
+

AUTHOR

+

Internet Systems Consortium +

+
+
+ + diff --git a/doc/arm/man.dnssec-keyfromlabel.html b/doc/arm/man.dnssec-keyfromlabel.html index 5b80a89dc8..ebb6204113 100644 --- a/doc/arm/man.dnssec-keyfromlabel.html +++ b/doc/arm/man.dnssec-keyfromlabel.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -22,7 +22,7 @@ - + @@ -31,7 +31,7 @@ dnssec-keyfromlabel -Prev  +Prev  Manual pages  Next @@ -192,7 +192,7 @@ +Prev  diff --git a/doc/arm/man.host.html b/doc/arm/man.host.html index 6c54ce659c..da243c78ed 100644 --- a/doc/arm/man.host.html +++ b/doc/arm/man.host.html @@ -14,7 +14,7 @@ - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - PERFORMANCE OF THIS SOFTWARE. --> - + @@ -23,7 +23,7 @@ - + -
-Prev  Up  Next Prev  Manual pages Next + Next
@@ -234,13 +234,13 @@ Prev  UpNextNext dig  Homednssec-keyfromlabeldnssec-dsfromkey