]> November 29, 2008 dnssec-dsfromkey 8 BIND9 dnssec-dsfromkey DNSSEC DS RR generation tool 2008 Internet Systems Consortium, Inc. ("ISC") dnssec-dsfromkey -v level -1 -2 -a alg keyfile dnssec-dsfromkey -s -v level -1 -2 -a alg -c class -d dir dnsname dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s). -1 Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256). -2 Use SHA-256 as the digest algorithm. -a algorithm Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1) or SHA-256 (SHA256). These values are case insensitive. -v level Sets the debugging level. -s Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode. -c class Specifies the DNS class (default is IN), useful only in the keyset mode. -d directory Look for keyset files in directory as the directory, ignored when not in the keyset mode. To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile name, the following command would be issued: dnssec-dsfromkey -2 Kexample.com.+003+26160 The command would print something like: example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94 The keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen8. The keyset file name is built from the directory, the string keyset- and the dnsname. A keyfile error can give a "file not found" even if the file exists. dnssec-keygen8 , dnssec-signzone8 , BIND 9 Administrator Reference Manual, RFC 3658, RFC 4509. Internet Systems Consortium