dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
-1 Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256).
-2 Use SHA-256 as the digest algorithm.
-a algorithm Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1) or SHA-256 (SHA256). These values are case insensitive.
-K directory Look for key files (or, in keyset mode, keyset- files) in directory.
-f file Zone file mode: in place of the keyfile name, the argument is the DNS domain name of a zone master file, which can be read from file. If the zone name is the same as file, then it may be omitted.
-A Include ZSKs when generating DS records. Without this option, only keys which have the KSK flag set will be converted to DS records and printed. Useful only in zone file mode.
-l domain Generate a DLV set instead of a DS set. The specified domain is appended to the name for each record in the set. The DNSSEC Lookaside Validation (DLV) RR is described in RFC 4431.
-s Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file.
-c class Specifies the DNS class (default is IN). Useful only in keyset or zone file mode.
-v level Sets the debugging level.
To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile name, the following command would be issued:
dnssec-dsfromkey -2 Kexample.com.+003+26160
The command would print something like:
example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94
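How the key tag and digest fields of a DS record like the one above are derived from a DNSKEY, as an added Python example (not part of the BIND documentation or the tool's source). It follows the RFC 4034 key tag and RFC 4509 digest rules and mirrors the -1, -2 and -A behaviour described above; the function names and the sample keys are assumptions constructed for illustration.

```python
import base64
import hashlib
import struct

DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}  # DS digest types, as chosen by -1 / -2

def wire_name(name):
    """Owner name in canonical wire form: lowercased, length-prefixed labels."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def key_tag(rdata):
    """Key tag over DNSKEY RDATA (RFC 4034 Appendix B; not valid for algorithm 1)."""
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF

def ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Return DS RR text for one DNSKEY; KeyError on an unsupported digest type."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    # The digest covers the owner name followed by the complete DNSKEY RDATA.
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    fqdn = owner.lower().rstrip(".") + "."
    return f"{fqdn} IN DS {key_tag(rdata)} {algorithm} {digest_type} {digest}"

def ds_set(owner, dnskeys, include_zsk=False, digest_types=(1, 2)):
    """DS records for a key set; non-KSK keys are skipped unless include_zsk (-A)."""
    out = []
    for flags, protocol, algorithm, pubkey_b64 in dnskeys:
        if not (flags & 0x0001) and not include_zsk:  # low bit (SEP) marks a KSK
            continue
        out += [ds_from_dnskey(owner, flags, protocol, algorithm, pubkey_b64, t)
                for t in digest_types]
    return out

# Constructed sample keys (not real key material): one KSK (257) and one ZSK (256).
SAMPLE_KSK = (257, 3, 5, base64.b64encode(bytes(range(1, 65))).decode())
SAMPLE_ZSK = (256, 3, 5, base64.b64encode(bytes(range(65, 129))).decode())

if __name__ == "__main__":
    for rr in ds_set("example.com", [SAMPLE_KSK, SAMPLE_ZSK]):
        print(rr)
```

Comparing a parent zone's published DS against a value recomputed this way from the child's DNSKEY is a quick check that a delegation still matches the key actually in use.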
The keyfile can be designated by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).
The keyset file name is built from the directory, the string keyset- and the dnsname.
A keyfile error can give a "file not found" even if the file exists.
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 3658, RFC 4431, RFC 4509.
Internet Systems Consortium