outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256).
Use SHA-256 as the digest algorithm.
Select the digest algorithm. The value of
must be one of SHA-1 (SHA1) or SHA-256 (SHA256). These values are case insensitive.
Sets the debugging level.
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. Following options make sense only in this mode.
Specifies the DNS class (default is IN), useful only in the keyset mode.
as the directory, ignored when not in the keyset mode.
To build the SHA-256 DS RR from the
keyfile name, the following command would be issued:
dnssec-dsfromkey -2 Kexample.com.+003+26160
The command would print something like:
example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94
The keyfile can be designed by the key identification
or the full file name
as generated by
The keyset file name is built from the
directory, the string
A keyfile error can give a "file not found" even if the file exists.
BIND 9 Administrator Reference Manual,
Internet Systems Consortium
Copyright © 2008 Internet Systems Consortium, Inc. ("ISC")
- SEE ALSO
This document was created by
using the manual pages.
Time: 04:17:50 GMT, September 24, 2010