.Dd May 10, 2021
.Dt DNSKEY 1
.Os
.Sh NAME
.Nm dnskey
.Nd generate DNSSEC DNSKEY record
.Sh SYNOPSIS
.Nm dnskey
.Op Fl k
.Op Fl a Ar algorithm
.Op Fl t Ar ttl
.Op Fl c Ar class
.Ar domain
.Ar keyfile
.Sh DESCRIPTION
.Nm
writes a DNSSEC DNSKEY record to standard output.
.Pp
The record is generated with the name
.Ar domain
and public key given by
.Ar keyfile .
.Pp
A DNSKEY record contains a public key that can be used to verify
the signatures of the records in a zone.
If the Secure Entry Point (SEP) flag is set, the key may be used
to verify signatures of the DNSKEY RRset.
Otherwise, it may only be used to verify the signatures of other
record types.
.Sh OPTIONS
.Bl -tag -width Ds
.It Fl k
Set the Secure Entry Point (SEP) flag.
.It Fl a Ar algorithm
The signature algorithm to use with the key.
This option can be used to disambiguate the hash used with RSA keys.
The following algorithms are supported:
.Bl -bullet -compact
.It
RSASHA1
.It
RSASHA256 (default for RSA keys)
.It
RSASHA512
.It
ECDSAP256SHA256
.It
ECDSAP384SHA384
.El
.It Fl t Ar ttl
The TTL value of the record.
If not specified, the TTL is omitted.
.It Fl c Ar class
The record class.
Defaults to IN.
.El
.Sh EXAMPLES
Generate a DNSKEY record with the SEP flag set for the key in key.pem.
.Bd -literal -offset indent
$ dnskey -k example.com. key.pem
example.com. IN DNSKEY 257 3 13 vj2jYoUXYP5L/Y3VKwy2tv1lTQKvieaDdg2DpZRItJ0TblzoKoJ+9WQgxi4/mq0JkFUFeltRmhPnhtXoCH7Tfw==
.Ed
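.Pp
The following Python check is an added example, not part of dnskey or its source: it decodes the record printed above (flags 257 are the Zone Key bit, 256, plus the SEP bit, 1; protocol 3; algorithm 13) and rejects records that are malformed before they are published.
The function name check_dnskey and its return layout are hypothetical; algorithm numbers are the IANA assignments for the algorithms listed under OPTIONS.

```python
import base64

# IANA DNSSEC algorithm numbers for the algorithms listed under OPTIONS.
ALGORITHMS = {5: "RSASHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384"}
# ECDSA public keys are the raw X || Y point, so their length is fixed (RFC 6605).
ECDSA_KEY_LEN = {13: 64, 14: 96}
ZONE_KEY, SEP = 0x0100, 0x0001  # DNSKEY flag bits (RFC 4034, section 2.1.1)


def check_dnskey(line):
    """Parse one DNSKEY record in presentation format and sanity-check it."""
    fields = line.split()
    try:
        i = [f.upper() for f in fields].index("DNSKEY")
    except ValueError:
        raise ValueError("not a DNSKEY record")
    if i < 1 or len(fields) < i + 5:
        raise ValueError("truncated DNSKEY record")
    flags, protocol, alg = (int(f) for f in fields[i + 1:i + 4])
    # The base64 key may be split across whitespace; rejoin before decoding.
    key = base64.b64decode("".join(fields[i + 4:]), validate=True)
    if protocol != 3:
        raise ValueError("protocol field must be 3")
    if not flags & ZONE_KEY:
        raise ValueError("Zone Key bit clear: not usable for zone signatures")
    if alg not in ALGORITHMS:
        raise ValueError(f"unsupported algorithm {alg}")
    if alg in ECDSA_KEY_LEN and len(key) != ECDSA_KEY_LEN[alg]:
        raise ValueError(f"{ALGORITHMS[alg]} key must be {ECDSA_KEY_LEN[alg]} bytes")
    return {"owner": fields[0], "sep": bool(flags & SEP),
            "algorithm": ALGORITHMS[alg], "key_bytes": len(key)}


# The record from the EXAMPLES section above.
EXAMPLE = ("example.com. IN DNSKEY 257 3 13 vj2jYoUXYP5L/Y3VKwy2tv1lTQKvieaDdg2DpZ"
           "RItJ0TblzoKoJ+9WQgxi4/mq0JkFUFeltRmhPnhtXoCH7Tfw==")

if __name__ == "__main__":
    print(check_dnskey(EXAMPLE))
```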
.Sh SEE ALSO
.Xr ds 1 ,
.Xr nsec 1 ,
.Xr rrsig 1 ,
.Xr tlsa 1