Generate DNSSEC DS RR (GENDNSDSRR)
| Where allowed to run: All environments (*ALL) Threadsafe: No |
Parameters Examples Error messages |
The Generate DNSSEC DS RR (GENDNSDSRR) command generates the Delegation Signer (DS) resource record (RR).
Restrictions:
- You must have execute (*X) authority to the directories in the path of the entropy source file.
- You must have read (*R) authority to the entropy source file.
- You must have execute (*X) authority to the directories in the path of the keyset directory.
- You must have read (*R) authority to the keyset directory files.
- You must have execute (*X) authority to the directories in the path of the output file.
- You must have write (*W) authority to the output file if it already exists.
- You must have read, write and execute (*RWX) authority to the output file's parent directory if the output file does not already exist.
| Top |
Parameters
| Keyword | Description | Choices | Notes |
|---|---|---|---|
| NAME | Name | Character value | Required, Positional 1 |
| NAMEMODE | Name mode | *KEYFILE, *KEYSET, *ZONEFILE | Optional, Positional 2 |
| ALGORITHM | Digest algorithm | *SHA1, *SHA256 | Optional, Positional 3 |
| KEYDIR | Key files directory | Path name, *DFT | Optional, Positional 4 |
| ZONENAME | Zone name | Character value | Optional |
| ZSK | Include ZSK | *NO, *YES | Optional |
| DLVDMN | DLV domain name | Character value, *NONE | Optional |
| CLASS | Class | *IN, *CH, *HS | Optional |
| DBGLVL | Debug level | 0-10, 0 | Optional |
| TOSTMF | Output file | Path name, *STDOUT | Optional |
| Top |
Name (NAME)
Specifies the file used to generate the Delegation Signer (DS) resource record (RR). This parameter has different meaning based on the Name mode (NAMEMODE). For *KEYFILE name mode, the Name (NAME) is the common key file name which can be designed by the key identification Knnnn.+aaa+iiiii(nnnn is the key name; aaa is the numeric representation of the algorithm; iiiii is the key identifier or footprint) or the full file name Knnnn.+aaa+iiiii.key as generated by GENDNSKEY. For *KEYSET name mode, the real file name is built from the Name (NAME) with the prefix of keyset-. For *ZONEFILE name mode, the Name (NAME) is the zone master file name.
This is a required parameter.
- character-value
- Specify a name. The meaning of the name depends on the Name mode (NAMEMODE) parameter.
| Top |
Name mode (NAMEMODE)
Specifies the name mode used to generate the real key file name from the Name (NAME).
- *KEYFILE
- the Name (NAME) is the common key file name which can be designed by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by GENDNSKEY.
- *KEYSET
- The real file name is built from the Name (NAME) with the prefix of keyset-.
- *ZONEFILE
- the Name (NAME) is the zone master file name.
| Top |
Digest algorithm (ALGORITHM)
Specifies the digest algorithm to use. The value of algorithm must be one of SHA-1 (SHA1) or SHA-256 (SHA256).
- *SHA1
- Secure Hash Algorithm 1 (SHA1) is a one-way hash algorithm.
- *SHA256
- Secure Hash Algorithm 256 (SHA256) is a one-way hash algorithm.
| Top |
Key files directory (KEYDIR)
Specifies the directory where the Name (NAME) will be searched.
- *DFT
- The default directory is /QIBM/UserData/OS400/DNS/_DYN.
- path-name
- Specify the path name for the directory where the key or zone master file will be searched.
| Top |
Zone name (ZONENAME)
Specifies the zone name of a zone master file. In *ZONEFILE name mode, if the zone master file name(as specified by Name(NAME) parameter) is not same as the zone name, the zone name should be specified in this parameter. This parameter is only valid in *ZONEFILE name mode.
- character-value
- Specify the zone name.
| Top |
Include ZSK (ZSK)
Specifies whether or not to include Zone Sign Key (ZSK) when generating Delegation Signer (DS) records.
If setting *NO for this parameter, only keys which have the KSK flag set will be converted to DS records and printed. This is only valid in *ZONEFILE name mode.
- *NO
- Do not include ZSK's .
- *YES
- Include ZSK's.
| Top |
DLV domain name (DLVDMN)
Specifies the domain name used to generate a DNSSEC Look-aside Validation (DLV) set instead of a Delegation Signer (DS) set. The specified domain is appended to the name for each record in the set.
- *NONE
- Generate a DS set instead of a DLV set.
- domain
- Specifies the domain name used to generate a DLV set instead of a DS set.
| Top |
Class (CLASS)
Specifies the DNS class. This is only valid in *KEYSET and *ZONEFILE name mode.
- *IN
- The Internet class.
- *CH
- The CHAOS class.
- *HS
- The Hesiod class.
| Top |
Debug level (DBGLVL)
Specifies the debugging level to indicate how much diagnostic (debug) information this command will generate.
- 0
- Debugging is off.
- 1-10
- Specify a number within the range of 1-10. The amount of debug information increases as the DBGLVL value increases. 1 equals minimum debug information. 10 equals maximum debug information.
| Top |
Output file (TOSTMF)
Specifies the name of a stream file where all command output is written.
- *STDOUT
- All command output goes to the standard output device (normally the display).
- path-name
- Specify the path name for a stream file where output should be written.
| Top |
Examples
GENDNSDSRR NAME('Kexample.com.+003+26160')
ALGORITHM(*SHA256)
This command builds the SHA-256 delegation signer resource record from the Kexample.com.+003+26160 keyfile name which is located in directory /QIBM/UserData/OS400/DNS/_DYN. Output from the command is sent to stdout and will look like the following:
example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0C5EA0B94
| Top |
Error messages
*ESCAPE Messages
- DNS0013
- Error processing command parameters.
- DNS0065
- Option 33 of i5/OS is required, but is not installed.
- TCP7124
- Program &1 in library &2 type *PGM ended abnormally.
| Top |