### Install specific dnst version on Ubuntu Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Instructions for installing a specific version of dnst on Ubuntu, including adding a proposed repository for release candidates and specifying the version during installation. ```bash echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nlnetlabs-archive-keyring.gpg] https://packages.nlnetlabs.nl/linux/ubuntu \ $(lsb_release -cs)-proposed main" | sudo tee /etc/apt/sources.list.d/nlnetlabs-proposed.list > /dev/null sudo apt update sudo apt install dnst=0.1.0~rc1-1jammy ``` -------------------------------- ### Install dnst on Ubuntu Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Steps to install dnst on Ubuntu systems. This includes updating the package index, installing prerequisite packages for HTTPS repositories, adding the NLnet Labs GPG key, setting up the apt repository, and installing the dnst package. ```bash sudo apt update ``` ```bash sudo apt install \ ca-certificates \ curl \ gnupg \ lsb-release ``` ```bash curl -fsSL https://packages.nlnetlabs.nl/aptkey.asc | sudo gpg --dearmor -o /usr/share/keyrings/nlnetlabs-archive-keyring.gpg ``` ```bash echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nlnetlabs-archive-keyring.gpg] https://packages.nlnetlabs.nl/linux/ubuntu \ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/nlnetlabs.list > /dev/null ``` ```bash sudo apt update ``` ```bash sudo apt install dnst ``` -------------------------------- ### Install dnst on Debian Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Steps to install dnst on Debian systems. This involves updating the package index, installing necessary HTTPS packages, adding the NLnet Labs GPG key, configuring the apt repository, and finally installing the dnst package. ```bash sudo apt update ``` ```bash sudo apt install \ ca-certificates \ curl \ gnupg \ lsb-release ``` ```bash curl -fsSL https://packages.nlnetlabs.nl/aptkey.asc | sudo gpg --dearmor -o /usr/share/keyrings/nlnetlabs-archive-keyring.gpg ``` ```bash echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nlnetlabs-archive-keyring.gpg] https://packages.nlnetlabs.nl/linux/debian \ $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/nlnetlabs.list > /dev/null ``` ```bash sudo apt update ``` ```bash sudo apt install dnst ``` -------------------------------- ### Install specific dnst version on Debian/Ubuntu Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Instructions for installing a specific version of dnst on Debian and Ubuntu, including adding a proposed repository for release candidates and specifying the version during installation. ```bash echo \ "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/nlnetlabs-archive-keyring.gpg] https://packages.nlnetlabs.nl/linux/debian \ $(lsb_release -cs)-proposed main" | sudo tee /etc/apt/sources.list.d/nlnetlabs-proposed.list > /dev/null sudo apt update sudo apt install dnst=0.1.0~rc1-1bookworm ``` -------------------------------- ### Install Rustup Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/building.rst Installs the Rust toolchain manager, rustup, which is recommended for managing Rust versions. This command downloads and executes the official installation script. ```text curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh ``` -------------------------------- ### Install specific dnst version on RHEL Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Instructions for installing a specific version of dnst on RHEL-based systems using yum. This involves creating a testing repository file and specifying the version during installation. ```text [nlnetlabs-testing] name=NLnet Labs Testing baseurl=https://packages.nlnetlabs.nl/linux/centos/$releasever/proposed/$basearch enabled=1 ``` ```bash sudo yum --showduplicates list dnst sudo yum install -y dnst-0.1.0~rc1 ``` -------------------------------- ### Install DNST from Git Repository Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/building.rst Installs DNST directly from its GitHub repository, specifying the Git URL and branch. This is useful for installing development versions or when the package is not yet published. ```text cargo install --git https://github.com/NLnetLabs/dnst.git --branch main ``` -------------------------------- ### Install dnst on RHEL/Rocky Linux Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Instructions for installing dnst on RHEL 8/9 or compatible systems like Rocky Linux. This involves creating a repository configuration file, importing the NLnet Labs GPG key, and installing the package using yum. ```text [nlnetlabs] name=NLnet Labs baseurl=https://packages.nlnetlabs.nl/linux/centos/$releasever/main/$basearch enabled=1 ``` ```bash sudo rpm --import https://packages.nlnetlabs.nl/aptkey.asc ``` ```bash sudo yum install -y dnst ``` -------------------------------- ### Install Rust on OpenBSD Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/building.rst Installs the Rust programming language on OpenBSD using the system's package manager. This command requires root privileges. ```bash pkg_add rust ``` -------------------------------- ### Install Specific DNST Version Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/building.rst Installs a specific version of DNST from crates.io, using the --version flag. The --force option can be used to overwrite an existing installation. ```text cargo install --locked --force dnst --version 0.1.0-rc1 ``` -------------------------------- ### Update dnst on Ubuntu Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Instructions for updating an existing dnst installation on Ubuntu. This process involves updating the repository information and then performing the upgrade. ```bash sudo apt update ``` -------------------------------- ### Install Latest DNST Release (Force) Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/building.rst Installs the latest stable release of DNST from crates.io, forcing an overwrite if a version is already installed. The --locked flag ensures dependency integrity. ```text cargo install --locked --force dnst ``` -------------------------------- ### Install Latest DNST Release Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/building.rst Installs the latest stable release of DNST from crates.io using Cargo. The --locked flag ensures that dependencies are installed according to the lock file. ```text cargo install --locked dnst ``` -------------------------------- ### Check dnst versions on Debian/Ubuntu Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Command to list available versions of the dnst package on Debian and Ubuntu systems, useful for identifying upgrade paths or specific versions. ```bash sudo apt policy dnst ``` -------------------------------- ### Update dnst on Debian Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Steps to update an existing dnst installation on Debian. This includes refreshing the apt package index and then upgrading the dnst package to the latest available version. ```bash sudo apt update ``` ```bash sudo apt policy dnst ``` ```bash sudo apt --only-upgrade install dnst ``` -------------------------------- ### Update dnst on RHEL Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Commands to update the dnst package to the latest version on RHEL-based systems using yum. This includes listing available versions and performing the update. ```bash sudo yum --showduplicates list dnst sudo yum update -y dnst ``` -------------------------------- ### Update dnst on Debian/Ubuntu Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/installation.rst Commands to update the dnst package to the latest version on Debian and Ubuntu systems. This involves updating the package index and then performing the upgrade. ```bash sudo apt update sudo apt --only-upgrade install dnst ``` -------------------------------- ### Update Rust Toolchain Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/building.rst Updates the installed Rust toolchain, including the compiler and Cargo, to the latest available version. This is recommended when updating DNST. ```text rustup update ``` -------------------------------- ### DNS Zone File for DNSSEC Testing Source: https://github.com/nlnetlabs/dnst/blob/main/test-data/example.org A comprehensive DNS zone file containing various record types (SOA, NS, A, AAAA, DS) and configurations to test DNSSEC functionalities, including secure and insecure delegations, occluded RRs, and glue RRs. This file is intended for DNS server testing and validation. ```DNS Zone File ; The provenance of this zone is unknown, it is assumed to be hand crafted as ; example.org is an RFC 2606 reserved second level domain. ; ; This example includes various kinds of record that are useful for testing ; DNSSEC corner cases, including occluded and glue RRs, and insecure and secure ; delegations. example.org. 239 IN SOA example.net. hostmaster.example.net. 1234567890 28800 7200 604800 238 $TTL 1000 example.org. IN NS example.net. example.org. 240 IN A 128.140.76.106 insecure-deleg.example.org. 240 IN NS example.com. occluded.insecure-deleg.example.org. 240 IN A 1.2.3.4 secure-deleg.example.org. 240 IN NS example.com. secure-deleg.example.org. 240 IN DS 3120 15 2 0675d8c4a90ecd25492e4c4c6583afcef7c3b910b7a39162803058e6e7393a19 secure-deleg.example.org. 240 IN NS secure-deleg.example.org. secure-deleg.example.org. 240 IN A 1.1.1.1 secure-deleg.example.org. 240 IN AAAA ::1 insecure-deleg.example.org. 240 IN NS insecure-deleg.example.org. insecure-deleg.example.org. 240 IN A 1.1.1.1 insecure-deleg.example.org. 240 IN AAAA ::1 ``` -------------------------------- ### ldns-signzone Command-Line Interface Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/man/ldns-signzone.rst Detailed documentation for the ldns-signzone command-line tool, covering its synopsis, arguments, and various options for DNSSEC zone signing. It explains how to specify zone files, keys, and control the signing process. ```APIDOC ldns-signzone Synopsis -------- :program:`ldns-signzone` ``[OPTIONS]`` ```` ``...`` Description ----------- ``ldns-signzone`` is used to generate a DNSSEC signed zone. When run it will create a new zonefile that contains RRSIG and NSEC(3) resource records, as specified in RFC 4033, RFC 4034, RFC 4035 and RFC 5155. This is a re-implementation of the original ``ldns-signzone`` which is largely compatible with the original with some exceptions which are noted below. Arguments --------- .. option:: The zonefile to sign. Note: Unlike the original LDNS, any existing NSEC(3), NSEC3PARAM and/or RRSIG resource records will be skipped when loading the zonefile. Note: Unlike the original LDNS, the origin must be explicitly specified either via an ``$ORIGIN`` directive in the zonefile or using the ``-o`` command line argument. .. option:: ... The keys to sign the zonefile with. Keys must be specified by their base file name (usually ``K++``), i.e. WITHOUT the ``.private`` or ``.key`` extension, with an optional path prefix. The ``.private`` file is required to exist. The ``.key`` file will be used if a ``DNSKEY`` record corresponding to the ``.private`` key cannot be found. Multiple keys can be specified. Key Signing Keys are used as such when they are either already present in the zone, or specified in a ``.key`` file, and have the Secure Entry Point flag set. Note: Unlike the original LDNS: - Public keys corresponding to ``.private`` key MUST be supplied, either as DNSKEY RRs in the given zone or as ``.key`` files. This implementation is not able to generate missing public keys. - Supported DNSKEY algorithms are the ones supported by the domain crate. Supported algorithms include RSASHA256, ECDSAP256SHA256, and ED25519 but exclude RSHASHA1 and RSASHA1-NSEC3-SHA1. Options ------- .. option:: -a Sign the DNSKEY records with all keys. By default it is signed with a minimal number of keys, to keep the response size for the DNSKEY query small, only the SEP keys that are passed are used. If there are no SEP keys, the DNSKEY RRset is signed with the non-SEP keys. This option turns off the default and all keys are used to sign the DNSKEY RRset. .. option:: -b Augments the zone and the RR's with extra comment texts for a more readable layout, easier to debug. NSEC3 records will have the unhashed owner names in the comment text. Without this option, only DNSKEY RR's will have their Key Tag annotated in the comment text. Note: This option is ignored if the ``-f -`` is used. Note: Unlike the original LDNS, DS records are printed without a bubblebabble version of the data in the comment text, and some ordering for easier consumption by humans is ONLY done if ``-b`` is in effect, e.g. ordering RRSIGs after the record they cover, and ordering NSEC3 hashes by unhashed owner name rather than by hashed owner name. .. option:: -d Do not add used keys to the resulting zonefile. .. option:: -e Set the expiration timestamp of signatures to the given date (and time, optionally, see :ref:`ldns-signzone-dates` for details about acceptable formats for the given ```` value). Defaults to 4 weeks from now. .. option:: -f Write signed zone to file. Use ``-f -`` to output to stdout. Defaults to ``.signed``. .. option:: -h Print the help text. .. option:: -i Set the inception timestamp of signatures to the given date (and time, optionally, see :ref:`ldns-signzone-dates` for details about acceptable formats for the given ```` value). Defaults to now. .. option:: -n Use NSEC3 instead of NSEC. If specified, you can use extra options (see :ref:`ldns-signzone-nsec3-options`). .. option:: -o Use this owner name as the apex of the zone. If not specified the owner name of the first SOA record will be used as the apex of the zone. .. option:: -u Set the SOA serial in the resulting zonefile to the given number of seconds since January 1st 1970. .. option:: -u Sign with every unique algorithm in the provided keys. The DNSKEY set is signed with all the SEP keys, plus all the non-SEP keys that have an algorithm that was not present in the SEP key set. .. option:: -v Print the version and exit. .. option:: -z <[SCHEME:]HASH> Add a ZONEMD resource record. Accepts both mnemonics and numbers. This option can be provided more than once to add multiple ZONEMD RRs. However, only one per scheme-hash tuple will be added. | HASH supports ``sha384`` (1) and ``sha512`` (2). ``` -------------------------------- ### dnst nsec3-hash Command Reference Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/man/dnst-nsec3-hash.rst Provides detailed information on the dnst nsec3-hash command, including its purpose, usage syntax, arguments, and available options for customizing NSEC3 hash generation. ```APIDOC dnst nsec3-hash Synopsis: dnst nsec3-hash [OPTIONS] Description: Prints the NSEC3 hash of a given domain name. Arguments: : The domain name to generate an NSEC3 hash for. Options: -a , --algorithm Use the given algorithm number for the hash calculation. Defaults to 1 (SHA-1). -i , -t , --iterations Use the given number of additional iterations for the hash calculation. Defaults to 0. -s , --salt Use the given salt for the hash calculation. The salt value should be in hexadecimal format. Defaults to an empty salt. -h, --help Print the help text (short summary with -h, long help with --help). -V, --version Print the version. ``` -------------------------------- ### dnst key2ds Command Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/man/dnst-key2ds.rst Generates a DS (Delegation Signer) resource record for each DNSKEY present in a given file. The command creates .ds files and prints their base names to standard output. ```APIDOC dnst key2ds Command Synopsis: dnst key2ds [OPTIONS] Description: Generates a DS RR for each DNSKEY in . The command creates files named K++.ds for each key and prints the base name to stdout. Arguments: : A file containing one or more RFC 4034 DNSKEY resource records in presentation format. Options: -a, --algorithm Use the given algorithm for the digest. Defaults to the digest algorithm used for the DNSKEY, or SHA-1 if it cannot be determined. -f, --force Overwrite existing .ds files. --ignore-sep Ignore the SEP flag and make DS records for any key. -n Write the generated DS records to stdout instead of a file. -h, --help Print the help text (short summary with -h, long help with --help). -V, --version Print the version. Example: # Assuming keyfile.txt contains DNSKEY records dnst key2ds keyfile.txt # This might output something like: # Kexample.com+1234+56789 # And create a file named Kexample.com+1234+56789.ds ``` -------------------------------- ### ldns-key2ds Command-Line Tool Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/man/ldns-key2ds.rst Transforms a public DNSKEY RR to a DS RR. Reads a DNSKEY RR from a file and creates a .ds file with the DS RR. Supports various hashing algorithms and output options. ```APIDOC ldns-key2ds: Transform DNSKEY RR to DS RR Synopsis -------- :program:`ldns-key2ds` ``[OPTIONS]`` ```` Description ----------- Reads a DNSKEY RR from ```` and creates a .ds file with the DS RR. Prints the basename for the .ds file (``K++``). By default, picks a hash algorithm similar to the key algorithm (e.g., SHA1 for RSASHA1). Options ------- -f, --ignore-sep-flag Ignore SEP flag (i.e. make DS records for any key) -n, --stdout Write the result DS Resource Record to stdout instead of a file -1, --sha1 Use SHA1 as the hash function. -2, --sha256 Use SHA256 as the hash function. -4, --sha384 Use SHA384 as the hash function. ``` -------------------------------- ### ldns-keygen Usage and Options Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/man/ldns-keygen.rst The ldns-keygen tool generates DNSSEC key pairs. It creates .key (public DNSKEY), .private (private keydata), and .ds (DS record) files. The output filename format is K++. Key features include specifying the algorithm, key bit length, generating key signing keys (KSK), setting a custom random seed source, and creating symbolic links to the generated files. Options can be forced to overwrite existing symlinks. ```APIDOC ldns-keygen Synopsis: ldns-keygen [OPTIONS] Description: Generates a private/public keypair for DNSSEC. Creates .key (public DNSKEY), .private (private keydata), and .ds (DS record) files. Prints the basename for the key files: K++. Options: -a Create a key with this algorithm. Specify 'list' to see supported algorithms. Note: Does not support symmetric keys (for TSIG). -b Use this many bits for the key length. -k Generate a key signing key (sets flag field to 257 in DNSKEY RR). -r Use this file to seed the random generator (defaults to /dev/random). -s Create symbolic links: .private to private key, .key to public DNSKEY, .ds to DS record file. -f Force overwriting existing symbolic links. -v Show the version and exit. ``` -------------------------------- ### dnst keygen Command Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/man/dnst-keygen.rst Generates a new key pair for a given domain name, creating public key, private key, and DS record files. Supports various algorithms and options for key generation. ```APIDOC dnst keygen [OPTIONS] -a Generates a new key pair for a given domain name. Creates the following files: - K++.key: Public key file (DNSKEY RR format). - K++.private: Private key file (BIND's Private-key-format). - K++.ds: Public key digest file (DS RR format, for KSK). Parameters: (string): The owner name of the apex of the zone. -a (string or number): The signing algorithm. Mandatory. Possible values: list: List available algorithms RSASHA256 (8): RSA with SHA-256 ECDSAP256SHA256 (13): ECDSA P-256 with SHA-256 ECDSAP384SHA384 (14): ECDSA P-384 with SHA-384 ED25519 (15): ED25519 ED448 (16): ED448 -k (flag): Generate a key signing key (KSK) instead of a zone signing key (ZSK). -b (integer): The length of the key (for RSA keys only). Defaults to 2048. -r (string): The randomness source. Defaults to /dev/urandom. -s (flag): Create symlinks (.key and .private) to the generated keys. -f (flag): Overwrite existing symlinks (used with -s). -h, --help (flag): Print help text. Returns: Prints the generated key name (e.g., K++). ``` -------------------------------- ### dnst signzone Command Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/man/dnst-signzone.rst The `dnst signzone` command signs a DNS zonefile using DNS Security Extensions (DNSSEC). It requires a zonefile, one or more keys, and a mandatory origin domain. The command supports numerous options to control signing behavior, NSEC/NSEC3 generation, date formats, and output customization. ```APIDOC dnst signzone Command Synopsis: dnst signzone [OPTIONS] -o ... Description: Signs the zonefile with the given key(s), adding DNS Security Extensions (DNSSEC) resource records. Keys are specified by their base name (e.g., K++), requiring both .private and .key files. Arguments: The zonefile to sign. Existing NSEC(3) and/or RRSIG records are skipped. ... The keys to sign the zonefile with. Options: -d Do not add used keys to the resulting zonefile. -e Set the expiration date of signatures. Defaults to 4 weeks from now. -f Write signed zone to file. Use "-" for stdout. Defaults to ".signed". -i Set the inception date of signatures. Defaults to now. -o Use this owner name as the apex of the zone. Mandatory. -u Set SOA serial to the number of seconds since Jan 1st 1970. Increments if the value does not increase. -n Use NSEC3 instead of NSEC. Defaults to RFC 9276 best practice settings (SHA-1, no extra iterations, empty salt). See -a, -s, -t for NSEC3 options. -A Sign DNSKEYs with all keys instead of the minimal set. -U Sign with every unique algorithm in the provided keys. -z <[SCHEME:]HASH> Add a ZONEMD resource record. Can be provided multiple times. HASH supports SHA384 (1) and SHA512 (2). SCHEME supports SIMPLE (1), the default. -Z Allow adding ZONEMD RRs without signing the zone. ... becomes optional. -H Hash only, don't sign. ... can be omitted. -h, --help Print help text. Output Formatting Options: -b Add comments on DNSSEC records. Annotates key tag for DNSKEY RRs without this option. -L Precede zone output with a list of NSEC3 hashes of original ownernames. -O Order NSEC3 RRs by unhashed owner name. -R Order RRSIG RRs by the record type they cover. -T Output YYYYMMDDHHmmSS RRSIG timestamps instead of seconds since epoch. NSEC3 Options (used with -n): -a Specify the hashing algorithm. Defaults to SHA-1. -s Specify the salt as a hex string. Defaults to "-" (empty salt). -t Set the number of extra hash iterations. Defaults to 0. -p Set the opt-out flag on all NSEC3 RRs. -P Set the opt-out flag on all NSEC3 RRs and skip unsigned delegations. DATES: A date can be a UNIX timestamp (seconds since Epoch) or of the form . ``` -------------------------------- ### ldns-nsec3-hash Command-Line Tool Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/man/ldns-nsec3-hash.rst The ldns-nsec3-hash command is used to print out the NSEC3 hash for a given domain name. It supports options for specifying the algorithm, salt, and iteration count for the hash calculation. ```APIDOC ldns-nsec3-hash Synopsis: ldns-nsec3-hash [OPTIONS] Description: Prints the NSEC3 hash for the given domain name. Options: -a Use the given algorithm number for the hash calculation. Defaults to 1 (SHA-1). -s Use the given salt for the hash calculation. The salt value should be in hexadecimal format. Defaults to an empty salt. -t Use the given number of additional iterations for the hash calculation. Defaults to 0. Note that this differs to the default value used by the original ldns-nsec3-hash command to comply with latest best practice per RFC 9276. ``` -------------------------------- ### NSEC3 Options for ldns-signzone Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/man/ldns-signzone.rst Configures NSEC3 parameters for zone signing, allowing overrides for hashing algorithm, iterations, salt, and opt-out flag. These options are used with the -n flag. ```APIDOC .. option:: -a Specify the hashing algorithm. Only SHA-1 is supported. .. option:: -t Set the number of extra hash iterations. Defaults to 0. Note: The default value differs to that of the original LDNS which has a default of 1. The new default value is in accordance with RFC 9276 "Guidance for NSEC3 Parameter Settings". .. option:: -s Specify the salt as a hex string. Defaults to ``-``, meaning empty salt. .. option:: -p Set the opt-out flag on all NSEC3 RRs. ``` -------------------------------- ### dnst-signzone Command Source: https://github.com/nlnetlabs/dnst/blob/main/doc/manual/source/man/dnst.rst Signs a DNS zone with the given key(s). This command is essential for implementing DNSSEC. ```APIDOC dnst-signzone - Sign the zone with the given key(s). ```