NAME
dnssec-importkey - import DNSKEY records from external systems so they can be
managed
SYNOPSIS
dnssec-importkey
[ -K directory] [-L ttl]
[-P date/offset]
[-D date/offset] [ -h]
[-v level] [-V] {keyfile}
dnssec-importkey
{ -f filename}
[-K directory] [ -L ttl]
[-P date/offset]
[-D date/offset] [ -h]
[-v level] [-V] [dnsname]
DESCRIPTION
dnssec-importkey reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an existing .key file,
in which case a corresponding .private file will be generated, or it may be
read from any other file or from the standard input, in which case both .key
and .private files will be generated.
The newly-created .private file does
not contain private key data, and
cannot be used for signing. However, having a .private file makes it possible
to set publication (
-P) and deletion (
-D) times for the key,
which means the public key can be added to and removed from the DNSKEY RRset
on schedule even if the true private key is stored offline.
OPTIONS
-f
filename
Zone file mode: instead of a public keyfile
name, the argument is the DNS domain name of a zone master file, which can be
read from
file. If the domain name is the same as
file, then it
may be omitted.
If
file is set to "-", then the zone data is read from the
standard input.
-K
directory
Sets the directory in which the key files are
to reside.
-L
ttl
Sets the default TTL to use for this key when
it is converted into a DNSKEY RR. If the key is imported into a zone, this is
the TTL that will be used for it, unless there was already a DNSKEY RRset in
place, in which case the existing TTL would take precedence. Setting the
default TTL to 0 or none removes it.
-h
Emit usage message and exit.
-v
level
Sets the debugging level.
-V
Prints version information.
TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument
begins with a '+' or '-', it is interpreted as an offset from the present
time. For convenience, if such an offset is followed by one of the suffixes
'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years
(defined as 365 24-hour days, ignoring leap years), months (defined as 30
24-hour days), weeks, days, hours, or minutes, respectively. Without a suffix,
the offset is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
-P
date/offset
Sets the date on which a key is to be
published to the zone. After that date, the key will be included in the zone
but will not be used to sign it.
-D
date/offset
Sets the date on which the key is to be
deleted. After that date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
FILES
A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full
file name Knnnn.+aaa+iiiii.key as generated by dnssec-keygen(8).
SEE ALSO
dnssec-keygen(8),
dnssec-signzone(8), BIND 9 Administrator
Reference Manual, RFC 5011.
AUTHOR
Internet Systems Consortium, Inc.
COPYRIGHT
Copyright © 2013-2016 Internet Systems Consortium, Inc. ("ISC")