Updated: 2022/Sep/29
Please read Privacy Policy. It's for your privacy.
DNSSEC-IMPORTKEY(8) BIND 9 DNSSEC-IMPORTKEY(8)
NAME
dnssec-importkey - import DNSKEY records from external systems so they
can be managed
SYNOPSIS
dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-P sync
date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level]
[-V] {keyfile}
dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset]
[-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v
level] [-V] [dnsname]
DESCRIPTION
dnssec-importkey reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an existing
.key file, in which case a corresponding .private file is generated, or
it may be read from any other file or from the standard input, in which
case both .key and .private files are generated.
The newly created .private file does not contain private key data, and
cannot be used for signing. However, having a .private file makes it
possible to set publication (-P) and deletion (-D) times for the key,
which means the public key can be added to and removed from the DNSKEY
RRset on schedule even if the true private key is stored offline.
OPTIONS
-f filename
This option indicates the zone file mode. Instead of a public
keyfile name, the argument is the DNS domain name of a zone
master file, which can be read from filename. If the domain name
is the same as filename, then it may be omitted.
If filename is set to "-", then the zone data is read from the
standard input.
-K directory
This option sets the directory in which the key files are to
reside.
-L ttl This option sets the default TTL to use for this key when it is
converted into a DNSKEY RR. This is the TTL used when the key is
imported into a zone, unless there was already a DNSKEY RRset in
place, in which case the existing TTL takes precedence. Setting
the default TTL to 0 or none removes it from the key.
-h This option emits a usage message and exits.
-v level
This option sets the debugging level.
-V This option prints version information.
TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
argument begins with a + or -, it is interpreted as an offset from the
present time. For convenience, if such an offset is followed by one of
the suffixes y, mo, w, d, h, or mi, then the offset is computed in
years (defined as 365 24-hour days, ignoring leap years), months
(defined as 30 24-hour days), weeks, days, hours, or minutes,
respectively. Without a suffix, the offset is computed in seconds. To
explicitly prevent a date from being set, use none or never.
-P date/offset
This option sets the date on which a key is to be published to
the zone. After that date, the key is included in the zone but
is not used to sign it.
-P sync date/offset
This option sets the date on which CDS and CDNSKEY records that
match this key are to be published to the zone.
-D date/offset
This option sets the date on which the key is to be deleted.
After that date, the key is no longer included in the zone.
(However, it may remain in the key repository.)
-D sync date/offset
This option sets the date on which the CDS and CDNSKEY records
that match this key are to be deleted.
FILES
A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or
the full file name Knnnn.+aaa+iiiii.key, as generated by dnssec-keygen.
SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference
Manual, RFC 5011.
AUTHOR
Internet Systems Consortium
COPYRIGHT
2023, Internet Systems Consortium
9.16.42 DNSSEC-IMPORTKEY(8)