Updated: 2025/Nov/16

Please read Privacy Policy. It's for your privacy.

DNSSEC-REVOKE(1)                    BIND 9                    DNSSEC-REVOKE(1)

NAME
       dnssec-revoke - set the REVOKED bit on a DNSSEC key

SYNOPSIS
       dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f]
       [-R] {keyfile}

DESCRIPTION
       dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key
       as defined in RFC 5011, and creates a new pair of key files containing
       the now-revoked key.

OPTIONS

       -h     This option emits a usage message and exits.

       -K directory
              This option sets the directory in which the key files are to
              reside.

       -r     This option indicates to remove the original keyset files after
              writing the new keyset files.

       -v level
              This option sets the debugging level.

       -V     This option prints version information.

       -E engine
              This option specifies the cryptographic hardware to use, when
              applicable.

              When BIND 9 is built with OpenSSL, this needs to be set to the
              OpenSSL engine identifier that drives the cryptographic
              accelerator or hardware service module (usually pkcs11).

       -f     This option indicates a forced overwrite and causes
              dnssec-revoke to write the new key pair, even if a file already
              exists matching the algorithm and key ID of the revoked key.

       -R     This option prints the key tag of the key with the REVOKE bit
              set, but does not revoke the key.

SEE ALSO
       dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2025, Internet Systems Consortium

@PACKAGE_VERSION@                                             DNSSEC-REVOKE(1)