dnssec-importkey(8)
DNSSEC-IMPORTKEY(8) BIND9 DNSSEC-IMPORTKEY(8)
NAME
dnssec-importkey - import DNSKEY records from external
systems so they can be managed
SYNOPSIS
dnssec-importkey [-K directory] [-L ttl] [-P date/offset]
[-D date/offset] [-h] [-v level] [-V]
{keyfile}
dnssec-importkey {-f filename} [-K directory] [-L ttl]
[-P date/offset] [-D date/offset] [-h]
[-v level] [-V] [dnsname]
DESCRIPTION
dnssec-importkey reads a public DNSKEY record and generates
a pair of .key/.private files. The DNSKEY record may be read
from an existing .key file, in which case a corresponding
.private file will be generated, or it may be read from any
other file or from the standard input, in which case both
.key and .private files will be generated.
The newly-created .private file does not contain private key
data, and cannot be used for signing. However, having a
.private file makes it possible to set publication (-P) and
deletion (-D) times for the key, which means the public key
can be added to and removed from the DNSKEY RRset on
schedule even if the true private key is stored offline.
OPTIONS
-f filename
Zone file mode: instead of a public keyfile name, the
argument is the DNS domain name of a zone master file,
which can be read from file. If the domain name is the
same as file, then it may be omitted.
If file is set to "-", then the zone data is read from
the standard input.
-K directory
Sets the directory in which the key files are to reside.
-L ttl
Sets the default TTL to use for this key when it is
converted into a DNSKEY RR. If the key is imported into
a zone, this is the TTL that will be used for it, unless
there was already a DNSKEY RRset in place, in which case
the existing TTL would take precedence. Setting the
default TTL to 0 or none removes it.
-h
Emit usage message and exit.
ISC Last change: 2014-02-20 1
DNSSEC-IMPORTKEY(8) BIND9 DNSSEC-IMPORTKEY(8)
-v level
Sets the debugging level.
-V
Prints version information.
TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or
YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it
is interpreted as an offset from the present time. For
convenience, if such an offset is followed by one of the
suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset
is computed in years (defined as 365 24-hour days, ignoring
leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the
offset is computed in seconds. To explicitly prevent a date
from being set, use 'none' or 'never'.
-P date/offset
Sets the date on which a key is to be published to the
zone. After that date, the key will be included in the
zone but will not be used to sign it.
-D date/offset
Sets the date on which the key is to be deleted. After
that date, the key will no longer be included in the
zone. (It may remain in the key repository, however.)
FILES
A keyfile can be designed by the key identification
Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key
as generated by dnssec-keygen(8).
SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator
Reference Manual, RFC 5011.
AUTHOR
Internet Systems Consortium, Inc.
COPYRIGHT
Copyright �8c�9 2013-2016 Internet Systems Consortium, Inc.
("ISC")
ISC Last change: 2014-02-20 2
Man(1) output converted with
man2html