Update repub branch u/fanf2/patch to rebasing branch u/fanf2/rebasing revision v9_13_...
0c91911b 1<!--
843d3896 2 - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
0c91911b 3 -
4 - This Source Code Form is subject to the terms of the Mozilla Public
5 - License, v. 2.0. If a copy of the MPL was not distributed with this
6 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 -
8 - See the COPYRIGHT file distributed with this work for additional
9 - information regarding copyright ownership.
0c91911b 10-->
2eeb74d1 11
14a656f9 12<!-- Converted by db4-upgrade version 1.0 -->
1b8ce3b3 13<refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
14 <info>
15 <date>2014-02-20</date>
16 </info>
0c91911b 17 <refentryinfo>
e939674d 18 <date>August 21, 2015</date>
19 <corpname>ISC</corpname>
20 <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
21 </refentryinfo>
22
23 <refmeta>
24 <refentrytitle><application>dnssec-importkey</application></refentrytitle>
25 <manvolnum>8</manvolnum>
26 <refmiscinfo>BIND9</refmiscinfo>
27 </refmeta>
28
29 <refnamediv>
30 <refname><application>dnssec-importkey</application></refname>
f02194c0 31 <refpurpose>import DNSKEY records from external systems so they can be managed</refpurpose>
32 </refnamediv>
33
34 <docinfo>
35 <copyright>
36 <year>2013</year>
81f58902 37 <year>2014</year>
19c7b1a0 38 <year>2015</year>
0c27b3fe 39 <year>2016</year>
843d3896 40 <year>2018</year>
dc64b706 41 <year>2019</year>
42 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
43 </copyright>
44 </docinfo>
45
46 <refsynopsisdiv>
14a656f9 47 <cmdsynopsis sepchar=" ">
0c91911b 48 <command>dnssec-importkey</command>
49 <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
50 <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
51 <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d 52 <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f9 53 <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d 54 <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
55 <arg choice="opt" rep="norepeat"><option>-h</option></arg>
56 <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
57 <arg choice="opt" rep="norepeat"><option>-V</option></arg>
58 <arg choice="req" rep="norepeat"><option>keyfile</option></arg>
6b043429 59 </cmdsynopsis>
14a656f9 60 <cmdsynopsis sepchar=" ">
6b043429 61 <command>dnssec-importkey</command>
62 <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
63 <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
64 <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
65 <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d 66 <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
14a656f9 67 <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
e939674d 68 <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
69 <arg choice="opt" rep="norepeat"><option>-h</option></arg>
70 <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
71 <arg choice="opt" rep="norepeat"><option>-V</option></arg>
72 <arg choice="opt" rep="norepeat"><option>dnsname</option></arg>
73 </cmdsynopsis>
74 </refsynopsisdiv>
75
14a656f9 76 <refsection><info><title>DESCRIPTION</title></info>
30eec077 77
0c91911b 78 <para><command>dnssec-importkey</command>
79 reads a public DNSKEY record and generates a pair of
80 .key/.private files. The DNSKEY record may be read from an
81 existing .key file, in which case a corresponding .private file
82 will be generated, or it may be read from any other file or
83 from the standard input, in which case both .key and .private
84 files will be generated.
85 </para>
86 <para>
6ce1aa19 87 The newly-created .private file does <emphasis>not</emphasis>
88 contain private key data, and cannot be used for signing.
89 However, having a .private file makes it possible to set
90 publication (<option>-P</option>) and deletion
91 (<option>-D</option>) times for the key, which means the
92 public key can be added to and removed from the DNSKEY RRset
93 on schedule even if the true private key is stored offline.
0c91911b 94 </para>
14a656f9 95 </refsection>
0c91911b 96
14a656f9 97 <refsection><info><title>OPTIONS</title></info>
30eec077 98
99
100 <variablelist>
101 <varlistentry>
102 <term>-f <replaceable class="parameter">filename</replaceable></term>
103 <listitem>
104 <para>
105 Zone file mode: instead of a public keyfile name, the argument
6b043429 106 is the DNS domain name of a zone master file, which can be read
107 from <option>file</option>. If the domain name is the same as
108 <option>file</option>, then it may be omitted.
109 </para>
110 <para>
111 If <option>file</option> is set to <literal>"-"</literal>, then
112 the zone data is read from the standard input.
113 </para>
114 </listitem>
0c91911b 115 </varlistentry>
30eec077 116
0c91911b 117 <varlistentry>
118 <term>-K <replaceable class="parameter">directory</replaceable></term>
119 <listitem>
120 <para>
121 Sets the directory in which the key files are to reside.
122 </para>
123 </listitem>
124 </varlistentry>
125
126 <varlistentry>
127 <term>-L <replaceable class="parameter">ttl</replaceable></term>
128 <listitem>
129 <para>
130 Sets the default TTL to use for this key when it is converted
131 into a DNSKEY RR. If the key is imported into a zone,
132 this is the TTL that will be used for it, unless there was
133 already a DNSKEY RRset in place, in which case the existing TTL
134 would take precedence. Setting the default TTL to
135 <literal>0</literal> or <literal>none</literal> removes it.
136 </para>
137 </listitem>
138 </varlistentry>
139
140 <varlistentry>
141 <term>-h</term>
e939674d 142 <listitem>
143 <para>
144 Emit usage message and exit.
145 </para>
e939674d 146 </listitem>
0c91911b 147 </varlistentry>
30eec077 148
0c91911b 149 <varlistentry>
150 <term>-v <replaceable class="parameter">level</replaceable></term>
151 <listitem>
152 <para>
153 Sets the debugging level.
154 </para>
155 </listitem>
156 </varlistentry>
157
158 <varlistentry>
159 <term>-V</term>
e939674d 160 <listitem>
161 <para>
162 Prints version information.
163 </para>
e939674d 164 </listitem>
165 </varlistentry>
166
0c91911b 167 </variablelist>
14a656f9 168 </refsection>
0c91911b 169
14a656f9 170 <refsection><info><title>TIMING OPTIONS</title></info>
30eec077 171
172 <para>
173 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
174 If the argument begins with a '+' or '-', it is interpreted as
175 an offset from the present time. For convenience, if such an offset
176 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
177 then the offset is computed in years (defined as 365 24-hour days,
178 ignoring leap years), months (defined as 30 24-hour days), weeks,
179 days, hours, or minutes, respectively. Without a suffix, the offset
180 is computed in seconds. To explicitly prevent a date from being
181 set, use 'none' or 'never'.
182 </para>
183
184 <variablelist>
185 <varlistentry>
186 <term>-P <replaceable class="parameter">date/offset</replaceable></term>
187 <listitem>
188 <para>
189 Sets the date on which a key is to be published to the zone.
190 After that date, the key will be included in the zone but will
191 not be used to sign it.
192 </para>
193 </listitem>
194 </varlistentry>
195
196 <varlistentry>
197 <term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
198 <listitem>
199 <para>
200 Sets the date on which CDS and CDNSKEY records that match this
201 key are to be published to the zone.
202 </para>
203 </listitem>
204 </varlistentry>
205
206 <varlistentry>
207 <term>-D <replaceable class="parameter">date/offset</replaceable></term>
208 <listitem>
209 <para>
210 Sets the date on which the key is to be deleted. After that
211 date, the key will no longer be included in the zone. (It
212 may remain in the key repository, however.)
213 </para>
214 </listitem>
215 </varlistentry>
216
217 <varlistentry>
218 <term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
219 <listitem>
220 <para>
221 Sets the date on which the CDS and CDNSKEY records that match
222 this key are to be deleted.
223 </para>
224 </listitem>
225 </varlistentry>
226
227 </variablelist>
14a656f9 228 </refsection>
0c91911b 229
14a656f9 230 <refsection><info><title>FILES</title></info>
30eec077 231
232 <para>
233 A keyfile can be designated by the key identification
234 <filename>Knnnn.+aaa+iiiii</filename> or the full file name
235 <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
236 <citerefentry><refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
237 </para>
14a656f9 238 </refsection>
6b043429 239
14a656f9 240 <refsection><info><title>SEE ALSO</title></info>
30eec077 241
0c91911b 242 <para><citerefentry>
e939674d 243 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
244 </citerefentry>,
245 <citerefentry>
e939674d 246 <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
247 </citerefentry>,
248 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
249 <citetitle>RFC 5011</citetitle>.
250 </para>
14a656f9 251 </refsection>
0c91911b 252
14a656f9 253</refentry>