Update repub branch u/fanf2/patch to rebasing branch u/fanf2/rebasing revision v9_13_...
[ipreg/bind9.git] / bin / dnssec / dnssec-importkey.html
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-importkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-importkey"></a><div class="titlepage"></div>

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">dnssec-importkey</span>
    &#8212; import DNSKEY records from external systems so they can be managed
  </p>
</div>

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-importkey</code>
       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-h</code>]
       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
       [<code class="option">-V</code>]
       {<code class="option">keyfile</code>}
    </p></div>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-importkey</code>
       {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-h</code>]
       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
       [<code class="option">-V</code>]
       [<code class="option">dnsname</code>]
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>dnssec-importkey</strong></span>
      reads a public DNSKEY record and generates a pair of
      .key/.private files. The DNSKEY record may be read from an
      existing .key file, in which case a corresponding .private file
      will be generated, or it may be read from any other file or
      from the standard input, in which case both .key and .private
      files will be generated.
    </p>
    <p>
      The newly-created .private file does <span class="emphasis"><em>not</em></span>
      contain private key data, and cannot be used for signing.
      However, having a .private file makes it possible to set
      publication (<code class="option">-P</code>) and deletion
      (<code class="option">-D</code>) times for the key, which means the
      public key can be added to and removed from the DNSKEY RRset
      on schedule even if the true private key is stored offline.
    </p>
  </div>

  <div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
  <p>
    Zone file mode: instead of a public keyfile name, the argument
    is the DNS domain name of a zone master file, which can be read
    from <code class="option">filename</code>. If the domain name is the same as
    <code class="option">filename</code>, then it may be omitted.
  </p>
  <p>
    If <code class="option">filename</code> is set to <code class="literal">"-"</code>, then
    the zone data is read from the standard input.
  </p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
  <p>
    Sets the directory in which the key files are to reside.
  </p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
  <p>
    Sets the default TTL to use for this key when it is converted
    into a DNSKEY RR. If the key is imported into a zone,
    this is the TTL that will be used for it, unless there was
    already a DNSKEY RRset in place, in which case the existing TTL
    would take precedence. Setting the default TTL to
    <code class="literal">0</code> or <code class="literal">none</code> removes it.
  </p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
  <p>
    Emit usage message and exit.
  </p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
  <p>
    Sets the debugging level.
  </p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
  <p>
    Prints version information.
  </p>
</dd>
</dl></div>
  </div>

  <div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>

    <p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time. For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively. Without a suffix, the offset
      is computed in seconds. To explicitly prevent a date from being
      set, use 'none' or 'never'.
    </p>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
  <p>
    Sets the date on which a key is to be published to the zone.
    After that date, the key will be included in the zone but will
    not be used to sign it.
  </p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
  <p>
    Sets the date on which CDS and CDNSKEY records that match this
    key are to be published to the zone.
  </p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
  <p>
    Sets the date on which the key is to be deleted. After that
    date, the key will no longer be included in the zone. (It
    may remain in the key repository, however.)
  </p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
  <p>
    Sets the date on which the CDS and CDNSKEY records that match
    this key are to be deleted.
  </p>
</dd>
</dl></div>
  </div>

  <div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>

    <p>
      A keyfile can be designated by the key identification
      <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
      <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
      <span class="refentrytitle">dnssec-keygen</span>(8).
    </p>
  </div>

  <div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>

    <p><span class="citerefentry">
        <span class="refentrytitle">dnssec-keygen</span>(8)
      </span>,
      <span class="citerefentry">
        <span class="refentrytitle">dnssec-signzone</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 5011</em>.
    </p>
  </div>

</div></body>
</html>