1 <!--
2 - Copyright (C) Internet Systems Consortium, Inc. ("ISC")
3 -
4 - This Source Code Form is subject to the terms of the Mozilla Public
5 - License, v. 2.0. If a copy of the MPL was not distributed with this
6 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
7 -
8 - See the COPYRIGHT file distributed with this work for additional
9 - information regarding copyright ownership.
10 -->
11
12 <!-- Converted by db4-upgrade version 1.0 -->
13 <refentry xmlns:db="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
14 <info>
15 <date>2014-02-20</date>
16 </info>
17 <refentryinfo>
18 <date>August 21, 2015</date>
19 <corpname>ISC</corpname>
20 <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
21 </refentryinfo>
22
23 <refmeta>
24 <refentrytitle><application>dnssec-importkey</application></refentrytitle>
25 <manvolnum>8</manvolnum>
26 <refmiscinfo>BIND9</refmiscinfo>
27 </refmeta>
28
29 <refnamediv>
30 <refname><application>dnssec-importkey</application></refname>
31 <refpurpose>import DNSKEY records from external systems so they can be managed</refpurpose>
32 </refnamediv>
33
34 <docinfo>
35 <copyright>
36 <year>2013</year>
37 <year>2014</year>
38 <year>2015</year>
39 <year>2016</year>
40 <year>2018</year>
41 <year>2019</year>
42 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
43 </copyright>
44 </docinfo>
45
46 <refsynopsisdiv>
47 <cmdsynopsis sepchar=" ">
48 <command>dnssec-importkey</command>
49 <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
50 <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
51 <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
52 <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
53 <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
54 <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
55 <arg choice="opt" rep="norepeat"><option>-h</option></arg>
56 <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
57 <arg choice="opt" rep="norepeat"><option>-V</option></arg>
58 <arg choice="req" rep="norepeat"><option>keyfile</option></arg>
59 </cmdsynopsis>
60 <cmdsynopsis sepchar=" ">
61 <command>dnssec-importkey</command>
62 <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
63 <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
64 <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
65 <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
66 <arg choice="opt" rep="norepeat"><option>-P sync <replaceable class="parameter">date/offset</replaceable></option></arg>
67 <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
68 <arg choice="opt" rep="norepeat"><option>-D sync <replaceable class="parameter">date/offset</replaceable></option></arg>
69 <arg choice="opt" rep="norepeat"><option>-h</option></arg>
70 <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
71 <arg choice="opt" rep="norepeat"><option>-V</option></arg>
72 <arg choice="opt" rep="norepeat"><option>dnsname</option></arg>
73 </cmdsynopsis>
74 </refsynopsisdiv>
75
76 <refsection><info><title>DESCRIPTION</title></info>
77
78 <para><command>dnssec-importkey</command>
79 reads a public DNSKEY record and generates a pair of
80 .key/.private files. The DNSKEY record may be read from an
81 existing .key file, in which case a corresponding .private file
82 will be generated, or it may be read from any other file or
83 from the standard input, in which case both .key and .private
84 files will be generated.
85 </para>
86 <para>
87 The newly-created .private file does <emphasis>not</emphasis>
88 contain private key data, and cannot be used for signing.
89 However, having a .private file makes it possible to set
90 publication (<option>-P</option>) and deletion
91 (<option>-D</option>) times for the key, which means the
92 public key can be added to and removed from the DNSKEY RRset
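93 on schedule even if the true private key is stored offline. Because an imported key ends up in the zone's DNSKEY RRset, confirm that the record came from the intended source before importing it.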
94 </para>
95 </refsection>
96
97 <refsection><info><title>OPTIONS</title></info>
98
99
100 <variablelist>
101 <varlistentry>
102 <term>-f <replaceable class="parameter">filename</replaceable></term>
103 <listitem>
104 <para>
105 Zone file mode: instead of a public keyfile name, the argument
106 is the DNS domain name of a zone master file, which can be read
107 from <option>filename</option>. If the domain name is the same as
108 <option>filename</option>, then it may be omitted.
109 </para>
110 <para>
111 If <option>filename</option> is set to <literal>"-"</literal>, then
112 the zone data is read from the standard input.
113 </para>
114 </listitem>
115 </varlistentry>
116
117 <varlistentry>
118 <term>-K <replaceable class="parameter">directory</replaceable></term>
119 <listitem>
120 <para>
121 Sets the directory in which the key files are to reside.
122 </para>
123 </listitem>
124 </varlistentry>
125
126 <varlistentry>
127 <term>-L <replaceable class="parameter">ttl</replaceable></term>
128 <listitem>
129 <para>
130 Sets the default TTL to use for this key when it is converted
131 into a DNSKEY RR. If the key is imported into a zone,
132 this is the TTL that will be used for it, unless there is
133 already a DNSKEY RRset in place, in which case the existing TTL
134 takes precedence. Setting the default TTL to
135 <literal>0</literal> or <literal>none</literal> removes it from the key.
136 </para>
137 </listitem>
138 </varlistentry>
139
140 <varlistentry>
141 <term>-h</term>
142 <listitem>
143 <para>
144 Emit usage message and exit.
145 </para>
146 </listitem>
147 </varlistentry>
148
149 <varlistentry>
150 <term>-v <replaceable class="parameter">level</replaceable></term>
151 <listitem>
152 <para>
153 Sets the debugging level.
154 </para>
155 </listitem>
156 </varlistentry>
157
158 <varlistentry>
159 <term>-V</term>
160 <listitem>
161 <para>
162 Prints version information.
163 </para>
164 </listitem>
165 </varlistentry>
166
167 </variablelist>
168 </refsection>
169
170 <refsection><info><title>TIMING OPTIONS</title></info>
171
172 <para>
173 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
174 If the argument begins with a '+' or '-', it is interpreted as
175 an offset from the present time. For convenience, if such an offset
176 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
177 then the offset is computed in years (defined as 365 24-hour days,
178 ignoring leap years), months (defined as 30 24-hour days), weeks,
179 days, hours, or minutes, respectively. Without a suffix, the offset
180 is computed in seconds. To explicitly prevent a date from being
181 set, use 'none' or 'never'.
182 </para>
183
184 <variablelist>
185 <varlistentry>
186 <term>-P <replaceable class="parameter">date/offset</replaceable></term>
187 <listitem>
188 <para>
189 Sets the date on which a key is to be published to the zone.
190 After that date, the key will be included in the zone but will
191 not be used to sign it.
192 </para>
193 </listitem>
194 </varlistentry>
195
196 <varlistentry>
197 <term>-P sync <replaceable class="parameter">date/offset</replaceable></term>
198 <listitem>
199 <para>
200 Sets the date on which CDS and CDNSKEY records that match this
201 key are to be published to the zone.
202 </para>
203 </listitem>
204 </varlistentry>
205
206 <varlistentry>
207 <term>-D <replaceable class="parameter">date/offset</replaceable></term>
208 <listitem>
209 <para>
210 Sets the date on which the key is to be deleted. After that
211 date, the key will no longer be included in the zone. (It
212 may remain in the key repository, however.)
213 </para>
214 </listitem>
215 </varlistentry>
216
217 <varlistentry>
218 <term>-D sync <replaceable class="parameter">date/offset</replaceable></term>
219 <listitem>
220 <para>
221 Sets the date on which the CDS and CDNSKEY records that match
222 this key are to be deleted.
223 </para>
224 </listitem>
225 </varlistentry>
226
227 </variablelist>
228 </refsection>
229
230 <refsection><info><title>FILES</title></info>
231
232 <para>
233 A keyfile can be designated by the key identification
234 <filename>Knnnn.+aaa+iiiii</filename> or the full file name
235 <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
236 <citerefentry><refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
237 </para>
238 </refsection>
239
240 <refsection><info><title>SEE ALSO</title></info>
241
242 <para><citerefentry>
243 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
244 </citerefentry>,
245 <citerefentry>
246 <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
247 </citerefentry>,
248 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
249 <citetitle>RFC 5011</citetitle>.
250 </para>
251 </refsection>
252
253 </refentry>