<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
- Copyright (C) 2013-2016, 2018, 2019 Internet Systems Consortium, Inc. ("ISC")
-
- This Source Code Form is subject to the terms of the Mozilla Public
- License, v. 2.0. If a copy of the MPL was not distributed with this
- file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-importkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-importkey"></a><div class="titlepage"></div>

<div class="refnamediv">
<h2>Name</h2>
<p>
<span class="application">dnssec-importkey</span>
&#8212; import DNSKEY records from external systems so they can be managed
</p>
</div>

<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-importkey</code>
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
{<code class="option">keyfile</code>}
</p></div>
<div class="cmdsynopsis"><p>
<code class="command">dnssec-importkey</code>
{<code class="option">-f <em class="replaceable"><code>filename</code></em></code>}
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-h</code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-V</code>]
[<code class="option">dnsname</code>]
</p></div>
</div>

<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>

<p><span class="command"><strong>dnssec-importkey</strong></span>
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
existing .key file, in which case a corresponding .private file
will be generated, or it may be read from any other file or
from the standard input, in which case both .key and .private
files will be generated.
</p>
<p>
The newly-created .private file does <span class="emphasis"><em>not</em></span>
contain private key data, and cannot be used for signing.
However, having a .private file makes it possible to set
publication (<code class="option">-P</code>) and deletion
(<code class="option">-D</code>) times for the key, which means the
public key can be added to and removed from the DNSKEY RRset
on schedule even if the true private key is stored offline.
</p>
</div>

<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>

<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <code class="option">filename</code>. If the domain name is the same as
<code class="option">filename</code>, then it may be omitted.
</p>
<p>
If <code class="option">filename</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
<p>
Sets the directory in which the key files are to reside.
</p>
</dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
<p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p>
</dd>
<dt><span class="term">-h</span></dt>
<dd>
<p>
Emit usage message and exit.
</p>
</dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
<p>
Sets the debugging level.
</p>
</dd>
<dt><span class="term">-V</span></dt>
<dd>
<p>
Prints version information.
</p>
</dd>
</dl></div>
</div>

<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>

<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>

<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p>
</dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
</p>
</dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p>
</dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
<p>
Sets the date on which the CDS and CDNSKEY records that match
this key are to be deleted.
</p>
</dd>
</dl></div>
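<p>
The date/offset rules above, written out as a parser with a pre-flight check
that a key's deletion time falls after its publication time. This is an added
example, not BIND code: it accepts only the forms this page documents, and
<code>parse_when</code>, <code>check_schedule</code> and the reading of
absolute dates as UTC are assumptions of the example.
</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per suffix as the page defines them: 365-day years, 30-day months.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, None: 1}
OFFSET = re.compile(r"([+-])(\d+)(y|mo|w|d|h|mi)?")


def parse_when(arg, now):
    """Resolve one -P/-D argument to a datetime, or None for 'none'/'never'."""
    if arg in ("none", "never"):
        return None
    m = OFFSET.fullmatch(arg)
    if m:
        seconds = int(m.group(2)) * UNIT_SECONDS[m.group(3)]
        return now + timedelta(seconds=seconds if m.group(1) == "+" else -seconds)
    # Absolute dates; reading them as UTC is an assumption of this example.
    for digits, fmt in ((8, "%Y%m%d"), (14, "%Y%m%d%H%M%S")):
        if re.fullmatch(r"\d{%d}" % digits, arg):
            return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
    raise ValueError("not a date, offset, 'none' or 'never': %r" % arg)


def check_schedule(publish, delete, now):
    """Return (publish, delete) datetimes; reject a deletion at or before publication."""
    p, d = parse_when(publish, now), parse_when(delete, now)
    if p is not None and d is not None and d <= p:
        raise ValueError("key would be deleted at or before its publication time")
    return p, d


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed reference time
    for arg in ("+1y", "+1mo", "-90", "20240315", "20240315120000", "never"):
        print("%-15s -> %s" % (arg, parse_when(arg, now)))
    print(check_schedule("+1w", "+6mo", now))
```

<p>
Because a year is fixed at 365 days, <code>+1y</code> from 1 January 2024
(a leap year) resolves to 31 December 2024, not 1 January 2025.
</p>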
</div>

<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>

<p>
A keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
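<p>
In the <code class="filename">Knnnn.+aaa+iiiii</code> form used by
dnssec-keygen(8), nnnn is the key name, aaa the algorithm number and iiiii
the key tag. The following added example (not BIND code) derives that
identification from a DNSKEY record using the RFC 4034 Appendix B key tag
calculation, so the tag reported by an external system can be checked before
the key is imported. The function names and the sample record are constructed
for illustration, and the owner name is assumed to be fully qualified.
</p>

```python
import base64

# Constructed sample record: the key material is bytes 0..63, not a real ECDSA key.
SAMPLE = ("example.com. 3600 IN DNSKEY 257 3 13 "
          "AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v "
          "MDEyMzQ1Njc4OTo7PD0+Pw==")


def parse_dnskey(line):
    """Split one presentation-format DNSKEY record into its fields."""
    fields = [f for f in line.split(";", 1)[0].split() if f not in ("(", ")")]
    i = fields.index("DNSKEY")            # TTL and class before the type are optional
    owner = fields[0].lower()
    if not owner.endswith("."):
        owner += "."
    flags, protocol, algorithm = (int(x) for x in fields[i + 1:i + 4])
    # The base64 key may be split across several whitespace-separated chunks.
    key = base64.b64decode("".join(fields[i + 4:]), validate=True)
    return owner, flags, protocol, algorithm, key


def key_tag(flags, protocol, algorithm, key):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    if algorithm == 1:
        raise ValueError("RSA/MD5 keys use a different key tag calculation")
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + key
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def key_identification(line):
    """Return the Knnnn.+aaa+iiiii identification for a DNSKEY record."""
    owner, flags, protocol, algorithm, key = parse_dnskey(line)
    return "K%s+%03d+%05d" % (owner, algorithm, key_tag(flags, protocol, algorithm, key))


if __name__ == "__main__":
    print(key_identification(SAMPLE))
```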
</div>

<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>

<p><span class="citerefentry">
<span class="refentrytitle">dnssec-keygen</span>(8)
</span>,
<span class="citerefentry">
<span class="refentrytitle">dnssec-signzone</span>(8)
</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>

</div></body>
</html>