dnssec-importkey.html revision 5347c0fcb04eaea19d9f39795646239f487c6207
<!--
 - Copyright (C) 2013-2016 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-importkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-importkey</span> — import DNSKEY records from external systems so they can be managed</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
<h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-importkey</strong></span>
 reads a public DNSKEY record and generates a pair of
 .key/.private files. The DNSKEY record may be read from an
 existing .key file, in which case a corresponding .private file
 will be generated, or it may be read from any other file or
 from the standard input, in which case both .key and .private
 files will be generated.
 The newly-created .private file does <span class="emphasis"><em>not</em></span>
 contain private key data, and cannot be used for signing.
 However, having a .private file makes it possible to set
 publication (<code class="option">-P</code>) and deletion
 (<code class="option">-D</code>) times for the key, which means the
 public key can be added to and removed from the DNSKEY RRset
 on schedule even if the true private key is stored offline.
</p>
<h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
 Zone file mode: instead of a public key file name, the argument
 is the DNS domain name whose DNSKEY records are to be imported;
 those records are read from the zone master file
 <code class="option">filename</code>. If the domain name is the same as
 <code class="option">filename</code>, the argument may be omitted.
 If <code class="option">filename</code> is set to <code class="literal">"-"</code>,
 the zone data is read from the standard input.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 takes precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Emits a usage message and exits.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
</p></dd>
</dl></div>
<h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To explicitly prevent a date from being
 set, use 'none' or 'never'.
</p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it.
</p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which CDS and CDNSKEY records that match this
 key are to be published to the zone.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the CDS and CDNSKEY records that match
 this key are to be deleted.
</p></dd>
</dl></div>
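<p>
 The date/offset syntax and the <code class="option">-P</code>/<code class="option">-D</code>
 schedule described above, as an added example written for this page in Python; it is
 not part of BIND. <code class="literal">parse_timing</code> applies exactly the rules the
 man page states (365-day years, 30-day months, bare offsets in seconds, 'none'/'never'),
 and <code class="literal">check_schedule</code> is a consistency check of this example's
 own, not something <span class="command"><strong>dnssec-importkey</strong></span> enforces.
 Assumptions: absolute dates are treated as UTC, and the reference date 20200101 used at the
 bottom is constructed for the demonstration.
</p>

```python
"""Parse the date/offset syntax accepted by dnssec-importkey -P and -D.

Added example, not BIND code: it re-implements the rules the man page
states so a rollover script can validate a schedule before handing the
values to the tool.
"""
import re
from datetime import datetime, timedelta, timezone

# Unit lengths in seconds, as the man page defines them: a year is
# 365 24-hour days and a month 30 24-hour days; leap years are ignored.
_UNIT_SECONDS = {
    "y": 365 * 86400,
    "mo": 30 * 86400,
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
    "": 1,          # bare offset: seconds
}

_OFFSET_RE = re.compile(r"^([+-])(\d+)(y|mo|w|d|h|mi)?$")


def parse_timing(arg, now=None):
    """Return the UTC datetime ARG denotes, or None for 'none'/'never'.

    ARG is YYYYMMDD, YYYYMMDDHHMMSS, or a signed offset such as +1mo,
    -2w or +3600 (seconds when no suffix is given).  NOW anchors offsets
    and defaults to the current time.  Absolute dates are taken as UTC
    (an assumption of this example, not a statement about BIND).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    if arg in ("none", "never"):
        return None
    m = _OFFSET_RE.match(arg)
    if m:
        sign, count, unit = m.groups()
        secs = int(count) * _UNIT_SECONDS[unit or ""]
        return now + timedelta(seconds=secs if sign == "+" else -secs)
    if re.fullmatch(r"\d{8}", arg):
        return datetime.strptime(arg, "%Y%m%d").replace(tzinfo=timezone.utc)
    if re.fullmatch(r"\d{14}", arg):
        return datetime.strptime(arg, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    raise ValueError("unrecognised date/offset: %r" % arg)


def to_absolute(dt):
    """Render a datetime back in the YYYYMMDDHHMMSS form the tool accepts."""
    return dt.strftime("%Y%m%d%H%M%S")


def check_schedule(publish, delete, sync_publish=None, sync_delete=None):
    """Consistency check for a -P/-D (and -P sync/-D sync) schedule.

    Returns a list of problems; an empty list means the schedule is sane.
    A key deleted before it is published never appears in the zone, and
    CDS/CDNSKEY records should neither precede nor outlive the DNSKEY
    they advertise.  These rules are this example's own.
    """
    problems = []
    if publish and delete and delete <= publish:
        problems.append("deletion date is not after publication date")
    if sync_publish and publish and sync_publish < publish:
        problems.append("CDS/CDNSKEY published before the DNSKEY itself")
    if sync_delete and delete and sync_delete > delete:
        problems.append("CDS/CDNSKEY scheduled to outlive the DNSKEY")
    return problems


if __name__ == "__main__":
    anchor = parse_timing("20200101")            # constructed reference time
    pub = parse_timing("+1mo", anchor)
    dele = parse_timing("+1y", anchor)
    print(to_absolute(pub), to_absolute(dele), check_schedule(pub, dele))
```

<p>
 Note the leap-year caveat the man page states: from 20200101, "+1y" lands on
 20201231 because a year is 365 24-hour days. For a rollover that must fall on a
 calendar date, pass the absolute YYYYMMDD or YYYYMMDDHHMMSS form instead of an offset.
</p>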
<h2>FILES</h2>
<p>
 A key file can be designated by the key identification
 <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
 <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
 <span class="refentrytitle">dnssec-keygen</span>(8), where
 <code class="filename">nnnn</code> is the key's owner name,
 <code class="filename">aaa</code> the DNSSEC algorithm number and
 <code class="filename">iiiii</code> the key tag.
</p>
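<p>
 How the <code class="filename">Knnnn.+aaa+iiiii</code> name follows from a DNSKEY record,
 as an added example written for this page in Python (not BIND's own code): it applies the
 RFC 4034 Appendix B key tag algorithm so you can predict which .key/.private pair
 <span class="command"><strong>dnssec-importkey</strong></span> will write for a record
 you are about to import, and it runs the checks a practitioner should apply first:
 RFC 4034 requires protocol 3, and a key that signs zone data must carry the ZONE flag.
 The sample records are constructed; their public key material is a placeholder, and the
 owner name is used as written with its trailing dot (case normalisation is assumed to be
 the caller's job).
</p>

```python
"""Key tag and Knnnn.+aaa+iiiii file name for a DNSKEY record.

Added example, not BIND code.  Key tag per RFC 4034 Appendix B, which
applies to every algorithm except 1 (RSA/MD5, which has its own rule).
"""
import base64


def parse_dnskey(line):
    """Parse one DNSKEY RR in presentation format.

    Accepts 'owner [ttl] [class] DNSKEY flags protocol algorithm base64...'
    (TTL and class are optional, as in a .key file).  Returns a tuple
    (owner, flags, protocol, algorithm, public_key_bytes).
    """
    tokens = line.split(";", 1)[0].split()      # drop a trailing comment
    if "DNSKEY" not in tokens:
        raise ValueError("not a DNSKEY record: %r" % line)
    idx = tokens.index("DNSKEY")
    owner = tokens[0]
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(tokens[idx + 4:]), validate=True)
    return owner, flags, protocol, algorithm, pubkey


def key_tag(flags, protocol, algorithm, pubkey):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def keyfile_basename(line):
    """K<owner>+<algorithm, 3 digits>+<key tag, 5 digits>, no suffix.

    The owner name is used as written, with a trailing dot added if
    missing; lower-casing is left to the caller (assumption of this
    example).
    """
    owner, flags, protocol, algorithm, pubkey = parse_dnskey(line)
    if not owner.endswith("."):
        owner += "."
    tag = key_tag(flags, protocol, algorithm, pubkey)
    return "K%s+%03d+%05d" % (owner, algorithm, tag)


def import_problems(line):
    """Checks worth running before importing; returns a list of findings.

    RFC 4034: the protocol field MUST be 3, and a key without the ZONE
    flag (bit 7, value 256) cannot be used to verify zone signatures.
    """
    _, flags, protocol, algorithm, pubkey = parse_dnskey(line)
    problems = []
    if protocol != 3:
        problems.append("protocol field is %d, must be 3" % protocol)
    if not flags & 256:
        problems.append("ZONE flag not set; not a zone key")
    if not pubkey:
        problems.append("empty public key")
    return problems


# Constructed sample records: the base64 payloads are placeholders,
# not real key material, which is fine for tag computation.
SAMPLE_KSK = "example.com. 3600 IN DNSKEY 257 3 13 AQIDBA=="
SAMPLE_BAD = "example.com. IN DNSKEY 0 4 8 AA=="

if __name__ == "__main__":
    print(keyfile_basename(SAMPLE_KSK), import_problems(SAMPLE_KSK))
    print(keyfile_basename(SAMPLE_BAD), import_problems(SAMPLE_BAD))
```

<p>
 The key tag is a checksum, not a unique identifier: two keys with the same owner and
 algorithm can share a tag. Before importing into a <code class="option">-K</code>
 directory, check that the predicted <code class="filename">.key</code> and
 <code class="filename">.private</code> names do not already belong to a different key.
</p>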
<h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,