dnssec-importkey.html revision 914ed533b846624c8ba5e7a72a5e8e50c9018b0a
<!--
 - Copyright (C) 2013 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-importkey"></a><div class="titlepage"></div>
<p><span class="application">dnssec-importkey</span> — Import DNSKEY records from external systems so they can be managed.</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">dnsname</code>]</p></div>
<p><span><strong class="command">dnssec-importkey</strong></span>
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
existing .key file, in which case a corresponding .private file
will be generated, or it may be read from any other file or
from the standard input, in which case both .key and .private
files will be generated.
The newly-created .private file does <span class="emphasis"><em>not</em></span>
contain private key data, and cannot be used for signing.
However, having a .private file makes it possible to set
publication (<code class="option">-P</code>) and deletion
(<code class="option">-D</code>) times for the key, which means the
public key can be added to and removed from the DNSKEY RRset
on schedule even if the true private key is stored offline.</p>
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd><p>
Zone file mode: instead of a public keyfile name, the argument
is the DNS domain name of a zone master file, which can be read
from <code class="option">file</code>. If the domain name is the same as
<code class="option">file</code>, then it may be omitted.
If <code class="option">file</code> is set to <code class="literal">"-"</code>, then
the zone data is read from the standard input.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<a name="id2543601"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To explicitly prevent a date from being
set, use 'none' or 'never'.
</p>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
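<p>The date/offset rules above, worked through as an added Python example (not part of the BIND distribution and not the tool's own parser). The function names, the UTC interpretation of absolute dates, and the check that deletion follows publication are assumptions of this sketch; it makes visible that <code class="literal">+1y</code> and <code class="literal">+12mo</code> are five days apart.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per suffix, using the definitions in TIMING OPTIONS:
# a year is 365 24-hour days, a month is 30 24-hour days.
UNIT_SECONDS = {
    "y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
    "d": 86400, "h": 3600, "mi": 60,
    "": 1,  # no suffix: the offset is in seconds
}
_OFFSET_RE = re.compile(r"([+-])(\d+)(y|mo|w|d|h|mi)?")
_DATE_RE = re.compile(r"\d{8}(\d{6})?")


def parse_timing(arg, now):
    """Return the datetime a -P/-D argument denotes, or None for 'none'/'never'.

    `now` is passed in so results are reproducible. Reading absolute
    dates as UTC is an assumption of this sketch.
    """
    if arg in ("none", "never"):
        return None
    m = _OFFSET_RE.fullmatch(arg)
    if m:
        sign, count, suffix = m.groups()
        delta = timedelta(seconds=int(count) * UNIT_SECONDS[suffix or ""])
        return now + delta if sign == "+" else now - delta
    if _DATE_RE.fullmatch(arg):
        fmt = "%Y%m%d" if len(arg) == 8 else "%Y%m%d%H%M%S"
        # strptime also rejects impossible dates such as 20130230.
        return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
    # A bare 'm' is neither 'mo' nor 'mi', so it is rejected here.
    raise ValueError(f"not a date, offset, 'none' or 'never': {arg!r}")


def check_schedule(publish, delete, now):
    """Parse a -P/-D pair; reject a deletion at or before publication.

    This ordering check is an added sanity check, not tool behaviour.
    """
    p, d = parse_timing(publish, now), parse_timing(delete, now)
    if p is not None and d is not None and d <= p:
        raise ValueError(f"deletion {d} is not after publication {p}")
    return p, d
```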
<p>
A keyfile can be designated by the key identification
<code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
<code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
<span class="refentrytitle">dnssec-keygen</span>(8).
</p>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>