dnssec-importkey.html revision e62b9c9ce6413fb183c8116381e75dcd07ca5517
<!--
 - Copyright (C) 2013-2015 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-importkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
<a name="man.dnssec-importkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-importkey</span> &#8212; Import DNSKEY records from external systems so they can be managed.</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-V</code>] [<code class="option">dnsname</code>]</p></div>
</div>
<div class="refsection">
<a name="id-1.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-importkey</strong></span>
 reads a public DNSKEY record and generates a pair of
 .key/.private files. The DNSKEY record may be read from an
 existing .key file, in which case a corresponding .private file
 will be generated, or it may be read from any other file or
 from the standard input, in which case both .key and .private
 files will be generated.
 </p>
<p>
 The newly-created .private file does <span class="emphasis"><em>not</em></span>
 contain private key data, and cannot be used for signing.
 However, having a .private file makes it possible to set
 publication (<code class="option">-P</code>) and deletion
 (<code class="option">-D</code>) times for the key, which means the
 public key can be added to and removed from the DNSKEY RRset
 on schedule even if the true private key is stored offline.
 </p>
</div>
<div class="refsection">
<a name="id-1.8"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
 Zone file mode: instead of a public keyfile name, the argument
 is the DNS domain name of a zone master file, which can be read
 from <code class="option">filename</code>. If the domain name is the same as
 <code class="option">filename</code>, then it may be omitted.
 </p>
<p>
 If <code class="option">filename</code> is set to <code class="literal">"-"</code>, then
 the zone data is read from the standard input.
 </p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to reside.
 </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Emit usage message and exit.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
 </p></dd>
</dl></div>
</div>
<div class="refsection">
<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To explicitly prevent a date from being
 set, use 'none' or 'never'.
 </p>
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it.
 </p></dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which CDS and CDNSKEY records that match this
 key are to be published to the zone.
 </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
 </p></dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the CDS and CDNSKEY records that match
 this key are to be deleted.
 </p></dd>
</dl></div>
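<p>
 The following added example (not part of BIND or of the original page) previews the point in time that a <code class="option">-P</code> or <code class="option">-D</code> argument denotes under the rules above, so a publication/deletion schedule can be checked before it is written to a key file. The names <code class="literal">resolve_time</code> and <code class="literal">check_schedule</code> are hypothetical; treating absolute dates as UTC and rejecting a deletion time that does not follow publication are assumptions of this example, not documented behaviour of <span class="command"><strong>dnssec-importkey</strong></span>.
 </p>

```python
import re
from datetime import datetime, timedelta, timezone

# Unit lengths in seconds, as defined in TIMING OPTIONS.
UNITS = {
    "y": 365 * 86400,   # 365 24-hour days, leap years ignored
    "mo": 30 * 86400,   # 30 24-hour days
    "w": 7 * 86400,
    "d": 86400,
    "h": 3600,
    "mi": 60,
    "": 1,              # no suffix: seconds
}
OFFSET_RE = re.compile(r"([+-])([0-9]+)(y|mo|w|d|h|mi)?")
ABSOLUTE_RE = re.compile(r"[0-9]{8}([0-9]{6})?")


def resolve_time(arg, now):
    """Return the datetime a date/offset argument denotes, or None for 'none'/'never'."""
    if arg in ("none", "never"):
        return None
    m = OFFSET_RE.fullmatch(arg)
    if m:
        sign, count, unit = m.groups()
        delta = timedelta(seconds=int(count) * UNITS[unit or ""])
        return now + delta if sign == "+" else now - delta
    if ABSOLUTE_RE.fullmatch(arg):
        fmt = "%Y%m%d%H%M%S" if len(arg) == 14 else "%Y%m%d"
        # Assumption of this example: absolute dates are read as UTC.
        return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
    raise ValueError(f"not a valid date/offset: {arg!r}")


def check_schedule(publish_arg, delete_arg, now):
    """Resolve a -P/-D pair; reject a deletion time that is not after publication."""
    publish = resolve_time(publish_arg, now)
    delete = resolve_time(delete_arg, now)
    # Added sanity check (an assumption, not a rule stated on this page).
    if publish is not None and delete is not None and delete <= publish:
        raise ValueError(f"-D {delete_arg} is not after -P {publish_arg}")
    return publish, delete


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    for p, d in [("+1mo", "+1y"), ("20240301", "20240901120000"), ("+2w", "never")]:
        print(p, d, check_schedule(p, d, now))
```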
</div>
<div class="refsection">
<a name="id-1.10"></a><h2>FILES</h2>
<p>
 A keyfile can be designated by the key identification
 <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
 <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
 <span class="refentrytitle">dnssec-keygen</span>(8).
 </p>
</div>
<div class="refsection">
<a name="id-1.11"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 5011</em>.
 </p>
</div>
</div></body>
</html>