dnssec-importkey.html revision a7051299c60cbaac13d62d35038460507459e140
<!--
 - Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-importkey</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-importkey"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-importkey</span> &#8212; Import DNSKEY records from external systems so they can be managed.</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {<code class="option">keyfile</code>}</p></div>
<div class="cmdsynopsis"><p><code class="command">dnssec-importkey</code> {<code class="option">-f <em class="replaceable"><code>filename</code></em></code>} [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">dnsname</code>]</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543458"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-importkey</strong></span>
 reads a public DNSKEY record and generates a pair of
 .key/.private files. The DNSKEY record may be read from an
 existing .key file, in which case a corresponding .private file
 will be generated, or it may be read from any other file or
 from the standard input, in which case both .key and .private
 files will be generated.
 </p>
<p>
 The newly-created .private file does <span class="emphasis"><em>not</em></span>
 contain private key data, and cannot be used for signing.
 However, having a .private file makes it possible to set
 publication (<code class="option">-P</code>) and deletion
 (<code class="option">-D</code>) times for the key, which means the
 public key can be added to and removed from the DNSKEY RRset
 on schedule even if the true private key is stored offline.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543483"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f <em class="replaceable"><code>filename</code></em></span></dt>
<dd>
<p>
 Zone file mode: instead of a public keyfile name, the argument
 is the DNS domain name of a zone master file, which can be read
 from <code class="option">filename</code>. If the domain name is the same as
 <code class="option">filename</code>, then it may be omitted.
 </p>
<p>
 If <code class="option">filename</code> is set to <code class="literal">"-"</code>, then
 the zone data is read from the standard input.
 </p>
</dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to reside.
 </p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
 </p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Emit usage message and exit.
 </p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
 </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543601"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To explicitly prevent a date from being
 set, use 'none' or 'never'.
 </p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it.
 </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
 </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543648"></a><h2>FILES</h2>
<p>
 A keyfile can be designated by the key identification
 <code class="filename">Knnnn.+aaa+iiiii</code> or the full file name
 <code class="filename">Knnnn.+aaa+iiiii.key</code> as generated by
 <span class="refentrytitle">dnssec-keygen</span>(8).
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543669"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
 <em class="citetitle">RFC 5011</em>.
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543702"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
 </p>
</div>
</div></body>
</html>