2 - Copyright (C) 2013-2015 Internet Systems Consortium, Inc. ("ISC")
4 - Permission to use, copy, modify, and/or distribute this software for any
5 - purpose with or without fee is hereby granted, provided that the above
6 - copyright notice and this permission notice appear in all copies.
8 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
10 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
11 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
12 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
13 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
14 - PERFORMANCE OF THIS SOFTWARE.
17 <!-- Converted by db4-upgrade version 1.0 -->
18 <refentry xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="man.dnssec-importkey">
20 <date>2014-02-07</date>
23 <corpname>ISC</corpname>
24 <corpauthor>Internet Systems Consortium, Inc.</corpauthor>
28 <refentrytitle><application>dnssec-importkey</application></refentrytitle>
29 <manvolnum>8</manvolnum>
30 <refmiscinfo>BIND9</refmiscinfo>
34 <refname><application>dnssec-importkey</application></refname>
35 <refpurpose>Import DNSKEY records from external systems so they can be managed.</refpurpose>
43 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
48 <cmdsynopsis sepchar=" ">
49 <command>dnssec-importkey</command>
50 <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
51 <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
52 <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
53 <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
54 <arg choice="opt" rep="norepeat"><option>-h</option></arg>
55 <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
56 <arg choice="opt" rep="norepeat"><option>-V</option></arg>
57 <arg choice="req" rep="norepeat"><option>keyfile</option></arg>
59 <cmdsynopsis sepchar=" ">
60 <command>dnssec-importkey</command>
61 <arg choice="req" rep="norepeat"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
62 <arg choice="opt" rep="norepeat"><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
63 <arg choice="opt" rep="norepeat"><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
64 <arg choice="opt" rep="norepeat"><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
65 <arg choice="opt" rep="norepeat"><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
66 <arg choice="opt" rep="norepeat"><option>-h</option></arg>
67 <arg choice="opt" rep="norepeat"><option>-v <replaceable class="parameter">level</replaceable></option></arg>
68 <arg choice="opt" rep="norepeat"><option>-V</option></arg>
69 <arg choice="opt" rep="norepeat"><option>dnsname</option></arg>
73 <refsection><info><title>DESCRIPTION</title></info>
75 <para><command>dnssec-importkey</command>
76 reads a public DNSKEY record and generates a pair of
77 .key/.private files. The DNSKEY record may be read from an
78 existing .key file, in which case a corresponding .private file
79 will be generated, or it may be read from any other file or
80 from the standard input, in which case both .key and .private
81 files will be generated.
84 The newly-created .private file does <emphasis>not</emphasis>
85 contain private key data, and cannot be used for signing.
86 However, having a .private file makes it possible to set
87 publication (<option>-P</option>) and deletion
88 (<option>-D</option>) times for the key, which means the
89 public key can be added to and removed from the DNSKEY RRset
90 on schedule even if the true private key is stored offline.
94 <refsection><info><title>OPTIONS</title></info>
99 <term>-f <replaceable class="parameter">filename</replaceable></term>
102 Zone file mode: instead of a public keyfile name, the argument
103 is the DNS domain name of a zone master file, which can be read
104 from <option>file</option>. If the domain name is the same as
105 <option>file</option>, then it may be omitted.
108 If <option>file</option> is set to <literal>"-"</literal>, then
109 the zone data is read from the standard input.
115 <term>-K <replaceable class="parameter">directory</replaceable></term>
118 Sets the directory in which the key files are to reside.
124 <term>-L <replaceable class="parameter">ttl</replaceable></term>
127 Sets the default TTL to use for this key when it is converted
128 into a DNSKEY RR. If the key is imported into a zone,
129 this is the TTL that will be used for it, unless there was
130 already a DNSKEY RRset in place, in which case the existing TTL
131 would take precedence. Setting the default TTL to
132 <literal>0</literal> or <literal>none</literal> removes it.
141 Emit usage message and exit.
147 <term>-v <replaceable class="parameter">level</replaceable></term>
150 Sets the debugging level.
159 Prints version information.
167 <refsection><info><title>TIMING OPTIONS</title></info>
170 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
171 If the argument begins with a '+' or '-', it is interpreted as
172 an offset from the present time. For convenience, if such an offset
173 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
174 then the offset is computed in years (defined as 365 24-hour days,
175 ignoring leap years), months (defined as 30 24-hour days), weeks,
176 days, hours, or minutes, respectively. Without a suffix, the offset
177 is computed in seconds. To explicitly prevent a date from being
178 set, use 'none' or 'never'.
183 <term>-P <replaceable class="parameter">date/offset</replaceable></term>
186 Sets the date on which a key is to be published to the zone.
187 After that date, the key will be included in the zone but will
188 not be used to sign it.
194 <term>-D <replaceable class="parameter">date/offset</replaceable></term>
197 Sets the date on which the key is to be deleted. After that
198 date, the key will no longer be included in the zone. (It
199 may remain in the key repository, however.)
207 <refsection><info><title>FILES</title></info>
210 A keyfile can be designed by the key identification
211 <filename>Knnnn.+aaa+iiiii</filename> or the full file name
212 <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
213 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>.
217 <refsection><info><title>SEE ALSO</title></info>
220 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
223 <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
225 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
226 <citetitle>RFC 5011</citetitle>.