..
   Copyright (C) Internet Systems Consortium, Inc. ("ISC")

   This Source Code Form is subject to the terms of the Mozilla Public
   License, v. 2.0. If a copy of the MPL was not distributed with this
   file, you can obtain one at https://mozilla.org/MPL/2.0/.

   See the COPYRIGHT file distributed with this work for additional
   information regarding copyright ownership.

.. highlight:: console

.. _man_dnssec-importkey:

dnssec-importkey - import DNSKEY records from external systems so they can be managed
-------------------------------------------------------------------------------------

Synopsis
~~~~~~~~

:program:`dnssec-importkey` [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] {keyfile}

:program:`dnssec-importkey` {**-f** filename} [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** sync date/offset] [**-D** date/offset] [**-D** sync date/offset] [**-h**] [**-v** level] [**-V**] [dnsname]

Description
~~~~~~~~~~~

``dnssec-importkey`` reads a public DNSKEY record and generates a pair
of .key/.private files. The DNSKEY record may be read from an
existing .key file, in which case a corresponding .private file is
generated, or it may be read from any other file or from the standard
input, in which case both .key and .private files are generated.

The newly created .private file does *not* contain private key data, and
cannot be used for signing.
However, having a .private file makes it
possible to set publication (``-P``) and deletion (``-D``) times for the
key, which means the public key can be added to and removed from the
DNSKEY RRset on schedule even if the true private key is stored offline.

Options
~~~~~~~

``-f filename``
   This option indicates the zone file mode. Instead of a public keyfile name, the argument is the
   DNS domain name of a zone master file, which can be read from
   ``filename``. If the domain name is the same as ``filename``, then it may be
   omitted.

   If ``filename`` is set to ``"-"``, then the zone data is read from the
   standard input.

``-K directory``
   This option sets the directory in which the key files are to reside.

``-L ttl``
   This option sets the default TTL to use for this key when it is converted into a
   DNSKEY RR. This is the TTL used when the key is imported into a zone,
   unless there was already a DNSKEY RRset in
   place, in which case the existing TTL takes precedence. Setting the default TTL to ``0`` or ``none``
   removes it from the key.

``-h``
   This option emits a usage message and exits.

``-v level``
   This option sets the debugging level.

``-V``
   This option prints version information.

Timing Options
~~~~~~~~~~~~~~

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
argument begins with a ``+`` or ``-``, it is interpreted as an offset from
the present time. For convenience, if such an offset is followed by one
of the suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, then the offset is
computed in years (defined as 365 24-hour days, ignoring leap years),
months (defined as 30 24-hour days), weeks, days, hours, or minutes,
respectively. Without a suffix, the offset is computed in seconds. To
explicitly prevent a date from being set, use ``none`` or ``never``.

``-P date/offset``
   This option sets the date on which a key is to be published to the zone. After
   that date, the key is included in the zone but is not used
   to sign it.

``-P sync date/offset``
   This option sets the date on which CDS and CDNSKEY records that match this key
   are to be published to the zone.

``-D date/offset``
   This option sets the date on which the key is to be deleted. After that date, the
   key is no longer included in the zone. (However, it may remain in the key
   repository.)

``-D sync date/offset``
   This option sets the date on which the CDS and CDNSKEY records that match this
   key are to be deleted.

Files
~~~~~

A keyfile can be designated by the key identification ``Knnnn.+aaa+iiiii``
or the full file name ``Knnnn.+aaa+iiiii.key``, as generated by
``dnssec-keygen``.

See Also
~~~~~~~~

:manpage:`dnssec-keygen(8)`, :manpage:`dnssec-signzone(8)`, BIND 9 Administrator Reference Manual,
:rfc:`5011`.