.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
..
.. SPDX-License-Identifier: MPL-2.0
..
.. This Source Code Form is subject to the terms of the Mozilla Public
.. License, v. 2.0.  If a copy of the MPL was not distributed with this
.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
..
.. See the COPYRIGHT file distributed with this work for additional
.. information regarding copyright ownership.

.. highlight: console

.. iscman:: dnssec-revoke
.. program:: dnssec-revoke
.. _man_dnssec-revoke:

dnssec-revoke - set the REVOKED bit on a DNSSEC key
---------------------------------------------------

Synopsis
~~~~~~~~

:program:`dnssec-revoke` [**-hr**] [**-v** level] [**-V**] [**-K** directory] [**-E** engine] [**-f**] [**-R**] {keyfile}

Description
~~~~~~~~~~~

:program:`dnssec-revoke` reads a DNSSEC key file, sets the REVOKED bit on the
key as defined in :rfc:`5011`, and creates a new pair of key files
containing the now-revoked key.

Options
~~~~~~~

.. option:: -h

   This option emits a usage message and exits.

.. option:: -K directory

   This option sets the directory in which the key files are to reside.

.. option:: -r

   This option removes the original keyset files after the new keyset files are written.

.. option:: -v level

   This option sets the debugging level.

.. option:: -V

   This option prints version information.

.. option:: -E engine

   This option specifies the cryptographic hardware to use, when applicable.

   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
   engine identifier that drives the cryptographic accelerator or
   hardware service module (usually ``pkcs11``).

.. option:: -f

   This option indicates a forced overwrite and causes :program:`dnssec-revoke` to write the new key pair,
   even if a file already exists matching the algorithm and key ID of
   the revoked key.

.. option:: -R

   This option prints the key tag that the key would have with the REVOKE bit set, but does not
   revoke the key.
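
The following is an added example, not part of the BIND 9 distribution, showing why the revoked key has a different key tag, which is the value ``-R`` reports: the REVOKE flag (``0x0080``, :rfc:`5011`) is part of the DNSKEY RDATA over which the :rfc:`4034` Appendix B key tag is computed. The helper names are hypothetical and the sample record is constructed, not a real key.

```python
import base64
import struct

REVOKE = 0x0080  # RFC 5011 REVOKE flag in the DNSKEY flags field


def parse_dnskey(line):
    """Parse '<owner> [ttl] [class] DNSKEY <flags> <proto> <alg> <base64...>'."""
    fields = line.split(";", 1)[0].split()  # drop any trailing ';' comment
    i = fields.index("DNSKEY")
    flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
    key = base64.b64decode("".join(fields[i + 4:]))
    return flags, proto, alg, key


def key_tag(flags, proto, alg, key):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    if alg == 1:
        raise ValueError("algorithm 1 (RSAMD5) uses a different key tag rule")
    rdata = struct.pack("!HBB", flags, proto, alg) + key
    # Even-offset bytes are the high octet of each 16-bit word, odd the low.
    acc = sum(b if i & 1 else b << 8 for i, b in enumerate(rdata))
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def revoke_preview(line):
    """Return (old_flags, old_tag, new_flags, new_tag); no file is modified."""
    flags, proto, alg, key = parse_dnskey(line)
    new_flags = flags | REVOKE
    return (flags, key_tag(flags, proto, alg, key),
            new_flags, key_tag(new_flags, proto, alg, key))


# Constructed sample: a KSK-style record (flags 257, algorithm 13) whose
# 64-byte "public key" is simply the bytes 0..63, not a real key.
SAMPLE = ("example. 3600 IN DNSKEY 257 3 13 "
          + base64.b64encode(bytes(range(64))).decode())

if __name__ == "__main__":
    old_flags, old_tag, new_flags, new_tag = revoke_preview(SAMPLE)
    print(f"flags {old_flags} -> {new_flags}, key tag {old_tag} -> {new_tag}")
```

Resolvers and monitoring that identify a trust anchor by key tag need the new tag, since the revoked DNSKEY is published and signed under it.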

See Also
~~~~~~~~

:iscman:`dnssec-keygen(8) <dnssec-keygen>`, BIND 9 Administrator Reference Manual, :rfc:`5011`.