1DNSSEC-REVOKE(8) BIND 9 DNSSEC-REVOKE(8)
2
6 dnssec-revoke - set the REVOKED bit on a DNSSEC key
7
9 dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f]
10 [-R] {keyfile}
11
13 dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key
14 as defined in RFC 5011, and creates a new pair of key files containing
15 the now-revoked key.
16
18 -h This option emits a usage message and exits.
19 -K directory
21 This option sets the directory in which the key files are to re‐
22 side.
23 -r This option indicates to remove the original keyset files after
25 writing the new keyset files.
26 -v level
28 This option sets the debugging level.
29 -V This option prints version information.
31 -E engine
33 This option specifies the cryptographic hardware to use, when
34 applicable.
35 When BIND 9 is built with OpenSSL, this needs to be set to the
37 OpenSSL engine identifier that drives the cryptographic acceler‐
38 ator or hardware service module (usually pkcs11). When BIND is
39 built with native PKCS#11 cryptography (--enable-native-pkcs11),
40 it defaults to the path of the PKCS#11 provider library speci‐
41 fied via --with-pkcs11.
42 -f This option indicates a forced overwrite and causes dnssec-re‐
44 voke to write the new key pair, even if a file already exists
45 matching the algorithm and key ID of the revoked key.
46 -R This option prints the key tag of the key with the REVOKE bit
48 set, but does not revoke the key.
49
51 dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.
52
54 Internet Systems Consortium
55
57 2021, Internet Systems Consortium
589.16.23-RH DNSSEC-REVOKE(8)