1DNSSEC-IMPORTKEY(1) BIND 9 DNSSEC-IMPORTKEY(1)
2
6 dnssec-importkey - import DNSKEY records from external systems so they
7 can be managed
8
10 dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-P sync
11 date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level]
12 [-V] {keyfile}
13 dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset]
15 [-P sync date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v
16 level] [-V] [dnsname]
17
19 dnssec-importkey reads a public DNSKEY record and generates a pair of
20 .key/.private files. The DNSKEY record may be read from an existing
21 .key file, in which case a corresponding .private file is generated, or
22 it may be read from any other file or from the standard input, in which
23 case both .key and .private files are generated.
24 The newly created .private file does not contain private key data, and
26 cannot be used for signing. However, having a .private file makes it
27 possible to set publication (-P) and deletion (-D) times for the key,
28 which means the public key can be added to and removed from the DNSKEY
29 RRset on schedule even if the true private key is stored offline.
30
32 -f filename
33 This option indicates the zone file mode. Instead of a public
34 keyfile name, the argument is the DNS domain name of a zone mas‐
35 ter file, which can be read from filename. If the domain name is
36 the same as filename, then it may be omitted.
37 If filename is set to "-", then the zone data is read from the
39 standard input.
40 -K directory
42 This option sets the directory in which the key files are to re‐
43 side.
44 -L ttl This option sets the default TTL to use for this key when it is
46 converted into a DNSKEY RR. This is the TTL used when the key is
47 imported into a zone, unless there was already a DNSKEY RRset in
48 place, in which case the existing TTL takes precedence. Setting
49 the default TTL to 0 or none removes it from the key.
50 -h This option emits a usage message and exits.
52 -v level
54 This option sets the debugging level.
55 -V This option prints version information.
57
59 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
60 (which is the format used inside key files), or 'Day Mon DD HH:MM:SS
61 YYYY' (as printed by dnssec-settime -p), or UNIX epoch time (as printed
62 by dnssec-settime -up), or the literal now.
63 The argument can be followed by + or - and an offset from the given
65 time. The literal now can be omitted before an offset. The offset can
66 be followed by one of the suffixes y, mo, w, d, h, or mi, so that it is
67 computed in years (defined as 365 24-hour days, ignoring leap years),
68 months (defined as 30 24-hour days), weeks, days, hours, or minutes,
69 respectively. Without a suffix, the offset is computed in seconds.
70 To explicitly prevent a date from being set, use none, never, or unset.
72 All these formats are case-insensitive.
74 -P date/offset
76 This option sets the date on which a key is to be published to
77 the zone. After that date, the key is included in the zone but
78 is not used to sign it.
79 sync date/offset
81 This option sets the date on which CDS and CDNSKEY
82 records that match this key are to be published to the
83 zone.
84 -D date/offset
86 This option sets the date on which the key is to be deleted. Af‐
87 ter that date, the key is no longer included in the zone. (How‐
88 ever, it may remain in the key repository.)
89 sync date/offset
91 This option sets the date on which the CDS and CDNSKEY
92 records that match this key are to be deleted.
93
95 A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or
96 the full file name Knnnn.+aaa+iiiii.key, as generated by dnssec-keygen.
97
99 dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference
100 Manual, RFC 5011.
101
103 Internet Systems Consortium
104
106 2023, Internet Systems Consortium
1079.18.20 DNSSEC-IMPORTKEY(1)