- bookworm 1:9.18.28-1~deb12u2
- testing 1:9.20.3-1
- unstable 1:9.20.4-2
- experimental 1:9.21.3-1
DNSSEC-REVOKE(1) | BIND 9 | DNSSEC-REVOKE(1) |
NAME¶
dnssec-revoke - set the REVOKED bit on a DNSSEC key
SYNOPSIS¶
dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}
DESCRIPTION¶
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now-revoked key.
OPTIONS¶
- -h
- This option emits a usage message and exits.
- -K directory
- This option sets the directory in which the key files are to reside.
- -r
- This option indicates to remove the original keyset files after writing the new keyset files.
- -v level
- This option sets the debugging level.
- -V
- This option prints version information.
- -E engine
- This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or hardware service module (usually pkcs11).
- -f
- This option indicates a forced overwrite and causes dnssec-revoke to write the new key pair, even if a file already exists matching the algorithm and key ID of the revoked key.
- -R
- This option prints the key tag of the key with the REVOKE bit set, but does not revoke the key.
SEE ALSO¶
dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.
AUTHOR¶
Internet Systems Consortium
COPYRIGHT¶
2024, Internet Systems Consortium
2024-07-08 | 9.18.28-1~deb12u2-Debian |