1<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
2               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
3               [<!ENTITY mdash "&#8212;">]>
4<!--
5 - Copyright (C) 2013, 2014  Internet Systems Consortium, Inc. ("ISC")
6 -
7 - Permission to use, copy, modify, and/or distribute this software for any
8 - purpose with or without fee is hereby granted, provided that the above
9 - copyright notice and this permission notice appear in all copies.
10 -
11 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
12 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
13 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
14 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
15 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
16 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
17 - PERFORMANCE OF THIS SOFTWARE.
18-->
19
20<refentry id="man.dnssec-importkey">
21  <refentryinfo>
22    <date>February 20, 2014</date>
23  </refentryinfo>
24
25  <refmeta>
26    <refentrytitle><application>dnssec-importkey</application></refentrytitle>
27    <manvolnum>8</manvolnum>
28    <refmiscinfo>BIND9</refmiscinfo>
29  </refmeta>
30
31  <refnamediv>
32    <refname><application>dnssec-importkey</application></refname>
33    <refpurpose>Import DNSKEY records from external systems so they can be managed.</refpurpose>
34  </refnamediv>
35
36  <docinfo>
37    <copyright>
38      <year>2013</year>
39      <year>2014</year>
40      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
41    </copyright>
42  </docinfo>
43
44  <refsynopsisdiv>
45    <cmdsynopsis>
46      <command>dnssec-importkey</command>
47      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
48      <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
49      <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
50      <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
51      <arg><option>-h</option></arg>
52      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
53      <arg><option>-V</option></arg>
54      <arg choice="req"><option>keyfile</option></arg>
55    </cmdsynopsis>
56    <cmdsynopsis>
57      <command>dnssec-importkey</command>
58      <arg choice="req"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
59      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
60      <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
61      <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
62      <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
63      <arg><option>-h</option></arg>
64      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
65      <arg><option>-V</option></arg>
66      <arg><option>dnsname</option></arg>
67    </cmdsynopsis>
68  </refsynopsisdiv>
69
70  <refsect1>
71    <title>DESCRIPTION</title>
72    <para><command>dnssec-importkey</command>
73      reads a public DNSKEY record and generates a pair of
74      .key/.private files.  The DNSKEY record may be read from an
75      existing .key file, in which case a corresponding .private file
76      will be generated, or it may be read from any other file or
77      from the standard input, in which case both .key and .private
78      files will be generated.
79    </para>
80    <para>
81      The newly-created .private file does <emphasis>not</emphasis>
82      contain private key data, and cannot be used for signing.
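83      However, having a .private file makes it possible to set publication (<option>-P</option>)
84      and deletion (<option>-D</option>) times for the key, which means the public key can be added
85      to and removed from the DNSKEY RRset on schedule even if the true private key is stored offline.
86      Because an imported key can be published in the DNSKEY RRset this way, confirm that the
87      DNSKEY record comes from the intended key holder before importing it.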
88    </para>
89  </refsect1>
90
91  <refsect1>
92    <title>OPTIONS</title>
93
94    <variablelist>
95      <varlistentry>
96	<term>-f <replaceable class="parameter">filename</replaceable></term>
97        <listitem>
98          <para>
99            Zone file mode: instead of a public keyfile name, the argument
100            is the DNS domain name of a zone master file, which can be read
101            from <option>filename</option>.  If the domain name is the same as
102            <option>filename</option>, then it may be omitted.
103          </para>
104          <para>
105            If <option>filename</option> is set to <literal>"-"</literal>, then
106            the zone data is read from the standard input.
107          </para>
108        </listitem>
109      </varlistentry>
110
111      <varlistentry>
112        <term>-K <replaceable class="parameter">directory</replaceable></term>
113        <listitem>
114          <para>
115            Sets the directory in which the key files are to reside.
116          </para>
117        </listitem>
118      </varlistentry>
119
120      <varlistentry>
121        <term>-L <replaceable class="parameter">ttl</replaceable></term>
122        <listitem>
123          <para>
124            Sets the default TTL to use for this key when it is converted
125            into a DNSKEY RR.  If the key is imported into a zone,
126            this is the TTL that will be used for it, unless there was
127            already a DNSKEY RRset in place, in which case the existing TTL
128            would take precedence.  Setting the default TTL to
129            <literal>0</literal> or <literal>none</literal> removes it.
130          </para>
131        </listitem>
132      </varlistentry>
133
134      <varlistentry>
135	<term>-h</term>
136        <listitem>
137	  <para>
138	    Emit usage message and exit.
139	  </para>
140        </listitem>
141      </varlistentry>
142
143      <varlistentry>
144        <term>-v <replaceable class="parameter">level</replaceable></term>
145        <listitem>
146          <para>
147            Sets the debugging level.
148          </para>
149        </listitem>
150      </varlistentry>
151
152      <varlistentry>
153	<term>-V</term>
154        <listitem>
155	  <para>
156	    Prints version information.
157	  </para>
158        </listitem>
159      </varlistentry>
160
161    </variablelist>
162  </refsect1>
163
164  <refsect1>
165    <title>TIMING OPTIONS</title>
166    <para>
167      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
168      If the argument begins with a '+' or '-', it is interpreted as
169      an offset from the present time.  For convenience, if such an offset
170      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
171      then the offset is computed in years (defined as 365 24-hour days,
172      ignoring leap years), months (defined as 30 24-hour days), weeks,
173      days, hours, or minutes, respectively.  Without a suffix, the offset
174      is computed in seconds.  To explicitly prevent a date from being
175      set, use 'none' or 'never'.
176    </para>
177
178    <variablelist>
179      <varlistentry>
180        <term>-P <replaceable class="parameter">date/offset</replaceable></term>
181        <listitem>
182          <para>
183            Sets the date on which a key is to be published to the zone.
184            After that date, the key will be included in the zone but will
185            not be used to sign it.
186          </para>
187        </listitem>
188      </varlistentry>
189
190      <varlistentry>
191        <term>-D <replaceable class="parameter">date/offset</replaceable></term>
192        <listitem>
193          <para>
194            Sets the date on which the key is to be deleted.  After that
195            date, the key will no longer be included in the zone.  (It
196            may remain in the key repository, however.)
197          </para>
198        </listitem>
199      </varlistentry>
200
201    </variablelist>
202  </refsect1>
203
204  <refsect1>
205    <title>FILES</title>
206    <para>
207      A keyfile can be designated by the key identification
208      <filename>Knnnn.+aaa+iiiii</filename> or the full file name
209      <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
210      <citerefentry><refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
211    </para>
212  </refsect1>
213
214  <refsect1>
215    <title>SEE ALSO</title>
216    <para><citerefentry>
217        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
218      </citerefentry>,
219      <citerefentry>
220        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
221      </citerefentry>,
222      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
223      <citetitle>RFC 5011</citetitle>.
224    </para>
225  </refsect1>
226
227  <refsect1>
228    <title>AUTHOR</title>
229    <para><corpauthor>Internet Systems Consortium</corpauthor>
230    </para>
231  </refsect1>
232
233</refentry><!--
234 - Local variables:
235 - mode: sgml
236 - End:
237-->
238