<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
               [<!ENTITY mdash "—">]>
<!--
 - Copyright (C) 2013, 2014 Internet Systems Consortium, Inc. ("ISC")
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->

<refentry id="man.dnssec-importkey">
  <refentryinfo>
    <date>February 20, 2014</date>
  </refentryinfo>

  <refmeta>
    <refentrytitle><application>dnssec-importkey</application></refentrytitle>
    <manvolnum>8</manvolnum>
    <refmiscinfo>BIND9</refmiscinfo>
  </refmeta>

  <refnamediv>
    <refname><application>dnssec-importkey</application></refname>
    <refpurpose>Import DNSKEY records from external systems so they can be managed.</refpurpose>
  </refnamediv>

  <docinfo>
    <copyright>
      <year>2013</year>
      <year>2014</year>
      <holder>Internet Systems Consortium, Inc.
("ISC")</holder>
    </copyright>
  </docinfo>

  <refsynopsisdiv>
    <cmdsynopsis>
      <command>dnssec-importkey</command>
      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
      <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
      <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg><option>-h</option></arg>
      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
      <arg><option>-V</option></arg>
      <arg choice="req"><option>keyfile</option></arg>
    </cmdsynopsis>
    <cmdsynopsis>
      <command>dnssec-importkey</command>
      <arg choice="req"><option>-f <replaceable class="parameter">filename</replaceable></option></arg>
      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
      <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
      <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg><option>-h</option></arg>
      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
      <arg><option>-V</option></arg>
      <arg><option>dnsname</option></arg>
    </cmdsynopsis>
  </refsynopsisdiv>

  <refsect1>
    <title>DESCRIPTION</title>
    <para><command>dnssec-importkey</command>
      reads a public DNSKEY record and generates a pair of
      .key/.private files. The DNSKEY record may be read from an
      existing .key file, in which case a corresponding .private file
      will be generated, or it may be read from any other file or
      from the standard input, in which case both .key and .private
      files will be generated.
    </para>
    <para>
      The newly-created .private file does <emphasis>not</emphasis>
      contain private key data, and cannot be used for signing.
      However, having a .private file makes it possible to set
      publication (<option>-P</option>) and deletion
      (<option>-D</option>) times for the key, which means the
      public key can be added to and removed from the DNSKEY RRset
      on schedule even if the true private key is stored offline.
    </para>
  </refsect1>

  <refsect1>
    <title>OPTIONS</title>

    <variablelist>
      <varlistentry>
        <term>-f <replaceable class="parameter">filename</replaceable></term>
        <listitem>
          <para>
            Zone file mode: instead of a public keyfile name, the argument
            is the DNS domain name of a zone master file, which can be read
            from <option>filename</option>. If the domain name is the same as
            <option>filename</option>, then it may be omitted.
          </para>
          <para>
            If <option>filename</option> is set to <literal>"-"</literal>, then
            the zone data is read from the standard input.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-K <replaceable class="parameter">directory</replaceable></term>
        <listitem>
          <para>
            Sets the directory in which the key files are to reside.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-L <replaceable class="parameter">ttl</replaceable></term>
        <listitem>
          <para>
            Sets the default TTL to use for this key when it is converted
            into a DNSKEY RR. If the key is imported into a zone,
            this is the TTL that will be used for it, unless there was
            already a DNSKEY RRset in place, in which case the existing TTL
            would take precedence. Setting the default TTL to
            <literal>0</literal> or <literal>none</literal> removes it.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-h</term>
        <listitem>
          <para>
            Emit usage message and exit.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-v <replaceable class="parameter">level</replaceable></term>
        <listitem>
          <para>
            Sets the debugging level.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-V</term>
        <listitem>
          <para>
            Prints version information.
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>TIMING OPTIONS</title>
    <para>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time. For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively. Without a suffix, the offset
      is computed in seconds. To explicitly prevent a date from being
      set, use 'none' or 'never'.
    </para>

    <variablelist>
      <varlistentry>
        <term>-P <replaceable class="parameter">date/offset</replaceable></term>
        <listitem>
          <para>
            Sets the date on which a key is to be published to the zone.
            After that date, the key will be included in the zone but will
            not be used to sign it.
          </para>
        </listitem>
      </varlistentry>

      <varlistentry>
        <term>-D <replaceable class="parameter">date/offset</replaceable></term>
        <listitem>
          <para>
            Sets the date on which the key is to be deleted. After that
            date, the key will no longer be included in the zone. (It
            may remain in the key repository, however.)
          </para>
        </listitem>
      </varlistentry>

    </variablelist>
  </refsect1>

  <refsect1>
    <title>FILES</title>
    <para>
      A keyfile can be designated by the key identification
      <filename>Knnnn.+aaa+iiiii</filename> or the full file name
      <filename>Knnnn.+aaa+iiiii.key</filename> as generated by
      <citerefentry>
        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>.
    </para>
  </refsect1>

  <refsect1>
    <title>SEE ALSO</title>
    <para><citerefentry>
        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
      <citetitle>RFC 5011</citetitle>.
    </para>
  </refsect1>

  <refsect1>
    <title>AUTHOR</title>
    <para><corpauthor>Internet Systems Consortium</corpauthor>
    </para>
  </refsect1>

</refentry><!--
 - Local variables:
 - mode: sgml
 - End:
-->