1<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" 2 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" 3 [<!ENTITY mdash "—">]> 4<!-- 5 - Copyright (C) 2009, 2011, 2014 Internet Systems Consortium, Inc. ("ISC") 6 - 7 - Permission to use, copy, modify, and/or distribute this software for any 8 - purpose with or without fee is hereby granted, provided that the above 9 - copyright notice and this permission notice appear in all copies. 10 - 11 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 12 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 13 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 14 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 15 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 16 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 17 - PERFORMANCE OF THIS SOFTWARE. 18--> 19 20<refentry id="man.dnssec-revoke"> 21 <refentryinfo> 22 <date>January 15, 2014</date> 23 </refentryinfo> 24 25 <refmeta> 26 <refentrytitle><application>dnssec-revoke</application></refentrytitle> 27 <manvolnum>8</manvolnum> 28 <refmiscinfo>BIND9</refmiscinfo> 29 </refmeta> 30 31 <refnamediv> 32 <refname><application>dnssec-revoke</application></refname> 33 <refpurpose>Set the REVOKED bit on a DNSSEC key</refpurpose> 34 </refnamediv> 35 36 <docinfo> 37 <copyright> 38 <year>2009</year> 39 <year>2011</year> 40 <year>2014</year> 41 <holder>Internet Systems Consortium, Inc. ("ISC")</holder> 42 </copyright> 43 </docinfo> 44 45 <refsynopsisdiv> 46 <cmdsynopsis> 47 <command>dnssec-revoke</command> 48 <arg><option>-hr</option></arg> 49 <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg> 50 <arg><option>-V</option></arg> 51 <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg> 52 <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg> 53 <arg><option>-f</option></arg> 54 <arg><option>-R</option></arg> 55 <arg choice="req">keyfile</arg> 56 </cmdsynopsis> 57 </refsynopsisdiv> 58 59 <refsect1> 60 <title>DESCRIPTION</title> 61 <para><command>dnssec-revoke</command> 62 reads a DNSSEC key file, sets the REVOKED bit on the key as defined 63 in RFC 5011, and creates a new pair of key files containing the 64 now-revoked key. 65 </para> 66 </refsect1> 67 68 <refsect1> 69 <title>OPTIONS</title> 70 71 <variablelist> 72 <varlistentry> 73 <term>-h</term> 74 <listitem> 75 <para> 76 Emit usage message and exit. 77 </para> 78 </listitem> 79 </varlistentry> 80 81 <varlistentry> 82 <term>-K <replaceable class="parameter">directory</replaceable></term> 83 <listitem> 84 <para> 85 Sets the directory in which the key files are to reside. 86 </para> 87 </listitem> 88 </varlistentry> 89 90 <varlistentry> 91 <term>-r</term> 92 <listitem> 93 <para> 94 After writing the new keyset files remove the original keyset 95 files. 96 </para> 97 </listitem> 98 </varlistentry> 99 100 <varlistentry> 101 <term>-v <replaceable class="parameter">level</replaceable></term> 102 <listitem> 103 <para> 104 Sets the debugging level. 105 </para> 106 </listitem> 107 </varlistentry> 108 109 <varlistentry> 110 <term>-V</term> 111 <listitem> 112 <para> 113 Prints version information. 114 </para> 115 </listitem> 116 </varlistentry> 117 118 <varlistentry> 119 <term>-E <replaceable class="parameter">engine</replaceable></term> 120 <listitem> 121 <para> 122 Specifies the cryptographic hardware to use, when applicable. 123 </para> 124 <para> 125 When BIND is built with OpenSSL PKCS#11 support, this defaults 126 to the string "pkcs11", which identifies an OpenSSL engine 127 that can drive a cryptographic accelerator or hardware service 128 module. When BIND is built with native PKCS#11 cryptography 129 (--enable-native-pkcs11), it defaults to the path of the PKCS#11 130 provider library specified via "--with-pkcs11". 131 </para> 132 </listitem> 133 </varlistentry> 134 135 <varlistentry> 136 <term>-f</term> 137 <listitem> 138 <para> 139 Force overwrite: Causes <command>dnssec-revoke</command> to 140 write the new key pair even if a file already exists matching 141 the algorithm and key ID of the revoked key. 142 </para> 143 </listitem> 144 </varlistentry> 145 146 <varlistentry> 147 <term>-R</term> 148 <listitem> 149 <para> 150 Print the key tag of the key with the REVOKE bit set but do 151 not revoke the key. 152 </para> 153 </listitem> 154 </varlistentry> 155 </variablelist> 156 </refsect1> 157 158 <refsect1> 159 <title>SEE ALSO</title> 160 <para><citerefentry> 161 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum> 162 </citerefentry>, 163 <citetitle>BIND 9 Administrator Reference Manual</citetitle>, 164 <citetitle>RFC 5011</citetitle>. 165 </para> 166 </refsect1> 167 168 <refsect1> 169 <title>AUTHOR</title> 170 <para><corpauthor>Internet Systems Consortium</corpauthor> 171 </para> 172 </refsect1> 173 174</refentry><!-- 175 - Local variables: 176 - mode: sgml 177 - End: 178--> 179