dnssec-revoke − set the REVOKED bit on a DNSSEC key
dnssec−revoke [−hr] [−v level] [−V] [−K directory] [−E engine] [−f] [−R] {keyfile}
dnssec−revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now−revoked key.
−h |
This option emits a usage message and exits. |
−K directory
This option sets the directory in which the key files are to reside.
−r |
This option indicates to remove the original keyset files after writing the new keyset files. |
−v level
This option sets the debugging level.
−V |
This option prints version information. |
−E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL engine identifier that drives the cryptographic accelerator or hardware service module (usually pkcs11).
−f |
This option indicates a forced overwrite and causes dnssec−revoke to write the new key pair, even if a file already exists matching the algorithm and key ID of the revoked key. | ||
−R |
This option prints the key tag of the key with the REVOKE bit set, but does not revoke the key. |
dnssec−keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.
Internet Systems Consortium
2023, Internet Systems Consortium