Provided by: bind9_9.16.15-1ubuntu3_amd64 bug

NAME

       dnssec-importkey - import DNSKEY records from external systems so they can be managed

SYNOPSIS

       dnssec-importkey  [-K  directory]  [-L  ttl]  [-P  date/offset]  [-P sync date/offset] [-D
       date/offset] [-D sync date/offset] [-h] [-v level] [-V] {keyfile}

       dnssec-importkey  {-f  filename}  [-K  directory]  [-L  ttl]  [-P  date/offset]  [-P  sync
       date/offset] [-D date/offset] [-D sync date/offset] [-h] [-v level] [-V] [dnsname]

DESCRIPTION

       dnssec-importkey reads a public DNSKEY record and generates a pair of .key/.private files.
       The DNSKEY record may be read from an existing .key file, in which  case  a  corresponding
       .private  file  is  generated,  or it may be read from any other file or from the standard
       input, in which case both .key and .private files are generated.

       The newly created .private file does not contain private key data, and cannot be used  for
       signing.  However,  having  a  .private file makes it possible to set publication (-P) and
       deletion (-D) times for the key, which means the public key can be added  to  and  removed
       from the DNSKEY RRset on schedule even if the true private key is stored offline.

OPTIONS

       -f filename
              This  option  indicates  the  zone file mode. Instead of a public keyfile name, the
              argument is the DNS domain name of a zone master  file,  which  can  be  read  from
              filename. If the domain name is the same as filename, then it may be omitted.

              If filename is set to "-", then the zone data is read from the standard input.

       -K directory
              This option sets the directory in which the key files are to reside.

       -L ttl This  option  sets  the default TTL to use for this key when it is converted into a
              DNSKEY RR. This is the TTL used when the key is imported into a zone, unless  there
              was  already  a  DNSKEY  RRset  in  place,  in  which  case  the existing TTL takes
              precedence. Setting the default TTL to 0 or none removes it from the key.

       -h     This option emits a usage message and exits.

       -v level
              This option sets the debugging level.

       -V     This option prints version information.

TIMING OPTIONS

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If  the  argument  begins
       with  a  + or -, it is interpreted as an offset from the present time. For convenience, if
       such an offset is followed by one of the suffixes y, mo, w, d, h, or mi, then  the  offset
       is  computed  in years (defined as 365 24-hour days, ignoring leap years), months (defined
       as 30 24-hour days), weeks, days, hours, or minutes, respectively. Without a  suffix,  the
       offset  is  computed  in seconds. To explicitly prevent a date from being set, use none or
       never.

       -P date/offset
              This option sets the date on which a key is to be published to the zone. After that
              date, the key is included in the zone but is not used to sign it.

       -P sync date/offset
              This  option sets the date on which CDS and CDNSKEY records that match this key are
              to be published to the zone.

       -D date/offset
              This option sets the date on which the key is to be deleted. After that  date,  the
              key  is  no  longer  included  in  the  zone.  (However,  it  may remain in the key
              repository.)

       -D sync date/offset
              This option sets the date on which the CDS and CDNSKEY records that match this  key
              are to be deleted.

FILES

       A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or the full file name
       Knnnn.+aaa+iiiii.key, as generated by dnssec-keygen.

SEE ALSO

       dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 5011.

AUTHOR

       Internet Systems Consortium

COPYRIGHT

       2021, Internet Systems Consortium