Provided by: bind9_9.10.3.dfsg.P4-5_i386 bug

NAME

       dnssec-importkey - Import DNSKEY records from external systems so they
       can be managed.

SYNOPSIS

       dnssec-importkey [-K directory] [-L ttl] [-P date/offset]
                        [-D date/offset] [-h] [-v level] [-V] {keyfile}

       dnssec-importkey {-f filename} [-K directory] [-L ttl] [-P date/offset]
                        [-D date/offset] [-h] [-v level] [-V] [dnsname]

DESCRIPTION

       dnssec-importkey reads a public DNSKEY record and generates a pair of
       .key/.private files. The DNSKEY record may be read from an existing
       .key file, in which case a corresponding .private file will be
       generated, or it may be read from any other file or from the standard
       input, in which case both .key and .private files will be generated.

       The newly-created .private file does not contain private key data, and
       cannot be used for signing. However, having a .private file makes it
       possible to set publication (-P) and deletion (-D) times for the key,
       which means the public key can be added to and removed from the DNSKEY
       RRset on schedule even if the true private key is stored offline.

OPTIONS

       -f filename
           Zone file mode: instead of a public keyfile name, the argument is
           the DNS domain name of a zone master file, which can be read from
           file. If the domain name is the same as file, then it may be
           omitted.

           If file is set to "-", then the zone data is read from the standard
           input.

       -K directory
           Sets the directory in which the key files are to reside.

       -L ttl
           Sets the default TTL to use for this key when it is converted into
           a DNSKEY RR. If the key is imported into a zone, this is the TTL
           that will be used for it, unless there was already a DNSKEY RRset
           in place, in which case the existing TTL would take precedence.
           Setting the default TTL to 0 or none removes it.

       -h
           Emit usage message and exit.

       -v level
           Sets the debugging level.

       -V
           Prints version information.

TIMING OPTIONS

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
       argument begins with a '+' or '-', it is interpreted as an offset from
       the present time. For convenience, if such an offset is followed by one
       of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is
       computed in years (defined as 365 24-hour days, ignoring leap years),
       months (defined as 30 24-hour days), weeks, days, hours, or minutes,
       respectively. Without a suffix, the offset is computed in seconds. To
       explicitly prevent a date from being set, use 'none' or 'never'.

       -P date/offset
           Sets the date on which a key is to be published to the zone. After
           that date, the key will be included in the zone but will not be
           used to sign it.

       -D date/offset
           Sets the date on which the key is to be deleted. After that date,
           the key will no longer be included in the zone. (It may remain in
           the key repository, however.)

FILES

       A keyfile can be designed by the key identification Knnnn.+aaa+iiiii or
       the full file name Knnnn.+aaa+iiiii.key as generated by
       dnssec-keygen(8).

SEE ALSO

       dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference
       Manual, RFC 5011.

AUTHOR

       Internet Systems Consortium

COPYRIGHT

       Copyright © 2013, 2014 Internet Systems Consortium, Inc. ("ISC")