Provided by: bind9_9.18.39-0ubuntu0.22.04.1_amd64

NAME

       dnssec-importkey - import DNSKEY records from external systems so they can be managed

SYNOPSIS

       dnssec-importkey [-K directory] [-L ttl] [-P date/offset] [-P sync date/offset] [-D date/offset] [-D sync
       date/offset] [-h] [-v level] [-V] {keyfile}

       dnssec-importkey  {-f  filename}  [-K  directory]  [-L  ttl]  [-P  date/offset] [-P sync date/offset] [-D
       date/offset] [-D sync date/offset] [-h] [-v level] [-V] [dnsname]

DESCRIPTION

       dnssec-importkey reads a public DNSKEY record and generates a pair of  .key/.private  files.  The  DNSKEY
       record  may be read from an existing .key file, in which case a corresponding .private file is generated,
       or it may be read from any other file or from the standard input, in which case both  .key  and  .private
       files are generated.

       The  newly  created  .private  file  does  not  contain private key data, and cannot be used for signing.
       However, having a .private file makes it possible to set publication (-P) and deletion (-D) times for the
       key, which means the public key can be added to and removed from the DNSKEY RRset on schedule even if the
       true private key is stored offline.

OPTIONS

       -f filename
              This option indicates the zone file mode. Instead of a public keyfile name, the  argument  is  the
              DNS  domain name of a zone master file, which can be read from filename. If the domain name is the
              same as filename, then it may be omitted.

              If filename is set to "-", then the zone data is read from the standard input.

       -K directory
              This option sets the directory in which the key files are to reside.

       -L ttl This option sets the default TTL to use for this key when it is converted into a DNSKEY  RR.  This
              is  the  TTL used when the key is imported into a zone, unless there was already a DNSKEY RRset in
              place, in which case the existing TTL takes precedence. Setting the  default  TTL  to  0  or  none
              removes it from the key.

       -h     This option emits a usage message and exits.

       -v level
              This option sets the debugging level.

       -V     This option prints version information.

TIMING OPTIONS

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS (which is the format used inside key
       files), or 'Day Mon DD HH:MM:SS YYYY' (as printed by dnssec-settime -p), or UNIX epoch time (as printed
       by dnssec-settime -up), or the literal now.

       The  argument can be followed by + or - and an offset from the given time. The literal now can be omitted
       before an offset. The offset can be followed by one of the suffixes y, mo, w, d, h, or mi, so that it  is
       computed  in  years  (defined  as  365  24-hour days, ignoring leap years), months (defined as 30 24-hour
       days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds.

       To explicitly prevent a date from being set, use none, never, or unset.

       All these formats are case-insensitive.

       -P date/offset
              This option sets the date on which a key is to be published to the zone. After that date, the  key
              is included in the zone but is not used to sign it.

              sync date/offset
                     This  option  sets  the date on which CDS and CDNSKEY records that match this key are to be
                     published to the zone.

       -D date/offset
              This option sets the date on which the key is to be deleted. After that date, the key is no longer
              included in the zone. (However, it may remain in the key repository.)

              sync date/offset
                     This option sets the date on which the CDS and CDNSKEY records that match this key  are  to
                     be deleted.
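
       The date/offset rules above, as an added example (not part of the manual page and not BIND's own
       code): a Python resolver that shows which instant a -P or -D argument denotes, so a schedule can be
       checked before it is written into a key's metadata. Assumptions of this example: times are UTC, and
       an all-digit value that is not 8 or 14 digits long is UNIX epoch seconds; the names resolve_time and
       parse_base are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per suffix as TIMING OPTIONS defines them: a year is 365 days,
# a month is 30 days, and no suffix means seconds.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, "": 1}
UNSET = {"none", "never", "unset"}
OFFSET = re.compile(r"([+-])(\d+)(y|mo|w|d|h|mi)?$", re.IGNORECASE)
UTC = timezone.utc  # assumption: all times are interpreted as UTC


def parse_base(text, now):
    """Parse the part of the argument that precedes any +/- offset."""
    if text.lower() == "now":
        return now
    if text.isascii() and text.isdigit():
        if len(text) == 8:
            return datetime.strptime(text, "%Y%m%d").replace(tzinfo=UTC)
        if len(text) == 14:
            return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=UTC)
        # assumption: any other all-digit value is UNIX epoch seconds
        return datetime.fromtimestamp(int(text), tz=UTC)
    # 'Day Mon DD HH:MM:SS YYYY'; strptime matches names case-insensitively
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y").replace(tzinfo=UTC)


def resolve_time(arg, now):
    """Return the datetime a -P/-D argument denotes, or None if it unsets the date.

    Raises ValueError for input that fits none of the documented forms.
    """
    text = arg.strip()
    if text.lower() in UNSET:
        return None
    delta = timedelta(0)
    match = OFFSET.search(text)
    if match:
        sign = -1 if match.group(1) == "-" else 1
        unit = (match.group(3) or "").lower()
        delta = timedelta(seconds=sign * int(match.group(2)) * UNIT_SECONDS[unit])
        # the literal "now" may be omitted before an offset
        text = text[:match.start()].strip() or "now"
    return parse_base(text, now) + delta


if __name__ == "__main__":
    now = datetime(2025, 8, 13, tzinfo=UTC)  # constructed reference time
    for arg in ("now+6mo", "20240101+1y", "-1w", "unset"):
        print(f"{arg:>12} -> {resolve_time(arg, now)}")
```

       Because months and years are fixed at 30 and 365 days, an offset such as +6mo or +1y does not land on
       the same calendar day, which matters when a deletion date has to line up with a rollover schedule.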

FILES

       A keyfile can be designated by the key identification Knnnn.+aaa+iiiii or the full file name
       Knnnn.+aaa+iiiii.key, as generated by dnssec-keygen.

SEE ALSO

       dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 5011.

AUTHOR

       Internet Systems Consortium

COPYRIGHT

       2025, Internet Systems Consortium

9.18.39-0ubuntu0.22.04.1-Ubuntu                    2025-08-13                                DNSSEC-IMPORTKEY(1)