NAME

       dnssec-revoke - set the REVOKED bit on a DNSSEC key

SYNOPSIS

       dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

DESCRIPTION

       dnssec-revoke  reads  a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC
       5011, and creates a new pair of key files containing the now-revoked key.

OPTIONS

       -h     This option emits a usage message and exits.

       -K directory
              This option sets the directory in which the key files are to reside.

       -r     This option indicates to remove the original keyset files  after  writing  the  new
              keyset files.

       -v level
              This option sets the debugging level.

       -V     This option prints version information.

       -E engine
              This option specifies the cryptographic hardware to use, when applicable.

              When  BIND  9  is  built  with  OpenSSL, this needs to be set to the OpenSSL engine
              identifier that drives the cryptographic accelerator  or  hardware  service  module
              (usually pkcs11).

       -f     This  option indicates a forced overwrite and causes dnssec-revoke to write the new
              key pair, even if a file already exists matching the algorithm and key  ID  of  the
              revoked key.

       -R     This  option  prints  the  key tag of the key with the REVOKE bit set, but does not
              revoke the key.

SEE ALSO

       dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

AUTHOR

       Internet Systems Consortium

COPYRIGHT

       2024, Internet Systems Consortium