DNSSEC-REVOKE(1) BIND 9 DNSSEC-REVOKE(1)
NAME
dnssec-revoke - set the REVOKED bit on a DNSSEC key
SYNOPSIS
dnssec-revoke [
-hr] [
-v level] [
-V] [
-K directory] [
-E engine] [
-f]
[
-R] {keyfile}
DESCRIPTION
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the
key as defined in
RFC 5011, and creates a new pair of key files
containing the now-revoked key.
OPTIONS
-h This option emits a usage message and exits.
-K directory This option sets the directory in which the key files are to
reside.
-r This option indicates to remove the original keyset files
after writing the new keyset files.
-v level This option sets the debugging level.
-V This option prints version information.
-E engine This option specifies the cryptographic hardware to use, when
applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the
OpenSSL engine identifier that drives the cryptographic
accelerator or hardware service module (usually
pkcs11).
-f This option indicates a forced overwrite and causes
dnssec-revoke to write the new key pair, even if a file
already exists matching the algorithm and key ID of the
revoked key.
-R This option prints the key tag of the key with the REVOKE bit
set, but does not revoke the key.
SEE ALSO
dnssec-keygen(8), BIND 9 Administrator Reference Manual,
RFC 5011.
AUTHOR
Internet Systems Consortium
COPYRIGHT
2025, Internet Systems Consortium
9.18.34 2025-02-11 DNSSEC-REVOKE(1)
