dnssec-revoke command
Purpose
Sets the revoked bit on a DNSSEC key.
Syntax
dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}
Description
The dnssec-revoke command reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files that contains the now-revoked key.
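Setting the REVOKE bit changes the key's key tag (the RFC 4034 Appendix B checksum is computed over the whole DNSKEY RDATA, flags included), which is why a new pair of key files is written rather than the existing pair being edited in place, and why the -R flag reports a different tag than the one in the original file name. The following Python example, added here and not part of BIND or this page, reproduces that behaviour on a constructed key file: it parses a BIND-style .key file, computes the tag before and after revocation, and derives the file name BIND uses for the revoked key. The owner name, algorithm number and the 64-byte "public key" are made-up sample data, not a real key.

```python
import base64
import re

# DNSKEY flag bits (RFC 4034 section 2.1 and RFC 5011 section 2.1)
ZONE_KEY = 0x0100
SEP = 0x0001
REVOKE = 0x0080


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Wire-format DNSKEY RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: a 16-bit checksum over the RDATA.
    The flags field is part of the input, so flipping REVOKE changes the tag."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DNSKEY_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+"
    r"(?P<flags>\d+)\s+(?P<proto>\d+)\s+(?P<alg>\d+)\s+(?P<key>.+)$"
)


def parse_key_file(text):
    """Parse a BIND-style .key file (';' comment lines, then one DNSKEY RR).
    Returns (owner, flags, protocol, algorithm, pubkey_bytes)."""
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        m = DNSKEY_LINE.match(line.strip())
        if not m:
            raise ValueError(f"not a DNSKEY record: {line!r}")
        pubkey = base64.b64decode("".join(m["key"].split()))
        return m["name"], int(m["flags"]), int(m["proto"]), int(m["alg"]), pubkey
    raise ValueError("no DNSKEY record found")


def key_file_name(owner, algorithm, tag):
    """BIND key file naming: K<owner>+<alg, 3 digits>+<tag, 5 digits>.key"""
    return f"K{owner}+{algorithm:03d}+{tag:05d}.key"


def revoke_key(text):
    """Set REVOKE on the key in `text`.
    Returns (old_tag, new_tag, new_key_file_name, new_dnskey_record)."""
    owner, flags, proto, alg, pubkey = parse_key_file(text)
    old_tag = key_tag(dnskey_rdata(flags, proto, alg, pubkey))
    new_flags = flags | REVOKE
    new_tag = key_tag(dnskey_rdata(new_flags, proto, alg, pubkey))
    record = (f"{owner} IN DNSKEY {new_flags} {proto} {alg} "
              f"{base64.b64encode(pubkey).decode()}")
    return old_tag, new_tag, key_file_name(owner, alg, new_tag), record


# Constructed sample: a KSK (flags 257 = ZONE_KEY|SEP) for example.com. using
# algorithm 13, with a fake 64-byte "public key" of the bytes 1..64.
# This is illustrative data only, not a real key.
SAMPLE_PUBKEY = bytes(range(1, 65))
SAMPLE_KEY_FILE = (
    "; This is a key-signing key, keyid 2098, for example.com.\n"
    f"example.com. IN DNSKEY 257 3 13 {base64.b64encode(SAMPLE_PUBKEY).decode()}\n"
)

if __name__ == "__main__":
    old, new, fname, rec = revoke_key(SAMPLE_KEY_FILE)
    print(f"key tag before revoke: {old}")
    print(f"key tag after revoke:  {new}")
    print(f"revoked key file:      {fname}")
    print(rec)
```

Because the tag changes, the revoked key lands in a differently named file pair, leaving the originals behind (hence the -r flag to remove them) and only colliding with an existing file when some other key already carries the new algorithm and tag (the case the -f flag covers).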
Flags
- -E engine
- Specifies the cryptographic hardware to use, when applicable. When BIND 9 is built with OpenSSL PKCS#11 support, this defaults to the string pkcs11, which identifies an OpenSSL engine that can drive a cryptographic accelerator or hardware service module. When BIND 9 is built with native PKCS#11 cryptography (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified by using the --with-pkcs11 option.
- -f
- Forces an overwrite: causes the dnssec-revoke command to write the new key pair even if a file already exists that matches the algorithm and key ID of the revoked key.
- -h
- Displays a usage message and exits.
- -K directory
- Sets the directory in which the key files reside.
- -R
- Prints the key tag of the key with the REVOKE bit set, but does not revoke the key.
- -r
- Removes the original keyset files after the new keyset files are written.
- -V
- Prints version information.
- -v level
- Sets the debugging level.