
dnssec-revoke command

Purpose

Sets the revoked bit on a DNSSEC key.

Syntax

dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}

Description

The dnssec-revoke command reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now-revoked key.

Flags

-E engine
Specifies the cryptographic hardware to use, when applicable.

When BIND 9 is built with OpenSSL, this flag must be set to the OpenSSL engine identifier that drives the cryptographic accelerator or hardware service module (usually pkcs11). When BIND is built with native PKCS#11 cryptography (--enable-native-pkcs11), it defaults to the path of the PKCS#11 provider library specified with the --with-pkcs11 option.

-f
Forces an overwrite: the dnssec-revoke command writes the new key pair even if a file already exists that matches the algorithm and key ID of the revoked key.

-h
Displays a usage message and exits.

-K directory
Sets the directory in which the key files must exist.

-R
Prints the key tag of the key with the REVOKE bit set, but does not revoke the key.

-r
Removes the original keyset files after the new keyset files are written.

-V
Prints version information.

-v level
Sets the debugging level.