DNSSEC-REVOKE(8)                    BIND 9                    DNSSEC-REVOKE(8)

NAME
       dnssec-revoke - set the REVOKED bit on a DNSSEC key

SYNOPSIS
       dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f]
       [-R] {keyfile}

DESCRIPTION
       dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key
       as defined in RFC 5011, and creates a new pair of key files containing
       the now-revoked key.

OPTIONS

       -h     This option emits a usage message and exits.

       -K directory
              This option sets the directory in which the key files are to
              reside.

       -r     This option indicates to remove the original keyset files after
              writing the new keyset files.

       -v level
              This option sets the debugging level.

       -V     This option prints version information.

       -E engine
              This option specifies the cryptographic hardware to use, when
              applicable.

              When BIND 9 is built with OpenSSL, this needs to be set to the
              OpenSSL engine identifier that drives the cryptographic
              accelerator or hardware service module (usually pkcs11). When
              BIND is built with native PKCS#11 cryptography
              (--enable-native-pkcs11), it defaults to the path of the PKCS#11
              provider library specified via --with-pkcs11.

       -f     This option indicates a forced overwrite and causes
              dnssec-revoke to write the new key pair, even if a file already
              exists matching the algorithm and key ID of the revoked key.

       -R     This option prints the key tag of the key with the REVOKE bit
              set, but does not revoke the key.

SEE ALSO
       dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       2021, Internet Systems Consortium

9.16.18                           2021-06-18                  DNSSEC-REVOKE(8)