dnssec-revoke — Set the REVOKED bit on a DNSSEC key


dnssec-revoke [-hr] [-v level] [-K directory] [-E engine] [-f] [-R] {keyfile}


dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now-revoked key.



Emit usage message and exit.

-K directory

Sets the directory in which the key files are to reside.


After writing the new keyset files remove the original keyset files.

-v level

Sets the debugging level.

-E engine

Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.


Force overwrite: Causes dnssec-revoke to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.


Print the key tag of the key with the REVOKE bit set but do not revoke the key.


dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.


Internet Systems Consortium