DNSSEC-REVOKE(8) BIND9 DNSSEC-REVOKE(8)
NAME
dnssec-revoke - Set the REVOKED bit on a DNSSEC key
SYNOPSIS
dnssec-revoke [-hr] [-v level] [-K directory] [-E engine] [-f] [-R] {keyfile}
DESCRIPTION
dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files
containing the now-revoked key.
OPTIONS
-h
Emit usage message and exit.
-K directory
Sets the directory in which the key files are to reside.
-r
After writing the new keyset files, remove the original keyset files.
-v level
Sets the debugging level.
-E engine
Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.
-f
Force overwrite: Causes dnssec-revoke to write the new key pair even if a file already exists matching the algorithm and key ID of the
revoked key.
-R
Print the key tag of the key with the REVOKE bit set but do not revoke the key.
SEE ALSO
dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.
AUTHOR
Internet Systems Consortium
COPYRIGHT
Copyright (C) 2009, 2011 Internet Systems Consortium, Inc. ("ISC")
BIND9 June 1, 2009 DNSSEC-REVOKE(8)
DNSSEC-DSFROMKEY(8) BIND9 DNSSEC-DSFROMKEY(8)
NAME
dnssec-dsfromkey - DNSSEC DS RR generation tool
SYNOPSIS
dnssec-dsfromkey [-v level] [-1] [-2] [-a alg] {keyfile}
dnssec-dsfromkey {-s} [-v level] [-1] [-2] [-a alg] [-c class] [-d dir] {dnsname}
DESCRIPTION
dnssec-dsfromkey outputs the Delegation Signer (DS) resource record (RR), as defined in RFC 3658 and RFC 4509, for the given key(s).
OPTIONS
-1
Use SHA-1 as the digest algorithm (the default is to use both SHA-1 and SHA-256).
-2
Use SHA-256 as the digest algorithm.
-a algorithm
Select the digest algorithm. The value of algorithm must be one of SHA-1 (SHA1) or SHA-256 (SHA256). These values are case insensitive.
-v level
Sets the debugging level.
-s
Keyset mode: in place of the keyfile name, the argument is the DNS domain name of a keyset file. The following options make sense only in
this mode.
-c class
Specifies the DNS class (default is IN), useful only in the keyset mode.
-d directory
Look for keyset files in directory. Ignored when not in keyset mode.
EXAMPLE
To build the SHA-256 DS RR from the Kexample.com.+003+26160 keyfile name, the following command would be issued:
dnssec-dsfromkey -2 Kexample.com.+003+26160
The command would print something like:
example.com. IN DS 26160 5 2 3A1EADA7A74B8D0BA86726B0C227AA85AB8BBD2B2004F41A868A54F0 C5EA0B94
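The key tag in a keyfile name and in a DS record is a checksum over the DNSKEY RDATA, which includes the flags field, so setting the REVOKE bit gives the key a new tag (the value dnssec-revoke -R reports) and a new DS digest. The Python sketch below is an added example, not ISC code or part of the man page; it follows RFC 4034 Appendix B and RFC 4509, and the key material and function names are constructed for illustration.

```python
import base64
import hashlib
import struct

REVOKE = 0x0080  # REVOKE bit in the DNSKEY flags field (RFC 5011)

# Constructed 32-byte value standing in for an Ed25519 public key; not a real key.
SAMPLE_KEY_B64 = base64.b64encode(bytes(range(32))).decode()


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA on the wire: flags(2) | protocol(1) | algorithm(1) | key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (not valid for algorithm 1)."""
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + ((acc >> 16) & 0xFFFF)) & 0xFFFF


def revoked_key_tag(flags, protocol, algorithm, pubkey_b64):
    """Tag the key will carry once REVOKE is set; the key itself is untouched."""
    return key_tag(dnskey_rdata(flags | REVOKE, protocol, algorithm, pubkey_b64))


def owner_wire(name):
    """Canonical (lower-case) wire form of a fully qualified owner name."""
    labels = [lab for lab in name.lower().rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def ds_record(name, flags, protocol, algorithm, pubkey_b64):
    """DS with digest type 2: SHA-256(owner name | DNSKEY RDATA), RFC 4509."""
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = hashlib.sha256(owner_wire(name) + rdata).hexdigest().upper()
    return f"{name} IN DS {key_tag(rdata)} {algorithm} 2 {digest}"


if __name__ == "__main__":
    ksk = (257, 3, 15, SAMPLE_KEY_B64)  # KSK flags, protocol 3, algorithm 15
    print("key tag before revoke:", key_tag(dnskey_rdata(*ksk)))
    print("key tag after revoke: ", revoked_key_tag(*ksk))
    print(ds_record("example.com.", *ksk))
    print(ds_record("example.com.", 257 | REVOKE, 3, 15, SAMPLE_KEY_B64))
```

Because the tag and digest both change, a DS record published for the key before revocation will not match the revoked DNSKEY.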
FILES
The keyfile can be designated by the key identification Knnnn.+aaa+iiiii or the full file name Knnnn.+aaa+iiiii.key as generated by
dnssec-keygen(8).
The keyset file name is built from the directory, the string keyset- and the dnsname.
CAVEAT
A keyfile error can give a "file not found" even if the file exists.
SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 3658, RFC 4509.
AUTHOR
Internet Systems Consortium
COPYRIGHT
Copyright (C) 2008 Internet Systems Consortium, Inc. ("ISC")
BIND9 November 29, 2008 DNSSEC-DSFROMKEY(8)