dnssec-revoke — Set the REVOKED bit on a DNSSEC key


dnssec-revoke [-hr] [-v level] [-K directory] [-E engine] [-f] {keyfile}


dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as defined in RFC 5011, and creates a new pair of key files containing the now-revoked key.



Emit usage message and exit.

-K directory

Sets the directory in which the key files are to reside.


After writing the new keyset files remove the original keyset files.

-v level

Sets the debugging level.

-E engine

Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name resets it to no engine.


Force overwrite: Causes dnssec-revoke to write the new key pair even if a file already exists matching the algorithm and key ID of the revoked key.


dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC 5011.


Internet Systems Consortium