dnssec-revoke - set the REVOKED bit on a DNSSEC key

       Internet Systems Consortium

       2025, Internet Systems Consortium

9.20.4-3ubuntu1.2-Ubuntu                           2024-12-03                                   DNSSEC-REVOKE(1)

dnssec-revoke  reads  a  DNSSEC  key  file,  sets  the REVOKED bit on the key as defined in RFC5011, and
       creates a new pair of key files containing the now-revoked key.

       dnssec-revoke - set the REVOKED bit on a DNSSEC key

-h     This option emits a usage message and exits.

       -Kdirectory
              This option sets the directory in which the key files are to reside.

       -r     This option indicates to remove the original keyset files after writing the new keyset files.

       -vlevel
              This option sets the debugging level.

       -V     This option prints version information.

       -Eengine
              This option specifies the cryptographic hardware to use, when applicable.

              When BIND 9 is built with OpenSSL, this needs to be set to  the  OpenSSL  engine  identifier  that
              drives the cryptographic accelerator or hardware service module (usually pkcs11).

       -f     This  option indicates a forced overwrite and causes dnssec-revoke to write the new key pair, even
              if a file already exists matching the algorithm and key ID of the revoked key.

       -R     This option prints the key tag of the key with the REVOKE bit set, but does not revoke the key.

dnssec-keygen(8), BIND 9 Administrator Reference Manual, RFC5011.

dnssec-revoke [-hr] [-v level] [-V] [-K directory] [-E engine] [-f] [-R] {keyfile}