dnssec-revoke reads a DNSSEC key file, sets the REVOKED bit on the key as
defined in RFC 5011, and creates a new pair of key files containing the
now-revoked key.
This option sets the directory in which the key files are to reside.
-r
This option indicates to remove the original keyset files after writing
the new keyset files.
-v level
This option sets the debugging level.
-V
This option prints version information.
-E engine
This option specifies the cryptographic hardware to use, when applicable.
When BIND 9 is built with OpenSSL, this needs to be set to the
OpenSSL engine identifier that drives the cryptographic accelerator or
hardware service module (usually pkcs11).
-f
This option indicates a forced overwrite and causes dnssec-revoke
to write the new key pair, even if a file already exists matching the
algorithm and key ID of the revoked key.
-R
This option prints the key tag of the key with the REVOKE bit set, but
does not revoke the key.