5a580c3a38ced62d4bcc95b8ac7c4f2935b5d294Timo Sirainen<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch [<!ENTITY mdash "&#8212;">]>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch<!--
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch - Copyright (C) 2008-2012, 2014 Internet Systems Consortium, Inc. ("ISC")
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch -
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen - Permission to use, copy, modify, and/or distribute this software for any
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch - purpose with or without fee is hereby granted, provided that the above
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch - copyright notice and this permission notice appear in all copies.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch -
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch - PERFORMANCE OF THIS SOFTWARE.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch-->
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch<refentry id="man.dnssec-keyfromlabel">
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <refentryinfo>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <date>February 27, 2014</date>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </refentryinfo>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <refmeta>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <refentrytitle><application>dnssec-keyfromlabel</application></refentrytitle>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <manvolnum>8</manvolnum>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <refmiscinfo>BIND9</refmiscinfo>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </refmeta>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <refnamediv>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <refname><application>dnssec-keyfromlabel</application></refname>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <refpurpose>DNSSEC key generation tool</refpurpose>
dde71564d306d07cba63bdf0f40996ffb90ca47aTimo Sirainen </refnamediv>
dde71564d306d07cba63bdf0f40996ffb90ca47aTimo Sirainen
dde71564d306d07cba63bdf0f40996ffb90ca47aTimo Sirainen <docinfo>
dde71564d306d07cba63bdf0f40996ffb90ca47aTimo Sirainen <copyright>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <year>2008</year>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <year>2009</year>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <year>2010</year>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <year>2011</year>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <year>2012</year>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <year>2014</year>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </copyright>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </docinfo>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <refsynopsisdiv>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <cmdsynopsis>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <command>dnssec-keyfromlabel</command>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg choice="req">-l <replaceable class="parameter">label</replaceable></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-3</option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-a <replaceable class="parameter">algorithm</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-G</option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-i <replaceable class="parameter">interval</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-k</option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-L <replaceable class="parameter">ttl</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-S <replaceable class="parameter">key</replaceable></option></arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <arg><option>-y</option></arg>
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch <arg choice="req">name</arg>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </cmdsynopsis>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen </refsynopsisdiv>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <refsect1>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <title>DESCRIPTION</title>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <para><command>dnssec-keyfromlabel</command>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch generates a key pair of files that referencing a key object stored
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch in a cryptographic hardware service module (HSM). The private key
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch file can be used for DNSSEC signing of zone data as if it were a
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch conventional signing key created by <command>dnssec-keygen</command>,
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch but the key material is stored within the HSM, and the actual signing
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch takes place there.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch The <option>name</option> of the key is specified on the command
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch line. This must match the name of the zone for which the key is
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch being generated.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </refsect1>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <refsect1>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <title>OPTIONS</title>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <variablelist>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <varlistentry>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <term>-a <replaceable class="parameter">algorithm</replaceable></term>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <listitem>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch Selects the cryptographic algorithm. The value of
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <option>algorithm</option> must be one of RSAMD5, RSASHA1,
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch ECDSAP256SHA256 or ECDSAP384SHA384.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch These values are case insensitive.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
      <para>
        If no algorithm is specified, then RSASHA1 will be used by
        default, unless the <option>-3</option> option is specified,
        in which case NSEC3RSASHA1 will be used instead.  (If
        <option>-3</option> is used and an algorithm is specified,
        that algorithm will be checked for compatibility with NSEC3.)
        Because both defaults are SHA-1 based, it is advisable to
        select the algorithm explicitly with <option>-a</option>
        rather than relying on the default.
      </para>
      <para>
        Note 1: for DNSSEC, RSASHA1 is a mandatory-to-implement
        algorithm.  RSAMD5 is deprecated (RFC 6944 lists it as
        "must not implement") and DSA is no longer recommended;
        for new keys, RSASHA256 or ECDSAP256SHA256 is preferred.
      </para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch Note 2: DH automatically sets the -k flag.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </listitem>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </varlistentry>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <varlistentry>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <term>-3</term>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <listitem>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch Use an NSEC3-capable algorithm to generate a DNSSEC key.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch If this option is used and no algorithm is explicitly
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch set on the command line, NSEC3RSASHA1 will be used by
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch default.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </listitem>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </varlistentry>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <varlistentry>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <term>-E <replaceable class="parameter">engine</replaceable></term>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <listitem>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch Specifies the cryptographic hardware to use.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
      <para>
        When BIND is built with OpenSSL PKCS#11 support, this defaults
        to the string "pkcs11", which identifies an OpenSSL engine
        that can drive a cryptographic accelerator or hardware security
        module.  When BIND is built with native PKCS#11 cryptography
        (--enable-native-pkcs11), it defaults to the path of the PKCS#11
        provider library specified via "--with-pkcs11".
      </para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </listitem>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </varlistentry>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <varlistentry>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <term>-l <replaceable class="parameter">label</replaceable></term>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <listitem>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch Specifies the label for a key pair in the crypto hardware.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch When <acronym>BIND</acronym> 9 is built with OpenSSL-based
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch PKCS#11 support, the label is an arbitrary string that
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch identifies a particular key. It may be preceded by an
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch optional OpenSSL engine name, followed by a colon, as in
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch "pkcs11:<replaceable>keylabel</replaceable>".
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch When <acronym>BIND</acronym> 9 is built with native PKCS#11
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch support, the label is a PKCS#11 URI string in the format
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch "pkcs11:<option>keyword</option>=<replaceable>value</replaceable><optional>;<option>keyword</option>=<replaceable>value</replaceable>;...</optional>"
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch Keywords include "token", which identifies the HSM; "object", which
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch identifies the key; and "pin-source", which identifies a file from
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch which the HSM's PIN code can be obtained. The label will be
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch stored in the on-disk "private" file.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
      <para>
        If the label contains a
        <option>pin-source</option> field, tools using the generated
        key files will be able to use the HSM for signing and other
        operations without any need for an operator to manually enter
        a PIN.  Note: Making the HSM's PIN accessible in this manner
        may reduce the security advantage of using an HSM: the HSM
        still prevents the private key from being extracted, but
        anyone who can read the file named by
        <option>pin-source</option> and reach the HSM can sign with
        the key.  Restrict the permissions of that file (and of the
        on-disk "private" file, which records its path as part of the
        label) to the account that runs the signing tools, and be sure
        this is what you want to do before making use of this feature.
      </para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </listitem>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen </varlistentry>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen <varlistentry>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen <term>-n <replaceable class="parameter">nametype</replaceable></term>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen <listitem>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen <para>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen Specifies the owner type of the key. The value of
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen <option>nametype</option> must either be ZONE (for a DNSSEC
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen a host (KEY)),
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch These values are case insensitive.
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch </para>
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch </listitem>
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch </varlistentry>
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch <varlistentry>
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch <term>-C</term>
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch <listitem>
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch <para>
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch Compatibility mode: generates an old-style key, without
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch any metadata. By default, <command>dnssec-keyfromlabel</command>
5b23fb78a695f797b3c0fa4ec32d979283e995b7Stephan Bosch will include the key's creation date in the metadata stored
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch with the private key, and other dates may be set there as well
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch (publication date, activation date, etc). Keys that include
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch this data may be incompatible with older versions of BIND; the
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <option>-C</option> option suppresses them.
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </para>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </listitem>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </varlistentry>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <varlistentry>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <term>-c <replaceable class="parameter">class</replaceable></term>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <listitem>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch Indicates that the DNS record containing the key should have
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch the specified class. If not specified, class IN is used.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </listitem>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </varlistentry>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <varlistentry>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <term>-f <replaceable class="parameter">flag</replaceable></term>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <listitem>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <para>
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch Set the specified flag in the flag field of the KEY/DNSKEY record.
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch The only recognized flags are KSK (Key Signing Key) and REVOKE.
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch </para>
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch </listitem>
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch </varlistentry>
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch <varlistentry>
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch <term>-G</term>
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch <listitem>
50a6d26bd9041f44b4cad0c0357c0c604c132cc8Stephan Bosch <para>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen Generate a key, but do not publish it or sign with it. This
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen option is incompatible with -P and -A.
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen </para>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen </listitem>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen </varlistentry>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen <varlistentry>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen <term>-h</term>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen <listitem>
65c0e43da8cfc730eeb4634f8aa384081bbfa4e7Timo Sirainen <para>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch Prints a short summary of the options and arguments to
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <command>dnssec-keyfromlabel</command>.
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </para>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </listitem>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </varlistentry>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <varlistentry>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <term>-K <replaceable class="parameter">directory</replaceable></term>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <listitem>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <para>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch Sets the directory in which the key files are to be written.
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </para>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </listitem>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch </varlistentry>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <varlistentry>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <term>-k</term>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch <listitem>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <para>
eb325a5a90c1d2655e74972bde0de6a699d2c864Stephan Bosch Generate KEY records rather than DNSKEY records.
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </para>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </listitem>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </varlistentry>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <varlistentry>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <term>-L <replaceable class="parameter">ttl</replaceable></term>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <listitem>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <para>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen Sets the default TTL to use for this key when it is converted
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen into a DNSKEY RR. If the key is imported into a zone,
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen this is the TTL that will be used for it, unless there was
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen already a DNSKEY RRset in place, in which case the existing TTL
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen would take precedence. Setting the default TTL to
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <literal>0</literal> or <literal>none</literal> removes it.
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen </para>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen </listitem>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen </varlistentry>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <varlistentry>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <term>-p <replaceable class="parameter">protocol</replaceable></term>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <listitem>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <para>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen Sets the protocol value for the key. The protocol
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen is a number between 0 and 255. The default is 3 (DNSSEC).
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen Other possible values for this argument are listed in
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen RFC 2535 and its successors.
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </para>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </listitem>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </varlistentry>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <varlistentry>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <term>-S <replaceable class="parameter">key</replaceable></term>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <listitem>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <para>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen Generate a key as an explicit successor to an existing key.
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen The name, algorithm, size, and type of the key will be set
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen to match the predecessor. The activation date of the new
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen key will be set to the inactivation date of the existing
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen one. The publication date will be set to the activation
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen date minus the prepublication interval, which defaults to
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen 30 days.
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </para>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </listitem>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </varlistentry>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <varlistentry>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <term>-t <replaceable class="parameter">type</replaceable></term>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <listitem>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <para>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen Indicates the use of the key. <option>type</option> must be
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen is AUTHCONF. AUTH refers to the ability to authenticate
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen data, and CONF the ability to encrypt data.
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen </para>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen </listitem>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen </varlistentry>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <varlistentry>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <term>-v <replaceable class="parameter">level</replaceable></term>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <listitem>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <para>
9e10978b8632da8e50af18059205c44678c1dfedTimo Sirainen Sets the debugging level.
56d1345c43bbd28c36b7faa85e4163bd9e874290Timo Sirainen </para>
56d1345c43bbd28c36b7faa85e4163bd9e874290Timo Sirainen </listitem>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen </varlistentry>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <varlistentry>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <term>-y</term>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen <listitem>
      <para>
        Allows DNSSEC key files to be generated even if the key ID
        would collide with that of an existing key, in the event of
        either key being revoked.  (Setting the REVOKE flag changes a
        key's key ID, so two keys whose IDs differ today may collide
        once one of them is revoked.  This is only safe to use if you
        are sure you won't be using RFC 5011 trust anchor maintenance
        with either of the keys involved.)
      </para>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen </listitem>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen </varlistentry>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </variablelist>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen </refsect1>
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <refsect1>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <title>TIMING OPTIONS</title>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen <para>
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen If the argument begins with a '+' or '-', it is interpreted as
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen an offset from the present time. For convenience, if such an offset
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen then the offset is computed in years (defined as 365 24-hour days,
85b5b20e1931039c0867894a405b62e3a8d2c660Timo Sirainen ignoring leap years), months (defined as 30 24-hour days), weeks,
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen days, hours, or minutes, respectively. Without a suffix, the offset
fc3ac5b8207117163530be1dda58299c65e23d73Timo Sirainen is computed in seconds. To explicitly prevent a date from being
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch set, use 'none' or 'never'.
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch </para>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <variablelist>
7384b4e78eaab44693c985192276e31322155e32Stephan Bosch <varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked (its REVOKE bit set, as
defined by RFC 5011). It will still be included in the zone and
will be used to sign it, so that validators holding the key as a
managed trust anchor see a self-signed revocation and stop
trusting it. Because the flags field is part of the key tag
computation, a revoked key's footprint differs from the one
printed when the key was created. Revocation is a trust-anchor
mechanism, not a substitute for an ordinary rollover using
-I and -D.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be retired (made inactive).
After that date, the key will still be included in the zone, but
it will not be used to sign it. Keep the retired key published for
as long as signatures made with it may still be cached &mdash; that
is, set -D no earlier than this date plus the longest remaining
signature validity and TTL of the records it signed &mdash; so that
validators holding those cached RRSIGs can continue to validate
them.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. Deletion
affects zone content only: the generated key files remain in the
key repository, and the private key object that the label refers
to is not touched on the HSM or PKCS#11 token. Both must be
removed explicitly once the key is no longer needed.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-i <replaceable class="parameter">interval</replaceable></term>
<listitem>
<para>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
A zero interval (publish and activate at the same instant) is
appropriate for a zone being signed for the first time, but during
a rollover it can cause validation failures for resolvers that
have cached the previous DNSKEY RRset and have not yet seen the
new key.
</para>
<para>
If the key is being created as an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</para>
</listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1>
<title>GENERATED KEY FILES</title>
<para>
When <command>dnssec-keyfromlabel</command> completes
successfully,
it prints a string of the form <filename>Knnnn.+aaa+iiiii</filename>
to the standard output. This is an identification string for
the key files it has generated.
</para>
<itemizedlist>
<listitem>
<para><filename>nnnn</filename> is the key name.
</para>
</listitem>
<listitem>
<para><filename>aaa</filename> is the numeric representation
of the algorithm.
</para>
</listitem>
<listitem>
<para><filename>iiiii</filename> is the key identifier (or
footprint).
</para>
</listitem>
</itemizedlist>
<para><command>dnssec-keyfromlabel</command>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
<filename>Knnnn.+aaa+iiiii.private</filename> contains the
private key.
</para>
<para>
The <filename>.key</filename> file contains a DNSKEY record
(RFC 4034) that
can be inserted into a zone file (directly or with a $INCLUDE
statement).
</para>
<para>
The <filename>.private</filename> file contains
algorithm-specific
fields. Because the key is created from a label, the private key
material itself stays in the HSM or PKCS#11 token; the file holds
what is needed to locate and use that key object, which together
with access to the token is sufficient to sign as the zone. It is
therefore created without group or world read permission; preserve
that mode when copying or backing it up, and protect the token and
its PIN with the same care.
</para>
</refsect1>
<refsect1>
<title>SEE ALSO</title>
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 4034</citetitle>,
<citetitle>The PKCS#11 URI Scheme (draft-pechanec-pkcs11uri-13, published as RFC 7512)</citetitle>.
</para>
</refsect1>
<refsect1>
<title>AUTHOR</title>
<para><corpauthor>Internet Systems Consortium</corpauthor>
</para>
</refsect1>
</refentry><!--
- Local variables:
- mode: sgml
- End:
-->