471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski [<!ENTITY mdash "&#8212;">]>

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder<refentry id="man.dnssec-settime">

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <refentryinfo>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <date>July 15, 2009</date>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski </refentryinfo>

a07d77ce09907914eec722e8af1690a859efb29bChristian Maeder

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder <refmeta>

a07d77ce09907914eec722e8af1690a859efb29bChristian Maeder <refentrytitle><application>dnssec-settime</application></refentrytitle>

a07d77ce09907914eec722e8af1690a859efb29bChristian Maeder <manvolnum>8</manvolnum>

a07d77ce09907914eec722e8af1690a859efb29bChristian Maeder <refmiscinfo>BIND9</refmiscinfo>

a07d77ce09907914eec722e8af1690a859efb29bChristian Maeder </refmeta>

a07d77ce09907914eec722e8af1690a859efb29bChristian Maeder

a07d77ce09907914eec722e8af1690a859efb29bChristian Maeder <refnamediv>

a07d77ce09907914eec722e8af1690a859efb29bChristian Maeder <refname><application>dnssec-settime</application></refname>

a07d77ce09907914eec722e8af1690a859efb29bChristian Maeder <refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>

a07d77ce09907914eec722e8af1690a859efb29bChristian Maeder </refnamediv>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <docinfo>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <copyright>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <year>2009</year>

827abf6c961893aa3aa0bc511edd21ac78046b53Christian Maeder <holder>Internet Systems Consortium, Inc. ("ISC")</holder>

827abf6c961893aa3aa0bc511edd21ac78046b53Christian Maeder </copyright>

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder </docinfo>

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder <refsynopsisdiv>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <cmdsynopsis>

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder <command>dnssec-settime</command>

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder <arg><option>-f</option></arg>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>

827abf6c961893aa3aa0bc511edd21ac78046b53Christian Maeder <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <arg><option>-h</option></arg>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>

827abf6c961893aa3aa0bc511edd21ac78046b53Christian Maeder <arg choice="req">keyfile</arg>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski </cmdsynopsis>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski </refsynopsisdiv>

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <refsect1>

bf7d5e9881cb74f6ae4c5b27adca061d24f87e0eChristian Maeder <title>DESCRIPTION</title>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <para><command>dnssec-settime</command>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski reads a DNSSEC private key file and sets the key timing metadata

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski as specified by the <option>-P</option>, <option>-A</option>,

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <option>-R</option>, <option>-I</option>, and <option>-D</option>

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski options. The metadata can then be used by

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <command>dnssec-signzone</command> or other signing software to

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski determine when a key is to be published, whether it should be

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski used for signing a zone, etc.

827abf6c961893aa3aa0bc511edd21ac78046b53Christian Maeder </para>

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder <para>

827abf6c961893aa3aa0bc511edd21ac78046b53Christian Maeder If none of these options is set on the command line,

827abf6c961893aa3aa0bc511edd21ac78046b53Christian Maeder then <command>dnssec-settime</command> simply prints the key timing

827abf6c961893aa3aa0bc511edd21ac78046b53Christian Maeder metadata already stored in the key.

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder </para>

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder <para>

f0bf6380a0d9535227ede0b2afad65a35e84badeChristian Maeder When key metadata fields are changed, both files of a key

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski pair (<filename>Knnnn.+aaa+iiiii.key</filename> and

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski <filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski Metadata fields are stored in the private file. A human-readable

827abf6c961893aa3aa0bc511edd21ac78046b53Christian Maeder description of the metadata is also placed in comments in the key

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski file.

471f79b0ba3ce875148d71d67fb120b2de0ed83cTill Mossakowski </para>

827abf6c961893aa3aa0bc511edd21ac78046b53Christian Maeder </refsect1>

<refsect1>

<title>OPTIONS</title>

<variablelist>

<varlistentry>

<term>-f</term>

<listitem>

<para>

Force an update of an old-format key with no metadata fields.

Without this option, <command>dnssec-settime</command> will

fail when attempting to update a legacy key. With this option,

the key will be recreated in the new format, but with the

original key data retained. The key's creation date will be

set to the present time.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-K <replaceable class="parameter">directory</replaceable></term>

<listitem>

<para>

Sets the directory in which the key files are to reside.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-h</term>

<listitem>

<para>

Emit usage message and exit.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-v <replaceable class="parameter">level</replaceable></term>

<listitem>

<para>

Sets the debugging level.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-E <replaceable class="parameter">engine</replaceable></term>

<listitem>

<para>

Use the given OpenSSL engine. When compiled with PKCS#11 support

it defaults to pcks11, the empty name resets it to no engine.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect1>

<refsect1>

<title>TIMING OPTIONS</title>

<para>

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.

If the argument begins with a '+' or '-', it is interpreted as

an offset from the present time. For convenience, if such an offset

is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',

then the offset is computed in years (defined as 365 24-hour days,

ignoring leap years), months (defined as 30 24-hour days), weeks,

days, hours, or minutes, respectively. Without a suffix, the offset

is computed in seconds. To unset a date, use 'none'.

</para>

<variablelist>

<varlistentry>

<term>-P <replaceable class="parameter">date/offset</replaceable></term>

<listitem>

<para>

Sets the date on which a key is to be published to the zone.

After that date, the key will be included in the zone but will

not be used to sign it.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-A <replaceable class="parameter">date/offset</replaceable></term>

<listitem>

<para>

Sets the date on which the key is to be activated. After that

date, the key will be included and the zone and used to sign

it.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-R <replaceable class="parameter">date/offset</replaceable></term>

<listitem>

<para>

Sets the date on which the key is to be revoked. After that

date, the key will be flagged as revoked. It will be included

in the zone and will be used to sign it.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-I <replaceable class="parameter">date/offset</replaceable></term>

<listitem>

<para>

Sets the date on which the key is to be retired. After that

date, the key will still be included in the zone, but it

will not be used to sign it.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-D <replaceable class="parameter">date/offset</replaceable></term>

<listitem>

<para>

Sets the date on which the key is to be deleted. After that

date, the key will no longer be included in the zone. (It

may remain in the key repository, however.)

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect1>

<refsect1>

<title>PRINTING OPTIONS</title>

<para>

<command>dnssec-settime</command> can also be used to print the

timing metadata associated with a key.

</para>

<variablelist>

<varlistentry>

<term>-u</term>

<listitem>

<para>

Print times in UNIX epoch format.

</para>

</listitem>

</varlistentry>

<varlistentry>

<term>-p <replaceable class="parameter">C/P/A/R/U/D/all</replaceable></term>

<listitem>

<para>

Print a specific metadata value or set of metadata values.

The <option>-p</option> option may be followed by one or more

of the following letters to indicate which value or values to print:

<option>C</option> for the creation date,

<option>P</option> for the publication date,

<option>A</option> for the activation date,

<option>R</option> for the revokation date,

<option>U</option> for the unpublication date, or

<option>D</option> for the deletion date.

To print all of the metadata, use <option>-p all</option>.

</para>

</listitem>

</varlistentry>

</variablelist>

</refsect1>

<refsect1>

<title>SEE ALSO</title>

<para><citerefentry>

<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>

</citerefentry>,

<citerefentry>

<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>

</citerefentry>,

<citetitle>BIND 9 Administrator Reference Manual</citetitle>,

<citetitle>RFC 5011</citetitle>.

</para>

</refsect1>

<refsect1>

<title>AUTHOR</title>

<para><corpauthor>Internet Systems Consortium</corpauthor>

</para>

</refsect1>

</refentry><!--