dnssec-settime.docbook revision 8b78c993cb475cc94e88560941b28c37684789d9
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 [<!ENTITY mdash "—">]>
 - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-settime.docbook,v 1.5 2009/10/05 17:30:49 fdupont Exp $ -->
 <refentryinfo>
 </refentryinfo>
 <refentrytitle><application>dnssec-settime</application></refentrytitle>
 <refnamediv>
 <refname><application>dnssec-settime</application></refname>
 <refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>
 </refnamediv>
 <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
 <refsynopsisdiv>
 <cmdsynopsis>
 <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
 <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
 <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
 <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
 <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
 <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
 <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
 <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
 </cmdsynopsis>
 </refsynopsisdiv>
 reads a DNSSEC private key file and sets the key timing metadata
 as specified by the <option>-P</option>, <option>-A</option>,
 <option>-R</option>, <option>-I</option>, and <option>-D</option>
 options. The metadata can then be used by
 <command>dnssec-signzone</command> or other signing software to
 determine when a key is to be published, whether it should be
 used for signing a zone, etc.
 If none of these options is set on the command line,
 then <command>dnssec-settime</command> simply prints the key timing
 metadata already stored in the key.
 When key metadata fields are changed, both files of a key
 pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
 <filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
 Metadata fields are stored in the private file. A human-readable
 description of the metadata is also placed in comments in the key
 <variablelist>
 <varlistentry>
 Force an update of an old-format key with no metadata fields.
 Without this option, <command>dnssec-settime</command> will
 fail when attempting to update a legacy key. With this option,
 the key will be recreated in the new format, but with the
 original key data retained. The key's creation date will be
 set to the present time.
 </varlistentry>
 <varlistentry>
 <term>-K <replaceable class="parameter">directory</replaceable></term>
 Sets the directory in which the key files are to reside.
 </varlistentry>
 <varlistentry>
 Emit usage message and exit.
 </varlistentry>
 <varlistentry>
 <term>-v <replaceable class="parameter">level</replaceable></term>
 Sets the debugging level.
 </varlistentry>
 <varlistentry>
 <term>-E <replaceable class="parameter">engine</replaceable></term>
 Use the given OpenSSL engine. When compiled with PKCS#11 support
 it defaults to pkcs11; the empty name resets it to no engine.
 </varlistentry>
 </variablelist>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To unset a date, use 'none'.
 <variablelist>
 <varlistentry>
 <term>-P <replaceable class="parameter">date/offset</replaceable></term>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it.
 </varlistentry>
 <varlistentry>
 <term>-A <replaceable class="parameter">date/offset</replaceable></term>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
 </varlistentry>
 <varlistentry>
 <term>-R <replaceable class="parameter">date/offset</replaceable></term>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
 </varlistentry>
 <varlistentry>
 <term>-I <replaceable class="parameter">date/offset</replaceable></term>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
 </varlistentry>
 <varlistentry>
 <term>-D <replaceable class="parameter">date/offset</replaceable></term>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
 </varlistentry>
 </variablelist>
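The date/offset syntax and the five timing options described above, worked through as an added example (not part of the BIND sources or of this manual page). The names parse_when and key_state are hypothetical, absolute dates are assumed to be UTC, and the way overlapping dates combine in key_state is a simplified model built only from the option descriptions above.

```python
import re
from datetime import datetime, timezone

# Offset suffix -> seconds, per the text (year = 365 days, month = 30 days).
UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
         "d": 86400, "h": 3600, "mi": 60, "": 1}
OFFSET = re.compile(r"([+-])([0-9]+)([a-z]*)")


def parse_when(arg, now):
    """Resolve a date/offset argument to epoch seconds; 'none' gives None."""
    if arg == "none":
        return None
    m = OFFSET.fullmatch(arg)
    if m:
        sign, count, suffix = m.groups()
        if suffix not in UNITS:
            raise ValueError(f"unknown offset suffix: {suffix!r}")
        delta = int(count) * UNITS[suffix]
        return now + delta if sign == "+" else now - delta
    if not re.fullmatch(r"[0-9]{8}|[0-9]{14}", arg):
        raise ValueError(f"not a date or offset: {arg!r}")
    fmt = "%Y%m%d" if len(arg) == 8 else "%Y%m%d%H%M%S"
    # Assumption: absolute dates are taken as UTC.
    stamp = datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
    return int(stamp.timestamp())


def key_state(meta, now):
    """meta maps the letters P/A/R/I/D to epoch seconds or None (unset)."""
    def passed(letter):
        when = meta.get(letter)
        return when is not None and when <= now

    deleted = passed("D")
    # Assumption: an activated or revoked key counts as published.
    in_zone = (passed("P") or passed("A") or passed("R")) and not deleted
    signing = (passed("A") or passed("R")) and not passed("I") and not deleted
    return {"in_zone": in_zone, "signing": signing, "revoked": passed("R")}


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed reference time
    plan = {"P": "-10d", "A": "-1d", "R": "none", "I": "+30d", "D": "+60d"}
    meta = {k: parse_when(v, NOW) for k, v in plan.items()}
    for label, t in (("now", NOW), ("+31d", NOW + 31 * 86400),
                     ("+61d", NOW + 61 * 86400)):
        print(label, key_state(meta, t))
```

Evaluating a planned set of dates this way before writing them to a key shows whether there is a window in which the zone would have no signing key.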
 <command>dnssec-settime</command> can also be used to print the
 timing metadata associated with a key.
 <variablelist>
 <varlistentry>
 Print times in UNIX epoch format.
 </varlistentry>
 <varlistentry>
 <term>-p <replaceable class="parameter">C/P/A/R/U/D/all</replaceable></term>
 Print a specific metadata value or set of metadata values.
 The <option>-p</option> option may be followed by one or more
 of the following letters to indicate which value or values to print:
 To print all of the metadata, use <option>-p all</option>.
 </varlistentry>
 </variablelist>
 <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
 </citerefentry>,
 <citerefentry>
 <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
 </citerefentry>,
 <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
 <para><corpauthor>Internet Systems Consortium</corpauthor>
 - Local variables:
 - mode: sgml