dnssec-settime.docbook revision eec29cfd40361662b25bad50e1b94f7738a8fea0
5beae861ede7eba138c7140f195ae77ba3106cbffielding<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
5beae861ede7eba138c7140f195ae77ba3106cbffielding "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
5beae861ede7eba138c7140f195ae77ba3106cbffielding [<!ENTITY mdash "—">]>
5beae861ede7eba138c7140f195ae77ba3106cbffielding - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
5beae861ede7eba138c7140f195ae77ba3106cbffielding - Permission to use, copy, modify, and/or distribute this software for any
5beae861ede7eba138c7140f195ae77ba3106cbffielding - purpose with or without fee is hereby granted, provided that the above
5beae861ede7eba138c7140f195ae77ba3106cbffielding - copyright notice and this permission notice appear in all copies.
5beae861ede7eba138c7140f195ae77ba3106cbffielding - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
5beae861ede7eba138c7140f195ae77ba3106cbffielding - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
5beae861ede7eba138c7140f195ae77ba3106cbffielding - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
5beae861ede7eba138c7140f195ae77ba3106cbffielding - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
5beae861ede7eba138c7140f195ae77ba3106cbffielding - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
5beae861ede7eba138c7140f195ae77ba3106cbffielding - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
5beae861ede7eba138c7140f195ae77ba3106cbffielding - PERFORMANCE OF THIS SOFTWARE.
5beae861ede7eba138c7140f195ae77ba3106cbffielding<!-- $Id: dnssec-settime.docbook,v 1.6 2009/10/16 15:37:01 jreed Exp $ -->
5beae861ede7eba138c7140f195ae77ba3106cbffielding <refentryinfo>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </refentryinfo>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <refentrytitle><application>dnssec-settime</application></refentrytitle>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <refnamediv>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <refname><application>dnssec-settime</application></refname>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </refnamediv>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <copyright>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </copyright>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <refsynopsisdiv>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <cmdsynopsis>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </cmdsynopsis>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </refsynopsisdiv>
5beae861ede7eba138c7140f195ae77ba3106cbffielding reads a DNSSEC private key file and sets the key timing metadata
5beae861ede7eba138c7140f195ae77ba3106cbffielding as specified by the <option>-P</option>, <option>-A</option>,
5beae861ede7eba138c7140f195ae77ba3106cbffielding <option>-R</option>, <option>-I</option>, and <option>-D</option>
5beae861ede7eba138c7140f195ae77ba3106cbffielding options. The metadata can then be used by
5beae861ede7eba138c7140f195ae77ba3106cbffielding <command>dnssec-signzone</command> or other signing software to
5beae861ede7eba138c7140f195ae77ba3106cbffielding determine when a key is to be published, whether it should be
5beae861ede7eba138c7140f195ae77ba3106cbffielding used for signing a zone, etc.
e38f3ccb1d1368339739ba98be433ec16b1967e4aaron If none of these options is set on the command line,
5beae861ede7eba138c7140f195ae77ba3106cbffielding then <command>dnssec-settime</command> simply prints the key timing
342322367642446713ef0f6e6421a41aec242425gregames metadata already stored in the key.
5beae861ede7eba138c7140f195ae77ba3106cbffielding When key metadata fields are changed, both files of a key
5beae861ede7eba138c7140f195ae77ba3106cbffielding pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
5beae861ede7eba138c7140f195ae77ba3106cbffielding <filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
d26b056e312c0ba8e5fbf59da61a71a02cb3be44lars Metadata fields are stored in the private file. A human-readable
9b12a8c4735e90e88bb42f2b03569c852834ef36rse description of the metadata is also placed in comments in the key
5beae861ede7eba138c7140f195ae77ba3106cbffielding </refsect1>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <variablelist>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Force an update of an old-format key with no metadata fields.
5beae861ede7eba138c7140f195ae77ba3106cbffielding Without this option, <command>dnssec-settime</command> will
5beae861ede7eba138c7140f195ae77ba3106cbffielding fail when attempting to update a legacy key. With this option,
5beae861ede7eba138c7140f195ae77ba3106cbffielding the key will be recreated in the new format, but with the
5beae861ede7eba138c7140f195ae77ba3106cbffielding original key data retained. The key's creation date will be
5beae861ede7eba138c7140f195ae77ba3106cbffielding set to the present time.
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
2342e783a2f2e1d69c46c6fa3e8d987069d53046wrowe </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <term>-K <replaceable class="parameter">directory</replaceable></term>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Sets the directory in which the key files are to reside.
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
acf47691e4f2e788ea89e30f27015402f4bf9075trawick </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Emit usage message and exit.
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <term>-v <replaceable class="parameter">level</replaceable></term>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Sets the debugging level.
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <term>-E <replaceable class="parameter">engine</replaceable></term>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Use the given OpenSSL engine. When compiled with PKCS#11 support
5beae861ede7eba138c7140f195ae77ba3106cbffielding it defaults to pcks11, the empty name resets it to no engine.
5beae861ede7eba138c7140f195ae77ba3106cbffielding </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </variablelist>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </refsect1>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
5beae861ede7eba138c7140f195ae77ba3106cbffielding If the argument begins with a '+' or '-', it is interpreted as
5beae861ede7eba138c7140f195ae77ba3106cbffielding an offset from the present time. For convenience, if such an offset
5beae861ede7eba138c7140f195ae77ba3106cbffielding is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
fd2db14d870ff9aa9795841360f6e3d562ad69a2jerenkrantz then the offset is computed in years (defined as 365 24-hour days,
209d30d974f66f7f62c5888827d4cc0b95de40c0lars ignoring leap years), months (defined as 30 24-hour days), weeks,
209d30d974f66f7f62c5888827d4cc0b95de40c0lars days, hours, or minutes, respectively. Without a suffix, the offset
209d30d974f66f7f62c5888827d4cc0b95de40c0lars is computed in seconds. To unset a date, use 'none'.
5beae861ede7eba138c7140f195ae77ba3106cbffielding <variablelist>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
711d4b43c1e5c33611ac1b938cf7b944c3aa77b7jerenkrantz <term>-P <replaceable class="parameter">date/offset</replaceable></term>
0729ed19effa96566e715392dd17440bb5a107d6jwoolley Sets the date on which a key is to be published to the zone.
0729ed19effa96566e715392dd17440bb5a107d6jwoolley After that date, the key will be included in the zone but will
5beae861ede7eba138c7140f195ae77ba3106cbffielding not be used to sign it.
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </varlistentry>
209d30d974f66f7f62c5888827d4cc0b95de40c0lars <varlistentry>
209d30d974f66f7f62c5888827d4cc0b95de40c0lars <term>-A <replaceable class="parameter">date/offset</replaceable></term>
209d30d974f66f7f62c5888827d4cc0b95de40c0lars <listitem>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Sets the date on which the key is to be activated. After that
5beae861ede7eba138c7140f195ae77ba3106cbffielding date, the key will be included in the zone and used to sign
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <term>-R <replaceable class="parameter">date/offset</replaceable></term>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Sets the date on which the key is to be revoked. After that
5beae861ede7eba138c7140f195ae77ba3106cbffielding date, the key will be flagged as revoked. It will be included
5beae861ede7eba138c7140f195ae77ba3106cbffielding in the zone and will be used to sign it.
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <term>-I <replaceable class="parameter">date/offset</replaceable></term>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Sets the date on which the key is to be retired. After that
5beae861ede7eba138c7140f195ae77ba3106cbffielding date, the key will still be included in the zone, but it
5beae861ede7eba138c7140f195ae77ba3106cbffielding will not be used to sign it.
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <term>-D <replaceable class="parameter">date/offset</replaceable></term>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Sets the date on which the key is to be deleted. After that
5beae861ede7eba138c7140f195ae77ba3106cbffielding date, the key will no longer be included in the zone. (It
5beae861ede7eba138c7140f195ae77ba3106cbffielding may remain in the key repository, however.)
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </variablelist>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </refsect1>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <command>dnssec-settime</command> can also be used to print the
5beae861ede7eba138c7140f195ae77ba3106cbffielding timing metadata associated with a key.
5beae861ede7eba138c7140f195ae77ba3106cbffielding <variablelist>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Print times in UNIX epoch format.
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <term>-p <replaceable class="parameter">C/P/A/R/U/D/all</replaceable></term>
5beae861ede7eba138c7140f195ae77ba3106cbffielding Print a specific metadata value or set of metadata values.
5beae861ede7eba138c7140f195ae77ba3106cbffielding The <option>-p</option> option may be followed by one or more
5beae861ede7eba138c7140f195ae77ba3106cbffielding of the following letters to indicate which value or values to print:
5beae861ede7eba138c7140f195ae77ba3106cbffielding To print all of the metadata, use <option>-p all</option>.
5beae861ede7eba138c7140f195ae77ba3106cbffielding </listitem>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </varlistentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </variablelist>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </refsect1>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </citerefentry>,
5beae861ede7eba138c7140f195ae77ba3106cbffielding <citerefentry>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </citerefentry>,
5beae861ede7eba138c7140f195ae77ba3106cbffielding <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
5beae861ede7eba138c7140f195ae77ba3106cbffielding </refsect1>
5beae861ede7eba138c7140f195ae77ba3106cbffielding <para><corpauthor>Internet Systems Consortium</corpauthor>
5beae861ede7eba138c7140f195ae77ba3106cbffielding </refsect1>
5beae861ede7eba138c7140f195ae77ba3106cbffielding - Local variables:
5beae861ede7eba138c7140f195ae77ba3106cbffielding - mode: sgml