dnssec-settime.docbook revision c5259c013bba297cb0d38b85bd1c83fc26ef268c
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
               "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
               [<!ENTITY mdash "—">]>
 - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-settime.docbook,v 1.10 2010/03/09 03:35:34 marka Exp $ -->
  <refentryinfo>
  </refentryinfo>
    <refentrytitle><application>dnssec-settime</application></refentrytitle>
  <refnamediv>
    <refname><application>dnssec-settime</application></refname>
    <refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>
  </refnamediv>
      <holder>Internet Systems Consortium, Inc. ("ISC")</holder>
    </copyright>
  <refsynopsisdiv>
    <cmdsynopsis>
      <arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
      <arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
      <arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
      <arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
    </cmdsynopsis>
  </refsynopsisdiv>
      reads a DNSSEC private key file and sets the key timing metadata
      as specified by the <option>-P</option>, <option>-A</option>,
      <option>-R</option>, <option>-I</option>, and <option>-D</option>
      options. The metadata can then be used by
      <command>dnssec-signzone</command> or other signing software to
      determine when a key is to be published, whether it should be
      used for signing a zone, etc.

      If none of these options is set on the command line,
      then <command>dnssec-settime</command> simply prints the key timing
      metadata already stored in the key.

      When key metadata fields are changed, both files of a key
      pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
      <filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
      Metadata fields are stored in the private file. A human-readable
      description of the metadata is also placed in comments in the key
    <variablelist>
      <varlistentry>
            Force an update of an old-format key with no metadata fields.
            Without this option, <command>dnssec-settime</command> will
            fail when attempting to update a legacy key. With this option,
            the key will be recreated in the new format, but with the
            original key data retained. The key's creation date will be
            set to the present time.
      </varlistentry>
      <varlistentry>
        <term>-K <replaceable class="parameter">directory</replaceable></term>
            Sets the directory in which the key files are to reside.
      </varlistentry>
      <varlistentry>
            Emit usage message and exit.
      </varlistentry>
      <varlistentry>
        <term>-v <replaceable class="parameter">level</replaceable></term>
            Sets the debugging level.
      </varlistentry>
      <varlistentry>
        <term>-E <replaceable class="parameter">engine</replaceable></term>
            Use the given OpenSSL engine. When compiled with PKCS#11 support
            it defaults to pkcs11; the empty name resets it to no engine.
      </varlistentry>
    </variablelist>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time. For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively. Without a suffix, the offset
      is computed in seconds. To unset a date, use 'none'.
    <variablelist>
      <varlistentry>
        <term>-P <replaceable class="parameter">date/offset</replaceable></term>
            Sets the date on which a key is to be published to the zone.
            After that date, the key will be included in the zone but will
            not be used to sign it.
      </varlistentry>
      <varlistentry>
        <term>-A <replaceable class="parameter">date/offset</replaceable></term>
            Sets the date on which the key is to be activated. After that
            date, the key will be included in the zone and used to sign
      </varlistentry>
      <varlistentry>
        <term>-R <replaceable class="parameter">date/offset</replaceable></term>
            Sets the date on which the key is to be revoked. After that
            date, the key will be flagged as revoked. It will be included
            in the zone and will be used to sign it.
      </varlistentry>
      <varlistentry>
        <term>-I <replaceable class="parameter">date/offset</replaceable></term>
            Sets the date on which the key is to be retired. After that
            date, the key will still be included in the zone, but it
            will not be used to sign it.
      </varlistentry>
      <varlistentry>
        <term>-D <replaceable class="parameter">date/offset</replaceable></term>
            Sets the date on which the key is to be deleted. After that
            date, the key will no longer be included in the zone. (It
            may remain in the key repository, however.)
      </varlistentry>
    </variablelist>
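The date/offset syntax and the effect of each timing option, worked through as an added example (not code from BIND or ISC). The names parse_when, key_state, NOW and SCHEDULE are hypothetical; absolute dates are assumed to be UTC, and key_state is a simplified reading of the option descriptions above that treats a date as passed from that instant onward.

```python
import calendar
import re
import time

# Seconds per suffix, exactly as the page defines them; no suffix = seconds.
UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
         "d": 86400, "h": 3600, "mi": 60, "": 1}

def parse_when(arg, now):
    """Return epoch seconds for a date/offset argument, or None for 'none'."""
    if arg == "none":
        return None
    m = re.fullmatch(r"([+-])(\d+)(y|mo|w|d|h|mi)?", arg)
    if m:
        sign = 1 if m.group(1) == "+" else -1
        return now + sign * int(m.group(2)) * UNITS[m.group(3) or ""]
    if re.fullmatch(r"\d{8}(\d{6})?", arg):
        fmt = "%Y%m%d%H%M%S" if len(arg) == 14 else "%Y%m%d"
        # Assumption: absolute dates are read as UTC.
        return calendar.timegm(time.strptime(arg, fmt))
    raise ValueError(f"not a date/offset: {arg!r}")

def key_state(meta, now):
    """Model of the -P/-A/-R/-I/-D descriptions at time `now` (assumed reading)."""
    def passed(field):
        t = meta.get(field)
        return t is not None and t <= now
    in_zone = (passed("P") or passed("A")) and not passed("D")
    return {"in_zone": in_zone,
            "signing": in_zone and passed("A") and not passed("I"),
            "revoked": passed("R")}

# Constructed schedule, relative to a fixed "present time" of 2010-03-09 UTC.
NOW = calendar.timegm((2010, 3, 9, 0, 0, 0))
SCHEDULE = {opt: parse_when(arg, NOW) for opt, arg in
            {"P": "-1d", "A": "+1d", "R": "none",
             "I": "+1mo", "D": "20100601"}.items()}

if __name__ == "__main__":
    for label, offset in [("now", "+0"), ("+2d", "+2d"), ("+5w", "+5w"),
                          ("+1y", "+1y")]:
        print(label, key_state(SCHEDULE, parse_when(offset, NOW)))
```

Checking a planned rollover against a model like this before writing the metadata shows any window in which no key is signing the zone.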
      <command>dnssec-settime</command> can also be used to print the
      timing metadata associated with a key.
    <variablelist>
      <varlistentry>
            Print times in UNIX epoch format.
      </varlistentry>
      <varlistentry>
        <term>-p <replaceable class="parameter">C/P/A/R/I/D/all</replaceable></term>
            Print a specific metadata value or set of metadata values.
            The <option>-p</option> option may be followed by one or more
            of the following letters to indicate which value or values to print:
            <option>I</option> for the inactivation date, or
            To print all of the metadata, use <option>-p all</option>.
      </varlistentry>
    </variablelist>
        <refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citerefentry>
        <refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
      </citerefentry>,
      <citetitle>BIND 9 Administrator Reference Manual</citetitle>,
    <para><corpauthor>Internet Systems Consortium</corpauthor>
 - Local variables:
 - mode: sgml