dnssec-settime.docbook revision dcfca6f18d5069155ae50025aaeead0cc8c04730
<!DOCTYPE book PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
 "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"
 [<!ENTITY mdash "—">]>
<!--
 - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-settime.docbook,v 1.8 2010/02/03 01:02:37 each Exp $ -->
<refentryinfo>
</refentryinfo>
<refentrytitle><application>dnssec-settime</application></refentrytitle>
<refname><application>dnssec-settime</application></refname>
<refpurpose>Set the key timing metadata for a DNSSEC key</refpurpose>
<holder>Internet Systems Consortium, Inc. ("ISC")</holder>
</copyright>
<refsynopsisdiv>
<cmdsynopsis>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-E <replaceable class="parameter">engine</replaceable></option></arg>
</cmdsynopsis>
</refsynopsisdiv>
<command>dnssec-settime</command>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <option>-P</option>, <option>-A</option>,
<option>-R</option>, <option>-I</option>, and <option>-D</option>
options. The metadata can then be used by
<command>dnssec-signzone</command> or other signing software to
determine when a key is to be published, whether it should be
used for signing a zone, etc.
If none of these options is set on the command line,
then <command>dnssec-settime</command> simply prints the key timing
metadata already stored in the key.
When key metadata fields are changed, both files of a key
pair (<filename>Knnnn.+aaa+iiiii.key</filename> and
<filename>Knnnn.+aaa+iiiii.private</filename>) are regenerated.
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
<variablelist>
<varlistentry>
Force an update of an old-format key with no metadata fields.
Without this option, <command>dnssec-settime</command> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time.
</varlistentry>
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
Sets the directory in which the key files are to reside.
</varlistentry>
<varlistentry>
Emit usage message and exit.
</varlistentry>
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
Sets the debugging level.
</varlistentry>
<varlistentry>
<term>-E <replaceable class="parameter">engine</replaceable></term>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</varlistentry>
</variablelist>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none'.
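The date/offset rules above, worked through as an added example (not ISC's code and not part of the original page): a small parser that turns an argument into epoch seconds so planned timings can be checked before they are written to a key. The name `parse_when`, reading absolute dates as UTC, and rejecting anything outside the listed forms are assumptions of this sketch.

```python
import re
from datetime import datetime, timezone

# Suffix multipliers in seconds, as defined in the text: a year is 365
# 24-hour days, a month is 30 24-hour days; no suffix means seconds.
UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
         "d": 86400, "h": 3600, "mi": 60, "": 1}
OFFSET_RE = re.compile(r"^([+-])([0-9]+)(y|mo|w|d|h|mi)?$")
DATE_RE = re.compile(r"^(?:[0-9]{8}|[0-9]{14})$")


def parse_when(arg, now):
    """Return epoch seconds for a date/offset argument, or None for 'none'.

    `now` is the reference time in epoch seconds. Absolute dates are read
    as UTC (assumption of this example).
    """
    if arg == "none":
        return None
    m = OFFSET_RE.match(arg)
    if m:
        sign, count, unit = m.group(1), int(m.group(2)), m.group(3) or ""
        delta = count * UNITS[unit]
        return now + delta if sign == "+" else now - delta
    if DATE_RE.match(arg):
        fmt = "%Y%m%d" if len(arg) == 8 else "%Y%m%d%H%M%S"
        # strptime raises ValueError for impossible dates such as 20100231
        dt = datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    raise ValueError(f"not a date, an offset or 'none': {arg!r}")


if __name__ == "__main__":
    now = 1265155200  # constructed reference time: 2010-02-03 00:00:00 UTC
    for arg in ("+1y", "+1mo", "-2w", "+90", "20100203010237", "none"):
        print(arg, parse_when(arg, now))
```

Because a year is fixed at 365 days and a month at 30 days, `+1y` and `+12mo` differ by five days; use absolute dates when a rollover must land on a calendar boundary.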
<variablelist>
<varlistentry>
<term>-P <replaceable class="parameter">date/offset</replaceable></term>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</varlistentry>
<varlistentry>
<term>-A <replaceable class="parameter">date/offset</replaceable></term>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
</varlistentry>
<varlistentry>
<term>-R <replaceable class="parameter">date/offset</replaceable></term>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</varlistentry>
<varlistentry>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</varlistentry>
<varlistentry>
<term>-D <replaceable class="parameter">date/offset</replaceable></term>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</varlistentry>
</variablelist>
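The five timing options above, modelled as an added example (not ISC's code and not part of the original page): it evaluates a key's state at a given instant and finds the moments in a planned rollover at which no key would be signing. The `Timing` class, the function names, the rule that delete and retire take precedence over the other dates, and the sample timeline are assumptions of this sketch, not the signer's actual algorithm.

```python
from dataclasses import dataclass, fields
from typing import Optional


@dataclass
class Timing:
    """Timing metadata of one key in epoch seconds; None means unset."""
    publish: Optional[int] = None    # -P
    activate: Optional[int] = None   # -A
    revoke: Optional[int] = None     # -R
    inactive: Optional[int] = None   # -I (retire)
    delete: Optional[int] = None     # -D


def key_state(t, now):
    """Apply the option descriptions to one key at time `now`."""
    def passed(when):
        return when is not None and now >= when
    # Assumption: delete overrides everything, retire overrides signing.
    in_zone = (passed(t.publish) or passed(t.activate)
               or passed(t.revoke)) and not passed(t.delete)
    signing = (in_zone and (passed(t.activate) or passed(t.revoke))
               and not passed(t.inactive))
    return {"in_zone": in_zone, "signing": signing,
            "revoked": in_zone and passed(t.revoke)}


def signing_gaps(keys, start, end):
    """Return the change points in [start, end] at which no key is signing.

    State only changes at a timing value, so checking `start` and every
    timing value inside the window covers the whole window.
    """
    marks = {start}
    for k in keys:
        for f in fields(k):
            v = getattr(k, f.name)
            if v is not None and start <= v <= end:
                marks.add(v)
    return [m for m in sorted(marks)
            if not any(key_state(k, m)["signing"] for k in keys)]


DAY = 86400
# Constructed rollover: the old key retires on day 30 and is deleted on day 60.
OLD = Timing(publish=0, activate=0, inactive=30 * DAY, delete=60 * DAY)
GOOD_NEW = Timing(publish=20 * DAY, activate=30 * DAY)
LATE_NEW = Timing(publish=20 * DAY, activate=35 * DAY)  # activates 5 days late
```

With these constructed timings, pairing `OLD` with `LATE_NEW` reports day 30 as the start of a window with no signing key, while pairing it with `GOOD_NEW` reports none.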
<command>dnssec-settime</command> can also be used to print the
timing metadata associated with a key.
<variablelist>
<varlistentry>
Print times in UNIX epoch format.
</varlistentry>
<varlistentry>
<term>-p <replaceable class="parameter">C/P/A/R/U/D/all</replaceable></term>
Print a specific metadata value or set of metadata values.
The <option>-p</option> option may be followed by one or more
of the following letters to indicate which value or values to print:
<option>P</option> for the publication date,
<option>A</option> for the activation date,
<option>R</option> for the revocation date,
<option>U</option> for the unpublication date, or
To print all of the metadata, use <option>-p all</option>.
</varlistentry>
</variablelist>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<para><corpauthor>Internet Systems Consortium</corpauthor>
<!--
 - Local variables:
 - mode: sgml
-->