dnssec-settime.html revision a3f8c8e20780e488141d200acdfea6c5f3303513
 - Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<!-- $Id: dnssec-settime.html,v 1.15 2011/03/18 01:14:33 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<p><span class="application">dnssec-settime</span> — Set the key timing metadata for a DNSSEC key</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
<p><span><strong class="command">dnssec-settime</strong></span>
 reads a DNSSEC private key file and sets the key timing metadata
 as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
 <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
 options. The metadata can then be used by
 <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
 determine when a key is to be published, whether it should be
 used for signing a zone, etc.
 If none of these options is set on the command line,
 then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
 metadata already stored in the key.
 When key metadata fields are changed, both files of a key
 pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
 <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
 Metadata fields are stored in the private file. A human-readable
 description of the metadata is also placed in comments in the key
 Force an update of an old-format key with no metadata fields.
 Without this option, <span><strong class="command">dnssec-settime</strong></span> will
 fail when attempting to update a legacy key. With this option,
 the key will be recreated in the new format, but with the
 original key data retained. The key's creation date will be
 set to the present time.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which the key files are to reside.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
 Emit usage message and exit.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 Use the given OpenSSL engine. When compiled with PKCS#11 support
 it defaults to pkcs11; the empty name resets it to no engine.
<a name="id2543594"></a><h2>TIMING OPTIONS</h2>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To unset a date, use 'none'.
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it.
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
 Select a key for which the key being modified will be an
 explicit successor. The name, algorithm, size, and type of the
 predecessor key must exactly match those of the key being
 modified. The activation date of the successor key will be set
 to the inactivation date of the predecessor. The publication
 date will be set to the activation date minus the prepublication
 interval, which defaults to 30 days.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 Sets the prepublication interval for a key. If set, then
 the publication and activation dates must be separated by at least
 this much time. If the activation date is specified but the
 publication date isn't, then the publication date will default
 to this much time before the activation date; conversely, if
 the publication date is specified but the activation date isn't,
 then activation will be set to this much time after publication.
 If the key is being set to be an explicit successor to another
 key, then the default prepublication interval is 30 days;
 otherwise it is zero.
 As with date offsets, if the argument is followed by one of
 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
 interval is measured in years, months, weeks, days, hours,
 or minutes, respectively. Without a suffix, the interval is
 measured in seconds.
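<p>The following Python example is added here and is not code from BIND or ISC. It resolves date/offset arguments using the unit lengths defined above, derives a successor key's publication and activation dates as described for <code class="option">-S</code> and <code class="option">-i</code>, and reports the role of each key at points in a rollover so that a signing gap would be visible. The function names, the UTC interpretation of dates, the precedence order D, I, R, A, P and the sample dates are assumptions of the example.</p>

```python
from datetime import datetime, timedelta, timezone

# Unit lengths as the page defines them: a year is 365 days, a month is 30 days.
UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
         "d": 86400, "h": 3600, "mi": 60, "": 1}

def parse_interval(text):
    """Seconds in '30d', '2w', '3600' ... (no suffix means seconds)."""
    digits = text.rstrip("abcdefghijklmnopqrstuvwxyz")
    suffix = text[len(digits):]
    if not digits.isdigit() or suffix not in UNITS:
        raise ValueError(f"bad interval: {text!r}")
    return int(digits) * UNITS[suffix]

def parse_when(text, now):
    """Resolve a date/offset argument; 'none' (unset) becomes None."""
    if text == "none":
        return None
    if text[:1] in ("+", "-"):
        delta = timedelta(seconds=parse_interval(text[1:]))
        return now + delta if text[0] == "+" else now - delta
    fmt = {8: "%Y%m%d", 14: "%Y%m%d%H%M%S"}.get(len(text))
    if fmt is None or not text.isdigit():
        raise ValueError(f"bad date: {text!r}")
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)  # UTC assumed

def successor_times(pred_inactive, prepub="30d"):
    """-S rule: activate at the predecessor's inactivation, publish prepub earlier."""
    return pred_inactive - timedelta(seconds=parse_interval(prepub)), pred_inactive

def key_role(meta, t):
    """Role at time t; precedence D > I > R > A > P is this example's assumption."""
    for field, role in (("D", "removed"), ("I", "published, not signing"),
                        ("R", "revoked, signing"), ("A", "published, signing"),
                        ("P", "published, not signing")):
        if meta.get(field) is not None and t >= meta[field]:
            return role
    return "not in zone"

if __name__ == "__main__":
    now = datetime(2011, 6, 15, tzinfo=timezone.utc)        # constructed "present"
    old = {"P": parse_when("20110101", now), "A": parse_when("20110101", now),
           "I": parse_when("20110701", now), "D": parse_when("20110801", now)}
    pub, act = successor_times(old["I"])                    # default 30 days
    new = {"P": pub, "A": act}
    for t in (now, old["I"], parse_when("+2mo", now)):
        print(t.date(), "| old:", key_role(old, t), "| new:", key_role(new, t))
```

<p>Because the successor's activation date equals the predecessor's inactivation date, exactly one of the two keys signs at every instant of the constructed timeline, and the successor is already published for the full prepublication interval before it starts signing.</p>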
<a name="id2543733"></a><h2>PRINTING OPTIONS</h2>
 <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
 timing metadata associated with a key.
 Print times in UNIX epoch format.
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
 Print a specific metadata value or set of metadata values.
 The <code class="option">-p</code> option may be followed by one or more
 of the following letters to indicate which value or values to print:
 <code class="option">C</code> for the creation date,
 <code class="option">P</code> for the publication date,
 <code class="option">A</code> for the activation date,
 <code class="option">R</code> for the revocation date,
 <code class="option">I</code> for the inactivation date, or
 <code class="option">D</code> for the deletion date.
 To print all of the metadata, use <code class="option">-p all</code>.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>