dnssec-settime.html revision a3f8c8e20780e488141d200acdfea6c5f3303513
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater - Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt - purpose with or without fee is hereby granted, provided that the above
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt - copyright notice and this permission notice appear in all copies.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
bef75d63d74f58abc0f834ed271526672777ba29Automatic Updater - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt - PERFORMANCE OF THIS SOFTWARE.
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater<!-- $Id: dnssec-settime.html,v 1.15 2011/03/18 01:14:33 tbox Exp $ -->
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<a name="man.dnssec-settime"></a><div class="titlepage"></div>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<p><span class="application">dnssec-settime</span> — Set the key timing metadata for a DNSSEC key</p>
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater<a name="id2543431"></a><h2>DESCRIPTION</h2>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<p><span><strong class="command">dnssec-settime</strong></span>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater reads a DNSSEC private key file and sets the key timing metadata
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater options. The metadata can then be used by
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater determine when a key is to be published, whether it should be
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater used for signing a zone, etc.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt If none of these options is set on the command line,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt metadata already stored in the key.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater When key metadata fields are changed, both files of a key
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Metadata fields are stored in the private file. A human-readable
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater description of the metadata is also placed in comments in the key
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Force an update of an old-format key with no metadata fields.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Without this option, <span><strong class="command">dnssec-settime</strong></span> will
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater fail when attempting to update a legacy key. With this option,
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater the key will be recreated in the new format, but with the
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater original key data retained. The key's creation date will be
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater set to the present time.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the directory in which the key files are to reside.
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater Sets the default TTL to use for this key when it is converted
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater into a DNSKEY RR. If the key is imported into a zone,
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater this is the TTL that will be used for it, unless there was
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater already a DNSKEY RRset in place, in which case the existing TTL
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater would take precedence. Setting the default TTL to
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater <code class="literal">0</code> or <code class="literal">none</code> removes it.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Emit usage message and exit.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Sets the debugging level.
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
8ec3c085233cedb22b05da36e2773c8f357a7e45Automatic Updater Use the given OpenSSL engine. When compiled with PKCS#11 support
64affc54f96a2c71cbd10ed71e246ce0746259aaAutomatic Updater it defaults to pkcs11; the empty name resets it to no engine.
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater<a name="id2543594"></a><h2>TIMING OPTIONS</h2>
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater If the argument begins with a '+' or '-', it is interpreted as
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater an offset from the present time. For convenience, if such an offset
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater then the offset is computed in years (defined as 365 24-hour days,
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater ignoring leap years), months (defined as 30 24-hour days), weeks,
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater days, hours, or minutes, respectively. Without a suffix, the offset
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater is computed in seconds. To unset a date, use 'none'.
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the date on which a key is to be published to the zone.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt After that date, the key will be included in the zone but will
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt not be used to sign it.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the date on which the key is to be activated. After that
5a24d24c8fba3480d707c0c902379ddb36501e12Automatic Updater date, the key will be included in the zone and used to sign
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the date on which the key is to be revoked. After that
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt date, the key will be flagged as revoked. It will be included
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt in the zone and will be used to sign it.
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater Sets the date on which the key is to be retired. After that
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater date, the key will still be included in the zone, but it
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater will not be used to sign it.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt Sets the date on which the key is to be deleted. After that
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater date, the key will no longer be included in the zone. (It
f8e3e03cacd16ffb923a9603fca23a9e1a1fee07Automatic Updater may remain in the key repository, however.)
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater Select a key for which the key being modified will be an
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater explicit successor. The name, algorithm, size, and type of the
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater predecessor key must exactly match those of the key being
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater modified. The activation date of the successor key will be set
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater to the inactivation date of the predecessor. The publication
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater date will be set to the activation date minus the prepublication
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater interval, which defaults to 30 days.
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater Sets the prepublication interval for a key. If set, then
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater the publication and activation dates must be separated by at least
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater this much time. If the activation date is specified but the
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater publication date isn't, then the publication date will default
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater to this much time before the activation date; conversely, if
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater the publication date is specified but activation date isn't,
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater then activation will be set to this much time after publication.
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater If the key is being set to be an explicit successor to another
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater key, then the default prepublication interval is 30 days;
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater otherwise it is zero.
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater As with date offsets, if the argument is followed by one of
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater interval is measured in years, months, weeks, days, hours,
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater or minutes, respectively. Without a suffix, the interval is
3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892Automatic Updater measured in seconds.
a3f8c8e20780e488141d200acdfea6c5f3303513Automatic Updater<a name="id2543733"></a><h2>PRINTING OPTIONS</h2>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater timing metadata associated with a key.
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater Print times in UNIX epoch format.
83f43b00a50c9c932c81691a3828041643a0d6f6Automatic Updater<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater Print a specific metadata value or set of metadata values.
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater The <code class="option">-p</code> option may be followed by one or more
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater of the following letters to indicate which value or values to print:
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <code class="option">C</code> for the creation date,
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <code class="option">P</code> for the publication date,
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <code class="option">A</code> for the activation date,
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater <code class="option">R</code> for the revocation date,
83f43b00a50c9c932c81691a3828041643a0d6f6Automatic Updater <code class="option">I</code> for the inactivation date, or
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater <code class="option">D</code> for the deletion date.
2895f101b5585a19015ac2c2c1e1812ac467fa12Automatic Updater To print all of the metadata, use <code class="option">-p all</code>.
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
0a7ed88633a680bb881868b75ded4d09a7bbbc50Automatic Updater <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
553ead32ff5b00284e574dcabc39115d4d74ec66Evan Hunt<p><span class="corpauthor">Internet Systems Consortium</span>