bin/dnssec/dnssec-settime.html

	dnssec-settime.html revision 3acf5eb97cebc2ba868e6ac4a4e01e6d1be0c892
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<!--
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - Copyright (C) 2009, 2010 Internet Systems Consortium, Inc. ("ISC")
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin -
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin - Permission to use, copy, modify, and/or distribute this software for any
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - purpose with or without fee is hereby granted, provided that the above
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - copyright notice and this permission notice appear in all copies.
7c2fbfb345896881c631598ee3852ce9ce33fb07April Chin -
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin - PERFORMANCE OF THIS SOFTWARE.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin-->
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<!-- $Id: dnssec-settime.html,v 1.14 2010/08/17 01:15:26 tbox Exp $ -->
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<html>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<head>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<title>dnssec-settime</title>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin</head>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="man.dnssec-settime"></a><div class="titlepage"></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="refnamediv">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<h2>Name</h2>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin</div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="refsynopsisdiv">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<h2>Synopsis</h2>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code>  [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin</div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="refsect1" lang="en">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="id2543419"></a><h2>DESCRIPTION</h2>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<p><span><strong class="command">dnssec-settime</strong></span>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      reads a DNSSEC private key file and sets the key timing metadata
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      options.  The metadata can then be used by
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      determine when a key is to be published, whether it should be
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      used for signing a zone, etc.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin    </p>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<p>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      If none of these options is set on the command line,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      metadata already stored in the key.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin    </p>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<p>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      When key metadata fields are changed, both files of a key
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      Metadata fields are stored in the private file.  A human-readable
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      description of the metadata is also placed in comments in the key
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      file.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin    </p>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin</div>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="refsect1" lang="en">
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<a name="id2543467"></a><h2>OPTIONS</h2>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<div class="variablelist"><dl>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="term">-f</span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dd><p>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin        Force an update of an old-format key with no metadata fields.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin            Without this option, <span><strong class="command">dnssec-settime</strong></span> will
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin            fail when attempting to update a legacy key.  With this option,
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin            the key will be recreated in the new format, but with the
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin            original key data retained.  The key's creation date will be
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin            set to the present time.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      </p></dd>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dd><p>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin            Sets the directory in which the key files are to reside.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin          </p></dd>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="term">-h</span></dt>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dd><p>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin        Emit usage message and exit.
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin      </p></dd>
da2e3ebdc1edfbc5028edf1354e7dd2fa69a7968chin<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
            Sets the debugging level.
          </p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
            Use the given OpenSSL engine. When compiled with PKCS#11 support
            it defaults to pkcs11; the empty name resets it to no engine.
          </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543559"></a><h2>TIMING OPTIONS</h2>
<p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time.  For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively.  Without a suffix, the offset
      is computed in seconds.  To unset a date, use 'none'.
    </p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which a key is to be published to the zone.
            After that date, the key will be included in the zone but will
            not be used to sign it.
          </p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be activated.  After that
            date, the key will be included in the zone and used to sign
            it.
          </p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be revoked.  After that
            date, the key will be flagged as revoked.  It will be included
            in the zone and will be used to sign it.
          </p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be retired.  After that
            date, the key will still be included in the zone, but it
            will not be used to sign it.
          </p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
            Sets the date on which the key is to be deleted.  After that
            date, the key will no longer be included in the zone.  (It
            may remain in the key repository, however.)
          </p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
            Select a key for which the key being modified will be an
            explicit successor.  The name, algorithm, size, and type of the
            predecessor key must exactly match those of the key being
            modified.  The activation date of the successor key will be set
            to the inactivation date of the predecessor.  The publication
            date will be set to the activation date minus the prepublication
            interval, which defaults to 30 days.
          </p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
            Sets the prepublication interval for a key.  If set, then
            the publication and activation dates must be separated by at least
            this much time.  If the activation date is specified but the
            publication date isn't, then the publication date will default
            to this much time before the activation date; conversely, if
            the publication date is specified but activation date isn't,
            then activation will be set to this much time after publication.
          </p>
<p>
            If the key is being set to be an explicit successor to another
            key, then the default prepublication interval is 30 days;
            otherwise it is zero.
          </p>
<p>
            As with date offsets, if the argument is followed by one of
            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
            interval is measured in years, months, weeks, days, hours,
            or minutes, respectively.  Without a suffix, the interval is
            measured in seconds.
          </p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543698"></a><h2>PRINTING OPTIONS</h2>
<p>
      <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
      timing metadata associated with a key.
    </p>
<div class="variablelist"><dl>
<dt><span class="term">-u</span></dt>
<dd><p>
        Print times in UNIX epoch format.
      </p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
<dd><p>
        Print a specific metadata value or set of metadata values.
            The <code class="option">-p</code> option may be followed by one or more
            of the following letters to indicate which value or values to print:
            <code class="option">C</code> for the creation date,
            <code class="option">P</code> for the publication date,
            <code class="option">A</code> for the activation date,
            <code class="option">R</code> for the revocation date,
            <code class="option">I</code> for the inactivation date, or
            <code class="option">D</code> for the deletion date.
            To print all of the metadata, use <code class="option">-p all</code>.
      </p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2543912"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
      <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 5011</em>.
    </p>
</div>
<div class="refsect1" lang="en">
<a name="id2543945"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
    </p>
</div>
</div></body>
</html>