dnssec-settime.html revision 3b0259a9571e91b39929b9306e74c20db07d9101
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
205c10066a0acfeac52d1a135671f41d207b8557Automatic Updater - Copyright (C) 2009-2011, 2014-2017 Internet Systems Consortium, Inc. ("ISC")
0c39b3ed9409ecb277d5e32fa763a4e4d6598df8Automatic Updater - This Source Code Form is subject to the terms of the Mozilla Public
46da3117812814a29432a8d9a9ccf8acdbfdadceAutomatic Updater - License, v. 2.0. If a copy of the MPL was not distributed with this
2bb3422dc683c013db7042f5736240de6b86f182Automatic Updater - file, You can obtain one at http://mozilla.org/MPL/2.0/.
78cb74fab4665da2e2641ba909c6f59f74cc4193Automatic Updater<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
90ff38a0d8deaf5f9c2aa5916d99b2e572d28738Automatic Updater<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
ac4e70ff8955669341f435bc0a734a17c01af124Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry">
6c6a121295b30772cbf3dd75a51fb9d883051a0eAutomatic Updater<a name="man.dnssec-settime"></a><div class="titlepage"></div>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <span class="application">dnssec-settime</span>
96713299d08c0735c18ebe8772dd2cc1ecd4356aAutomatic Updater — set the key timing metadata for a DNSSEC key
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <code class="command">dnssec-settime</code>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
2d2dc37599979c83495510f8af8d1756753aa2c5Automatic Updater [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater <p><span class="command"><strong>dnssec-settime</strong></span>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater reads a DNSSEC private key file and sets the key timing metadata
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews options. The metadata can then be used by
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>dnssec-signzone</strong></span> or other signing software to
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater determine when a key is to be published, whether it should be
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews used for signing a zone, etc.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews If none of these options is set on the command line,
d7a77415c13bb2fc2d1acb857486d97e4466e3b8Automatic Updater then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews metadata already stored in the key.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews When key metadata fields are changed, both files of a key
1a06700908f5a1d9f4a8d51285a0fd971e2f9117Automatic Updater pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
db5b7e2cdf150c46e8242d3e2e3ad3f5c7300258Automatic Updater Metadata fields are stored in the private file. A human-readable
693c4232dfdffaff672197d4b9fea944c64cf80aAutomatic Updater description of the metadata is also placed in comments in the key
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews file. The private file's permissions are always set to be
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater inaccessible to anyone other than the owner (mode 0600).
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater <div class="variablelist"><dl class="variablelist">
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater Force an update of an old-format key with no metadata fields.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
b1265b5a06df36d490d4bdf54284fb133a1f5a84Automatic Updater fail when attempting to update a legacy key. With this option,
9174e44c14b1cb91a651fa1dc29470438c246ab9Automatic Updater the key will be recreated in the new format, but with the
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews original key data retained. The key's creation date will be
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont set to the present time. If no other values are specified,
0c39b3ed9409ecb277d5e32fa763a4e4d6598df8Automatic Updater then the key's publication and activation dates will also
0c39b3ed9409ecb277d5e32fa763a4e4d6598df8Automatic Updater be set to the present time.
f9119ad8f6114b2255e7545bf5cd187f4db0a89bAutomatic Updater<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews Sets the directory in which the key files are to reside.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
418cc932318b1d67f88a36904d88d8a5a0a2ba09Automatic Updater Sets the default TTL to use for this key when it is converted
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews into a DNSKEY RR. If the key is imported into a zone,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews this is the TTL that will be used for it, unless there was
0977f3f39ef6728516be7976452b9122c8f5607aAutomatic Updater already a DNSKEY RRset in place, in which case the existing TTL
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater would take precedence. If this value is not set and there
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews is no existing DNSKEY RRset, the TTL will default to the
0c39b3ed9409ecb277d5e32fa763a4e4d6598df8Automatic Updater SOA TTL. Setting the default TTL to <code class="literal">0</code>
0c39b3ed9409ecb277d5e32fa763a4e4d6598df8Automatic Updater or <code class="literal">none</code> removes it from the key.
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater Emit usage message and exit.
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews Prints version information.
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater Sets the debugging level.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
0df8ead472f207020f8da22a185fe4b945248ab8Automatic Updater Specifies the cryptographic hardware to use, when applicable.
0ce87e5749aabb8eef1e0a37e4bd6e6ffa1d7196Automatic Updater When BIND is built with OpenSSL PKCS#11 support, this defaults
0df8ead472f207020f8da22a185fe4b945248ab8Automatic Updater to the string "pkcs11", which identifies an OpenSSL engine
2bb3422dc683c013db7042f5736240de6b86f182Automatic Updater that can drive a cryptographic accelerator or hardware service
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater module. When BIND is built with native PKCS#11 cryptography
c453a50776145e9c1c3fc9c846cfa11f42505081Automatic Updater (--enable-native-pkcs11), it defaults to the path of the PKCS#11
3b6e4c84a525b0b3fc9e8affd8bb9fa5c000345fAutomatic Updater provider library specified via "--with-pkcs11".
0df8ead472f207020f8da22a185fe4b945248ab8Automatic Updater<a name="id-1.9"></a><h2>TIMING OPTIONS</h2>
bc0a53583d92309bebcf93c408e2f3247ebd3d3cAutomatic Updater Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater If the argument begins with a '+' or '-', it is interpreted as
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater an offset from the present time. For convenience, if such an offset
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater then the offset is computed in years (defined as 365 24-hour days,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater ignoring leap years), months (defined as 30 24-hour days), weeks,
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater days, hours, or minutes, respectively. Without a suffix, the offset
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater is computed in seconds. To unset a date, use 'none' or 'never'.
c453a50776145e9c1c3fc9c846cfa11f42505081Automatic Updater <div class="variablelist"><dl class="variablelist">
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater Sets the date on which a key is to be published to the zone.
7f94d9a8162c9a96b56e66176702b66e79d8e1a2Automatic Updater After that date, the key will be included in the zone but will
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater not be used to sign it.
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Sets the date on which CDS and CDNSKEY records that match this
7262eb86f2b465822206122921e2f357218f0cfdAutomatic Updater key are to be published to the zone.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
4cda4fd158d6ded5586bacea8c388445d99611eaAutomatic Updater Sets the date on which the key is to be activated. After that
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews date, the key will be included in the zone and used to sign
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Sets the date on which the key is to be revoked. After that
c453a50776145e9c1c3fc9c846cfa11f42505081Automatic Updater date, the key will be flagged as revoked. It will be included
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews in the zone and will be used to sign it.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater Sets the date on which the key is to be retired. After that
995eaa289ba9709c64ef89b3776e53c36adc0010Automatic Updater date, the key will still be included in the zone, but it
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater will not be used to sign it.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
bf9b61c7904437745aeeb0f7d5036b35dad2a8a5Automatic Updater Sets the date on which the key is to be deleted. After that
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater date, the key will no longer be included in the zone. (It
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updater may remain in the key repository, however.)
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
48b36fa08b2b5bc0d552dc2a4425b3f7007b3d59Automatic Updater Sets the date on which the CDS and CDNSKEY records that match this
0ce87e5749aabb8eef1e0a37e4bd6e6ffa1d7196Automatic Updater key are to be deleted.
3857cb6fcabeb79d85de4b3e3e4ab99912b701f8Mark Andrews<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Select a key for which the key being modified will be an
9174e44c14b1cb91a651fa1dc29470438c246ab9Automatic Updater explicit successor. The name, algorithm, size, and type of the
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson predecessor key must exactly match those of the key being
e2caa7536302de34de6cc04025abcd53dc3a499aAutomatic Updater modified. The activation date of the successor key will be set
56e7dc0c24b04210dcbffb180a9e35644fb820daAutomatic Updater to the inactivation date of the predecessor. The publication
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater date will be set to the activation date minus the prepublication
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews interval, which defaults to 30 days.
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews Sets the prepublication interval for a key. If set, then
b109432c3a939bff66a463be86c371bd88efe3aaAutomatic Updater the publication and activation dates must be separated by at least
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater this much time. If the activation date is specified but the
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews publication date isn't, then the publication date will default
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews to this much time before the activation date; conversely, if
3351ccbd5c1961404044f8273d54dad405f53960Mark Andrews the publication date is specified but activation date isn't,
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater then activation will be set to this much time after publication.
3351ccbd5c1961404044f8273d54dad405f53960Mark Andrews If the key is being set to be an explicit successor to another
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater key, then the default prepublication interval is 30 days;
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews otherwise it is zero.
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater As with date offsets, if the argument is followed by one of
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater interval is measured in years, months, weeks, days, hours,
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater or minutes, respectively. Without a suffix, the interval is
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater measured in seconds.
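The date/offset and interval rules above, together with the -S and -i defaults, worked through as an added example (not part of the BIND sources or of this man page). The function names are hypothetical, and reading absolute dates as UTC is an assumption the text does not state.

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per suffix, as defined in TIMING OPTIONS ("" = no suffix = seconds).
UNIT = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
        "d": 86400, "h": 3600, "mi": 60, "": 1}
SUFFIX = r"(y|mo|w|d|h|mi)?"

def parse_interval(arg):
    """Seconds for an -i style interval such as '30d' or '3600'."""
    m = re.fullmatch(r"(\d+)" + SUFFIX, arg)
    if not m:
        raise ValueError(f"bad interval: {arg!r}")
    return int(m.group(1)) * UNIT[m.group(2) or ""]

def parse_time(arg, now):
    """Resolve a date/offset argument; None means the date is unset."""
    if arg in ("none", "never"):
        return None
    if arg[:1] in ("+", "-"):
        delta = timedelta(seconds=parse_interval(arg[1:]))
        return now + delta if arg[0] == "+" else now - delta
    fmt = {8: "%Y%m%d", 14: "%Y%m%d%H%M%S"}.get(len(arg))
    if fmt is None or not arg.isdigit():
        raise ValueError(f"bad date: {arg!r}")
    # Assumption: absolute dates are read as UTC.
    return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)

def successor_times(pred_inactive, interval="30d"):
    """-S: activate at the predecessor's inactivation, publish earlier."""
    activate = pred_inactive
    publish = activate - timedelta(seconds=parse_interval(interval))
    return publish, activate

def prepublication_ok(publish, activate, interval):
    """-i: publication and activation must be at least `interval` apart."""
    gap = (activate - publish).total_seconds()
    return gap >= parse_interval(interval)

if __name__ == "__main__":
    now = datetime(2017, 1, 1, tzinfo=timezone.utc)  # constructed "present time"
    for arg in ("+1mo", "-1y", "+3600", "20170315", "never"):
        print(f"{arg:>10} -> {parse_time(arg, now)}")
    pub, act = successor_times(parse_time("20170315", now))
    print("successor publish", pub, "activate", act)
    print("7d gap satisfies -i 30d?",
          prepublication_ok(act - timedelta(days=7), act, "30d"))
```

Because a year is fixed at 365 days, "-1y" from 1 January 2017 resolves to 2 January 2016 rather than 1 January, which matters when a rollover schedule is checked against calendar dates.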
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater<a name="id-1.10"></a><h2>PRINTING OPTIONS</h2>
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater <span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater timing metadata associated with a key.
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater <div class="variablelist"><dl class="variablelist">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Print times in UNIX epoch format.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Print a specific metadata value or set of metadata values.
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews The <code class="option">-p</code> option may be followed by one or more
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews of the following letters or strings to indicate which value
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews or values to print:
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <code class="option">C</code> for the creation date,
06f5acb11f1c32228d93eefd1eb841dbfb1c7f4dAutomatic Updater <code class="option">P</code> for the publication date,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater <code class="option">Psync</code> for the CDS and CDNSKEY publication date,
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater <code class="option">A</code> for the activation date,
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater <code class="option">R</code> for the revocation date,
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <code class="option">I</code> for the inactivation date,
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater <code class="option">D</code> for the deletion date, and
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews <code class="option">Dsync</code> for the CDS and CDNSKEY deletion date
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews To print all of the metadata, use <code class="option">-p all</code>.
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater <span class="refentrytitle">dnssec-keygen</span>(8)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="refentrytitle">dnssec-signzone</span>(8)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <em class="citetitle">BIND 9 Administrator Reference Manual</em>,