dnssec-settime.html revision f8e3e03cacd16ffb923a9603fca23a9e1a1fee07
69fe9aaafdd6a141610e86a777d325db75422070Mark Andrews - Copyright (C) 2009 Internet Systems Consortium, Inc. ("ISC")
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence - Permission to use, copy, modify, and/or distribute this software for any
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - purpose with or without fee is hereby granted, provided that the above
1633838b8255282d10af15c5c84cee5a51466712Bob Halley - copyright notice and this permission notice appear in all copies.
40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
dafcb997e390efa4423883dafd100c975c4095d6Mark Andrews - PERFORMANCE OF THIS SOFTWARE.
9a4ce0c25809073f31226faa6ed94c70474cf363Bob Halley<!-- $Id: dnssec-settime.html,v 1.6 2009/09/15 01:14:41 tbox Exp $ -->
bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
9a4ce0c25809073f31226faa6ed94c70474cf363Bob Halley<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="refentry" lang="en">
9a4ce0c25809073f31226faa6ed94c70474cf363Bob Halley<a name="man.dnssec-settime"></a><div class="titlepage"></div>
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews<p><span class="application">dnssec-settime</span> — Set the key timing metadata for a DNSSEC key</p>
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] {keyfile}</p></div>
9afcd92352224325ed65919f69f7f58282fc6623Andreas Gustafsson<a name="id2543408"></a><h2>DESCRIPTION</h2>
9afcd92352224325ed65919f69f7f58282fc6623Andreas Gustafsson<p><span><strong class="command">dnssec-settime</strong></span>
9afcd92352224325ed65919f69f7f58282fc6623Andreas Gustafsson reads a DNSSEC private key file and sets the key timing metadata
d1dc805692ff816e28849396577affa9b4890e41Andreas Gustafsson as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
9afcd92352224325ed65919f69f7f58282fc6623Andreas Gustafsson <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
9afcd92352224325ed65919f69f7f58282fc6623Andreas Gustafsson options. The metadata can then be used by
9afcd92352224325ed65919f69f7f58282fc6623Andreas Gustafsson <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
9afcd92352224325ed65919f69f7f58282fc6623Andreas Gustafsson determine when a key is to be published, whether it should be
9afcd92352224325ed65919f69f7f58282fc6623Andreas Gustafsson used for signing a zone, etc.
bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley If none of these options is set on the command line,
ab023a65562e62b85a824509d829b6fad87e00b1Rob Austein then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington metadata already stored in the key.
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington When key metadata fields are changed, both files of a key
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
01956482905dd861a9b07d417d469955466b728dDamien Neil Metadata fields are stored in the private file. A human-readable
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil description of the metadata is also placed in comments in the key
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil Force an update of an old-format key with no metadata fields.
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil Without this option, <span><strong class="command">dnssec-settime</strong></span> will
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington fail when attempting to update a legacy key. With this option,
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington the key will be recreated in the new format, but with the
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil original key data retained. The key's creation date will be
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil set to the present time.
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
8f7b56e275abdaaec08ccac32ffc6174841ae60eMichael Graff Sets the directory in which the key files are to reside.
bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley Emit usage message and exit.
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
8f7b56e275abdaaec08ccac32ffc6174841ae60eMichael Graff Sets the debugging level.
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<a name="id2543530"></a><h2>TIMING OPTIONS</h2>
bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley If the argument begins with a '+' or '-', it is interpreted as
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington an offset from the present time. For convenience, if such an offset
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil then the offset is computed in years (defined as 365 24-hour days,
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil ignoring leap years), months (defined as 30 24-hour days), weeks,
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil days, hours, or minutes, respectively. Without a suffix, the offset
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil is computed in seconds. To unset a date, use 'none'.
bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil Sets the date on which a key is to be published to the zone.
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil After that date, the key will be included in the zone but will
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil not be used to sign it.
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
f671a5c51cc59e266620c0c4026b054908fdd80cBob Halley Sets the date on which the key is to be activated. After that
e4b9761b0ef03597c35d1ef1d86e12514c621f90Michael Graff date, the key will be included and the zone and used to sign
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil Sets the date on which the key is to be revoked. After that
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil date, the key will be flagged as revoked. It will be included
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil in the zone and will be used to sign it.
bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley Sets the date on which the key is to be retired. After that
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil date, the key will still be included in the zone, but it
bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley will not be used to sign it.
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington Sets the date on which the key is to be deleted. After that
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington date, the key will no longer be included in the zone. (It
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington may remain in the key repository, however.)
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil<a name="id2543628"></a><h2>PRINTING OPTIONS</h2>
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
e9453d609db9aed9efd2bb4fd287ff3ad11da0b2Damien Neil timing metadata associated with a key.
8f7b56e275abdaaec08ccac32ffc6174841ae60eMichael Graff Print times in UNIX epoch format.
8f7b56e275abdaaec08ccac32ffc6174841ae60eMichael Graff<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/U/D/all</code></em></span></dt>
26d20cd51c968e111b4122536825368a17b5ca82Brian Wellington Print a specific metadata value or set of metadata values.
18d0b5e54be891a1aa938c165b6d439859121ec8Mark Andrews The <code class="option">-p</code> option may be followed by one or more
bf6d2e39124ab3d51c253f7acad9a4abef059be6Bob Halley of the following letters to indicate which value or values to print: