man.dnssec-keygen.html revision bbbf2e27d3a981163dab139497d6b2dc85449db0
842ae4bd224140319ae7feec1872b93dfd491143fielding - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
842ae4bd224140319ae7feec1872b93dfd491143fielding - Copyright (C) 2000-2003 Internet Software Consortium.
842ae4bd224140319ae7feec1872b93dfd491143fielding - Permission to use, copy, modify, and/or distribute this software for any
842ae4bd224140319ae7feec1872b93dfd491143fielding - purpose with or without fee is hereby granted, provided that the above
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding - copyright notice and this permission notice appear in all copies.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
ce9621257ef9e54c1bbe5ad8a5f445a1f211c2dcnd - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding - PERFORMANCE OF THIS SOFTWARE.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<!-- $Id$ -->
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<link rel="prev" href="man.dnssec-keyfromlabel.html" title="dnssec-keyfromlabel">
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<link rel="next" href="man.dnssec-revoke.html" title="dnssec-revoke">
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
b8dd12594991e5c275d82fca865d13c5f9775f4efielding<tr><th colspan="3" align="center"><span class="application">dnssec-keygen</span></th></tr>
be3223a6a18d9a3a3cf7155d5430a5d92bcddceegstein<a accesskey="p" href="man.dnssec-keyfromlabel.html">Prev</a>�</td>
cccd31fa4a72fe23cc3249c06db181b274a55a69gstein<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-revoke.html">Next</a>
d4df29f26b7bda144ffc4c2e0d2965a7d86207e9rbb<a name="man.dnssec-keygen"></a><div class="titlepage"></div>
be3223a6a18d9a3a3cf7155d5430a5d92bcddceegstein<p><span class="application">dnssec-keygen</span> — DNSSEC key generation tool</p>
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<div class="cmdsynopsis"><p><code class="command">dnssec-keygen</code> [<code class="option">-a <em class="replaceable"><code>algorithm</code></em></code>] [<code class="option">-b <em class="replaceable"><code>keysize</code></em></code>] [<code class="option">-n <em class="replaceable"><code>nametype</code></em></code>] [<code class="option">-3</code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-C</code>] [<code class="option">-c <em class="replaceable"><code>class</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] [<code class="option">-f <em class="replaceable"><code>flag</code></em></code>] [<code class="option">-G</code>] [<code class="option">-g <em class="replaceable"><code>generator</code></em></code>] [<code class="option">-h</code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-k</code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-p <em class="replaceable"><code>protocol</code></em></code>] [<code class="option">-q</code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-r <em class="replaceable"><code>randomdev</code></em></code>] [<code class="option">-S <em class="replaceable"><code>key</code></em></code>] [<code class="option">-s <em class="replaceable"><code>strength</code></em></code>] [<code class="option">-t <em class="replaceable"><code>type</code></em></code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-z</code>] {name}</p></div>
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<p><span><strong class="command">dnssec-keygen</strong></span>
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding and RFC 4034. It can also generate keys for use with
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding TSIG (Transaction Signatures) as defined in RFC 2845, or TKEY
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding (Transaction Key) as defined in RFC 2930.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding The <code class="option">name</code> of the key is specified on the command
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding line. For DNSSEC keys, this must match the name of the zone for
edd066ff15b401bdda270704bc982029586ff8c2jwoolley which the key is being generated.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<dt><span class="term">-a <em class="replaceable"><code>algorithm</code></em></span></dt>
bfb54bd96690887dcdf184fd9083c2e167898ce2nd Selects the cryptographic algorithm. For DNSSEC keys, the value
ef7e63639347988498cc18f4beda85e73146cb28bnicholes of <code class="option">algorithm</code> must be one of RSAMD5, RSASHA1,
bfb54bd96690887dcdf184fd9083c2e167898ce2nd DSA, NSEC3RSASHA1, NSEC3DSA, RSASHA256, RSASHA512, ECCGOST,
bfb54bd96690887dcdf184fd9083c2e167898ce2nd ECDSAP256SHA256 or ECDSAP384SHA384.
bfb54bd96690887dcdf184fd9083c2e167898ce2nd be DH (Diffie Hellman), HMAC-MD5, HMAC-SHA1, HMAC-SHA224,
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding HMAC-SHA256, HMAC-SHA384, or HMAC-SHA512. These values are
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding case insensitive.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding If no algorithm is specified, then RSASHA1 will be used by
ef7e63639347988498cc18f4beda85e73146cb28bnicholes default, unless the <code class="option">-3</code> option is specified,
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding in which case NSEC3RSASHA1 will be used instead. (If
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding <code class="option">-3</code> is used and an algorithm is specified,
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding that algorithm will be checked for compatibility with NSEC3.)
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding Note 1: that for DNSSEC, RSASHA1 is a mandatory to implement
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding algorithm, and DSA is recommended. For TSIG, HMAC-MD5 is
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding Note 2: DH, HMAC-MD5, and HMAC-SHA1 through HMAC-SHA512
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding automatically set the -T KEY option.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<dt><span class="term">-b <em class="replaceable"><code>keysize</code></em></span></dt>
7cc9511b8f1fff69439041327dc55e3423ccf439stoddard Specifies the number of bits in the key. The choice of key
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding size depends on the algorithm used. RSA keys must be
7cc9511b8f1fff69439041327dc55e3423ccf439stoddard between 512 and 2048 bits. Diffie Hellman keys must be between
7cc9511b8f1fff69439041327dc55e3423ccf439stoddard 128 and 4096 bits. DSA keys must be between 512 and 1024
7cc9511b8f1fff69439041327dc55e3423ccf439stoddard bits and an exact multiple of 64. HMAC keys must be
7cc9511b8f1fff69439041327dc55e3423ccf439stoddard between 1 and 512 bits. Elliptic curve algorithms don't need
e8f95a682820a599fe41b22977010636be5c2717jim this parameter.
7cc9511b8f1fff69439041327dc55e3423ccf439stoddard The key size does not need to be specified if using a default
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding algorithm. The default key size is 1024 bits for zone signing
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding keys (ZSK's) and 2048 bits for key signing keys (KSK's,
1ccd992d37d62c8cb2056126f2234f64ec189bfddougm generated with <code class="option">-f KSK</code>). However, if an
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding algorithm is explicitly specified with the <code class="option">-a</code>,
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding then there is no default key size, and the <code class="option">-b</code>
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding must be used.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<dt><span class="term">-n <em class="replaceable"><code>nametype</code></em></span></dt>
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding Specifies the owner type of the key. The value of
563fa6715f6ad5703d30354644d61968a8460804wrowe <code class="option">nametype</code> must either be ZONE (for a DNSSEC
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding zone key (KEY/DNSKEY)), HOST or ENTITY (for a key associated with
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding a host (KEY)),
10a4cdd68ef1ca0e54af296fe1d08ac00150c90bwrowe USER (for a key associated with a user(KEY)) or OTHER (DNSKEY).
d4df29f26b7bda144ffc4c2e0d2965a7d86207e9rbb These values are case insensitive. Defaults to ZONE for DNSKEY
296a81701dd29b7e347a73eef3e71a65fc957106sf generation.
58fd79b56eb624bf011772994e9761d3c2e228c1orlikowski Use an NSEC3-capable algorithm to generate a DNSSEC key.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding If this option is used and no algorithm is explicitly
066877f1a045103acfdd376d48cdd473c33f409bdougm set on the command line, NSEC3RSASHA1 will be used by
ad801800f52dce3b0dcca793042b75ddec00e92fbnicholes default. Note that RSASHA256, RSASHA512, ECCGOST,
ef7e63639347988498cc18f4beda85e73146cb28bnicholes ECDSAP256SHA256 and ECDSAP384SHA384 algorithms
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding are NSEC3-capable.
ad801800f52dce3b0dcca793042b75ddec00e92fbnicholes Compatibility mode: generates an old-style key, without
bfb54bd96690887dcdf184fd9083c2e167898ce2nd any metadata. By default, <span><strong class="command">dnssec-keygen</strong></span>
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding will include the key's creation date in the metadata stored
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding with the private key, and other dates may be set there as well
066877f1a045103acfdd376d48cdd473c33f409bdougm (publication date, activation date, etc). Keys that include
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding this data may be incompatible with older versions of BIND; the
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding <code class="option">-C</code> option suppresses them.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<dt><span class="term">-c <em class="replaceable"><code>class</code></em></span></dt>
db3fa7db7c7910f2f23c3e3ffe0cf9f41a1899b9trawick Indicates that the DNS record containing the key should have
066877f1a045103acfdd376d48cdd473c33f409bdougm the specified class. If not specified, class IN is used.
066877f1a045103acfdd376d48cdd473c33f409bdougm<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
d4df29f26b7bda144ffc4c2e0d2965a7d86207e9rbb Specifies the cryptographic hardware to use, when applicable.
066877f1a045103acfdd376d48cdd473c33f409bdougm When BIND is built with OpenSSL PKCS#11 support, this defaults
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding to the string "pkcs11", which identifies an OpenSSL engine
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding that can drive a cryptographic accelerator or hardware service
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding module. When BIND is built with native PKCS#11 cryptography
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding (--enable-native-pkcs11), it defaults to the path of the PKCS#11
ad801800f52dce3b0dcca793042b75ddec00e92fbnicholes provider library specified via "--with-pkcs11".
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<dt><span class="term">-f <em class="replaceable"><code>flag</code></em></span></dt>
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding Set the specified flag in the flag field of the KEY/DNSKEY record.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding The only recognized flags are KSK (Key Signing Key) and REVOKE.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding Generate a key, but do not publish it or sign with it. This
8707eafa84c6aab4b02a6218ea43e60504b954f1wrowe option is incompatible with -P and -A.
ef7e63639347988498cc18f4beda85e73146cb28bnicholes<dt><span class="term">-g <em class="replaceable"><code>generator</code></em></span></dt>
ea283513d76eccfc30ee79bc031188e2c2b12b0cbnicholes If generating a Diffie Hellman key, use this generator.
ea283513d76eccfc30ee79bc031188e2c2b12b0cbnicholes Allowed values are 2 and 5. If no generator
8707eafa84c6aab4b02a6218ea43e60504b954f1wrowe is specified, a known prime from RFC 2539 will be used
8707eafa84c6aab4b02a6218ea43e60504b954f1wrowe if possible; otherwise the default is 2.
1ccd992d37d62c8cb2056126f2234f64ec189bfddougm Prints a short summary of the options and arguments to
edd066ff15b401bdda270704bc982029586ff8c2jwoolley <span><strong class="command">dnssec-keygen</strong></span>.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
296a81701dd29b7e347a73eef3e71a65fc957106sf Sets the directory in which the key files are to be written.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding Deprecated in favor of -T KEY.
563fa6715f6ad5703d30354644d61968a8460804wrowe<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
066877f1a045103acfdd376d48cdd473c33f409bdougm Sets the default TTL to use for this key when it is converted
ad801800f52dce3b0dcca793042b75ddec00e92fbnicholes into a DNSKEY RR. If the key is imported into a zone,
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding this is the TTL that will be used for it, unless there was
db3fa7db7c7910f2f23c3e3ffe0cf9f41a1899b9trawick already a DNSKEY RRset in place, in which case the existing TTL
b7a97b0024575459fe2534c51867411358834501martin would take precedence. Setting the default TTL to
9bd28994e3e77b7e68a1c0aa4b8e993761eaa3cftrawick <code class="literal">0</code> or <code class="literal">none</code> removes it.
1ccd992d37d62c8cb2056126f2234f64ec189bfddougm<dt><span class="term">-p <em class="replaceable"><code>protocol</code></em></span></dt>
9bd28994e3e77b7e68a1c0aa4b8e993761eaa3cftrawick Sets the protocol value for the generated key. The protocol
9bd28994e3e77b7e68a1c0aa4b8e993761eaa3cftrawick is a number between 0 and 255. The default is 3 (DNSSEC).
e8f95a682820a599fe41b22977010636be5c2717jim Other possible values for this argument are listed in
1ccd992d37d62c8cb2056126f2234f64ec189bfddougm RFC 2535 and its successors.
74cdac609499bfef9628a732008e62052d902163jorton Quiet mode: Suppresses unnecessary output, including
74cdac609499bfef9628a732008e62052d902163jorton progress indication. Without this option, when
42d788c1e0c6445846986b62092933711cbb2252trawick <span><strong class="command">dnssec-keygen</strong></span> is run interactively
42d788c1e0c6445846986b62092933711cbb2252trawick to generate an RSA or DSA key pair, it will print a string
42d788c1e0c6445846986b62092933711cbb2252trawick of symbols to <code class="filename">stderr</code> indicating the
ad801800f52dce3b0dcca793042b75ddec00e92fbnicholes progress of the key generation. A '.' indicates that a
ef7e63639347988498cc18f4beda85e73146cb28bnicholes random number has been found which passed an initial
42d788c1e0c6445846986b62092933711cbb2252trawick sieve test; '+' means a number has passed a single
ef7e63639347988498cc18f4beda85e73146cb28bnicholes round of the Miller-Rabin primality test; a space
ef7e63639347988498cc18f4beda85e73146cb28bnicholes means that the number has passed all the tests and is
46d8f3df5a564fd58591687e66cbde1e863a9a74sf a satisfactory key.
e8f95a682820a599fe41b22977010636be5c2717jim<dt><span class="term">-r <em class="replaceable"><code>randomdev</code></em></span></dt>
260956fd35708b11ad2a1ac13118f8366167e3bbsf Specifies the source of randomness. If the operating
ef7e63639347988498cc18f4beda85e73146cb28bnicholes system does not provide a <code class="filename">/dev/random</code>
ef7e63639347988498cc18f4beda85e73146cb28bnicholes or equivalent device, the default source of randomness
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding is keyboard input. <code class="filename">randomdev</code>
ef7e63639347988498cc18f4beda85e73146cb28bnicholes the name of a character device or file containing random
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding data to be used instead of the default. The special value
2af4c491603b2321aa1f73256f4f93b708a23b96bnicholes <code class="filename">keyboard</code> indicates that keyboard
ad801800f52dce3b0dcca793042b75ddec00e92fbnicholes input should be used.
2af4c491603b2321aa1f73256f4f93b708a23b96bnicholes<dt><span class="term">-S <em class="replaceable"><code>key</code></em></span></dt>
2af4c491603b2321aa1f73256f4f93b708a23b96bnicholes Create a new key which is an explicit successor to an
2af4c491603b2321aa1f73256f4f93b708a23b96bnicholes existing key. The name, algorithm, size, and type of the
686cd089cc7f4d7be5752f026490ab3016763e95bnicholes key will be set to match the existing key. The activation
ad801800f52dce3b0dcca793042b75ddec00e92fbnicholes date of the new key will be set to the inactivation date of
ef7e63639347988498cc18f4beda85e73146cb28bnicholes the existing one. The publication date will be set to the
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding activation date minus the prepublication interval, which
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding defaults to 30 days.
ad801800f52dce3b0dcca793042b75ddec00e92fbnicholes<dt><span class="term">-s <em class="replaceable"><code>strength</code></em></span></dt>
ad801800f52dce3b0dcca793042b75ddec00e92fbnicholes Specifies the strength value of the key. The strength is
ef7e63639347988498cc18f4beda85e73146cb28bnicholes a number between 0 and 15, and currently has no defined
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding purpose in DNSSEC.
5a6d8942dbe4020c9a75ed37538a0fa1eb9d6ff8thommay<dt><span class="term">-T <em class="replaceable"><code>rrtype</code></em></span></dt>
e7157eb98138148328d992336570f1d3a9002928trawick Specifies the resource record type to use for the key.
ef7e63639347988498cc18f4beda85e73146cb28bnicholes <code class="option">rrtype</code> must be either DNSKEY or KEY. The
ef7e63639347988498cc18f4beda85e73146cb28bnicholes default is DNSKEY when using a DNSSEC algorithm, but it can be
ef7e63639347988498cc18f4beda85e73146cb28bnicholes overridden to KEY for use with SIG(0).
ef7e63639347988498cc18f4beda85e73146cb28bnicholes Using any TSIG algorithm (HMAC-* or DH) forces this option
ef7e63639347988498cc18f4beda85e73146cb28bnicholes<dt><span class="term">-t <em class="replaceable"><code>type</code></em></span></dt>
ad801800f52dce3b0dcca793042b75ddec00e92fbnicholes Indicates the use of the key. <code class="option">type</code> must be
ef7e63639347988498cc18f4beda85e73146cb28bnicholes one of AUTHCONF, NOAUTHCONF, NOAUTH, or NOCONF. The default
ef7e63639347988498cc18f4beda85e73146cb28bnicholes is AUTHCONF. AUTH refers to the ability to authenticate
ef7e63639347988498cc18f4beda85e73146cb28bnicholes data, and CONF the ability to encrypt data.
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
ef7e63639347988498cc18f4beda85e73146cb28bnicholes Sets the debugging level.
ed4850c59557f69424966d866a0ef56d494c1f1ebnicholes Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
e8f95a682820a599fe41b22977010636be5c2717jim If the argument begins with a '+' or '-', it is interpreted as
ed4850c59557f69424966d866a0ef56d494c1f1ebnicholes an offset from the present time. For convenience, if such an offset
ed4850c59557f69424966d866a0ef56d494c1f1ebnicholes is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
edd066ff15b401bdda270704bc982029586ff8c2jwoolley then the offset is computed in years (defined as 365 24-hour days,
bfb54bd96690887dcdf184fd9083c2e167898ce2nd ignoring leap years), months (defined as 30 24-hour days), weeks,
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding days, hours, or minutes, respectively. Without a suffix, the offset
09fe0b69d3d1e8c8041c9ce99ee77b8b44b5e3b1fielding is computed in seconds. To explicitly prevent a date from being