man.dnssec-settime.html revision 71cef386fae61275b03e203825680b39fedaa8c6
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch13.html" title="Manual pages">
<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<span class="application">dnssec-settime</span>
— set the key timing metadata for a DNSSEC key
[<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
[<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
[<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
[<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
[<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
[<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
[<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
<a name="id-1.14.15.7"></a><h2>DESCRIPTION</h2>
<p><span class="command"><strong>dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
<code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
options. The metadata can then be used by
<span class="command"><strong>dnssec-signzone</strong></span> or other signing software to
determine when a key is to be published, whether it should be
used for signing a zone, etc.
If none of these options is set on the command line,
then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing
metadata already stored in the key.
When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).
<div class="variablelist"><dl class="variablelist">
Force an update of an old-format key with no metadata fields.
Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
Sets the directory in which the key files are to reside.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> removes it from the key.
Emit usage message and exit.
Prints version information.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
Sets the debugging level.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
Specifies the cryptographic hardware to use, when applicable.
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
<a name="id-1.14.15.9"></a><h2>TIMING OPTIONS</h2>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none' or 'never'.
<div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which CDS and CDNSKEY records that match this
key are to be published to the zone.
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
Sets the date on which the CDS and CDNSKEY records that match this
key are to be deleted.
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
modified. The activation date of the successor key will be set
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
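<p>Added example (not part of this manual or of BIND): a Python model of the date/offset rules above and of the <code class="option">-S</code>/<code class="option">-i</code> defaults, for checking a planned rollover before running <span class="command"><strong>dnssec-settime</strong></span>. The function names are hypothetical; the model accepts only the forms listed on this page and assumes absolute dates are UTC.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Suffix sizes in seconds as this page defines them: a year is 365 24-hour
# days, a month is 30 24-hour days; no suffix means seconds.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, None: 1}
INTERVAL_RE = re.compile(r"([0-9]+)(y|mo|w|d|h|mi)?")


def parse_interval(text):
    """Parse an -i style interval such as '30d' or '3600' into a timedelta."""
    m = INTERVAL_RE.fullmatch(text)
    if m is None:
        raise ValueError(f"bad interval: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2)])


def parse_when(text, now):
    """Parse a date/offset argument; returns None when the date is unset."""
    if text in ("none", "never"):
        return None
    if text.startswith(("+", "-")):
        delta = parse_interval(text[1:])
        return now + delta if text[0] == "+" else now - delta
    fmt = {8: "%Y%m%d", 14: "%Y%m%d%H%M%S"}.get(len(text))
    if fmt is None or not text.isdigit():
        raise ValueError(f"bad date: {text!r}")
    # Assumption of this example: absolute dates are read as UTC.
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def successor_times(pred_inactive, prepub=None):
    """Model of -S: activate at the predecessor's inactivation date and
    publish one prepublication interval (default 30 days) earlier."""
    if pred_inactive is None:
        raise ValueError("predecessor has no inactivation date")
    if prepub is None:
        prepub = timedelta(days=30)
    return {"P": pred_inactive - prepub, "A": pred_inactive}


def prepublication_problems(publish, activate, prepub):
    """Return findings for a plan that breaks the -i rule (publication and
    activation at least one interval apart)."""
    problems = []
    if publish is None or activate is None:
        problems.append("publication or activation date is unset")
    elif activate - publish < prepub:
        problems.append(f"only {activate - publish} between P and A, need {prepub}")
    return problems


if __name__ == "__main__":
    now = datetime(2018, 1, 1, tzinfo=timezone.utc)   # constructed clock
    old_inactive = parse_when("20180301", now)        # constructed predecessor -I date
    plan = successor_times(old_inactive, parse_interval("30d"))
    print(plan, prepublication_problems(plan["P"], plan["A"], parse_interval("30d")))
    late = parse_when("+50d", now)                    # constructed late publication
    print(prepublication_problems(late, old_inactive, parse_interval("30d")))
```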
<a name="id-1.14.15.10"></a><h2>PRINTING OPTIONS</h2>
<span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
<div class="variablelist"><dl class="variablelist">
Print times in UNIX epoch format.
<dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters or strings to indicate which value
or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">Psync</code> for the CDS and CDNSKEY publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date,
<code class="option">D</code> for the deletion date, and
<code class="option">Dsync</code> for the CDS and CDNSKEY deletion date.
To print all of the metadata, use <code class="option">-p all</code>.
<span class="refentrytitle">dnssec-keygen</span>(8)
<span class="refentrytitle">dnssec-signzone</span>(8)
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.2 (Extended Support Version)</p>