man.dnssec-settime.html revision 78ec962d9828200d18cd0e41b7d6b9792a74923d
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<!--
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - Copyright (C) 2000-2003 Internet Software Consortium.
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn -
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - Permission to use, copy, modify, and/or distribute this software for any
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - purpose with or without fee is hereby granted, provided that the above
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - copyright notice and this permission notice appear in all copies.
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn -
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn - PERFORMANCE OF THIS SOFTWARE.
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn-->
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<!-- $Id$ -->
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<html>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<head>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<title>dnssec-settime</title>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
62ecec3a82a8b838ee76c1f6610902d8fd7015cbmatthew_swift<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
d5af1880773b35da2da505be54be517b746e7410ludovicp<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
d5af1880773b35da2da505be54be517b746e7410ludovicp<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
d5af1880773b35da2da505be54be517b746e7410ludovicp<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn</head>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<div class="navheader">
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<table width="100%" summary="Navigation header">
d5af1880773b35da2da505be54be517b746e7410ludovicp<tr><th colspan="3" align="center"><span class="application">dnssec-settime</span></th></tr>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<tr>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<td width="20%" align="left">
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<a accesskey="p" href="man.dnssec-revoke.html">Prev</a>�</td>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<th width="60%" align="center">Manual pages</th>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<td width="20%" align="right">�<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn</td>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn</tr>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn</table>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<hr>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn</div>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<div class="refentry" lang="en">
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<a name="man.dnssec-settime"></a><div class="titlepage"></div>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<div class="refnamediv">
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<h2>Name</h2>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn</div>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<div class="refsynopsisdiv">
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<h2>Synopsis</h2>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn</div>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<div class="refsect1" lang="en">
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<a name="id2623000"></a><h2>DESCRIPTION</h2>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<p><span><strong class="command">dnssec-settime</strong></span>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn reads a DNSSEC private key file and sets the key timing metadata
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn options. The metadata can then be used by
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn determine when a key is to be published, whether it should be
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn used for signing a zone, etc.
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn </p>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<p>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn If none of these options is set on the command line,
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn metadata already stored in the key.
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn </p>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn<p>
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn When key metadata fields are changed, both files of a key
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
9def8137e705ec92bc3a2881a8457795c860fdb1shankar_mbn <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
62ecec3a82a8b838ee76c1f6610902d8fd7015cbmatthew_swift Metadata fields are stored in the private file. A human-readable
62ecec3a82a8b838ee76c1f6610902d8fd7015cbmatthew_swift description of the metadata is also placed in comments in the key
62ecec3a82a8b838ee76c1f6610902d8fd7015cbmatthew_swift file. The private file's permissions are always set to be
62ecec3a82a8b838ee76c1f6610902d8fd7015cbmatthew_swift inaccessible to anyone other than the owner (mode 0600).
d5af1880773b35da2da505be54be517b746e7410ludovicp </p>
d5af1880773b35da2da505be54be517b746e7410ludovicp</div>
<div class="refsect1" lang="en">
<a name="id2623127"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
Force an update of an old-format key with no metadata fields.
Without this option, <span><strong class="command">dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
Prints version information.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
<p>
Specifies the cryptographic hardware to use, when applicable.
</p>
<p>
When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2631253"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none' or 'never'.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it.
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
modified. The activation date of the successor key will be set
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2635146"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-u</span></dt>
<dd><p>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
<dd><p>
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters to indicate which value or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date, or
<code class="option">D</code> for the deletion date.
To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2635294"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2643246"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-revoke.html">Prev</a>�</td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch10.html">Up</a></td>
<td width="40%" align="right">�<a accesskey="n" href="man.dnssec-signzone.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-revoke</span>�</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">�<span class="application">dnssec-signzone</span>
</td>
</tr>
</table>
</div>
<p style="text-align: center;">BIND Version 9.11</p>
</body>
</html>