man.dnssec-settime.html revision 78ec962d9828200d18cd0e41b7d6b9792a74923d
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<p><span class="application">dnssec-settime</span> — Set the key timing metadata for a DNSSEC key</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
<p><span><strong class="command">dnssec-settime</strong></span>
 reads a DNSSEC private key file and sets the key timing metadata
 as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
 <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
 options. The metadata can then be used by
 <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
 determine when a key is to be published, whether it should be
 used for signing a zone, etc.</p>
<p>If none of these options is set on the command line,
 then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
 metadata already stored in the key.</p>
<p>When key metadata fields are changed, both files of a key
 pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
 <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
 Metadata fields are stored in the private file. A human-readable
 description of the metadata is also placed in comments in the key
 file. The private file's permissions are always set to be
 inaccessible to anyone other than the owner (mode 0600).</p>
<dl>
<dt><span class="term">-f</span></dt>
<dd><p>
 Force an update of an old-format key with no metadata fields.
 Without this option, <span><strong class="command">dnssec-settime</strong></span> will
 fail when attempting to update a legacy key. With this option,
 the key will be recreated in the new format, but with the
 original key data retained. The key's creation date will be
 set to the present time. If no other values are specified,
 then the key's publication and activation dates will also
 be set to the present time.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Emit usage message and exit.
</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>
 Prints version information.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Specifies the cryptographic hardware to use, when applicable.
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
</p></dd>
</dl>
<a name="id2631253"></a><h2>TIMING OPTIONS</h2>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To unset a date, use 'none' or 'never'.
</p>
<dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
 Select a key for which the key being modified will be an
 explicit successor. The name, algorithm, size, and type of the
 predecessor key must exactly match those of the key being
 modified. The activation date of the successor key will be set
 to the inactivation date of the predecessor. The publication
 date will be set to the activation date minus the prepublication
 interval, which defaults to 30 days.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
 Sets the prepublication interval for a key. If set, then
 the publication and activation dates must be separated by at least
 this much time. If the activation date is specified but the
 publication date isn't, then the publication date will default
 to this much time before the activation date; conversely, if
 the publication date is specified but activation date isn't,
 then activation will be set to this much time after publication.
</p>
<p>
 If the key is being set to be an explicit successor to another
 key, then the default prepublication interval is 30 days;
 otherwise it is zero.
</p>
<p>
 As with date offsets, if the argument is followed by one of
 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
 interval is measured in years, months, weeks, days, hours,
 or minutes, respectively. Without a suffix, the interval is
 measured in seconds.
</p>
</dd>
</dl>
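<p>Added example (not part of the BIND documentation or source): a Python model of the date/offset syntax described under TIMING OPTIONS and of the <code class="option">-S</code>/<code class="option">-i</code> successor rule, usable to check a planned rollover schedule before applying it with <span><strong class="command">dnssec-settime</strong></span>. All function names are hypothetical, absolute dates are assumed to be UTC, and revocation (<code class="option">-R</code>) is left out of the state check.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Suffix lengths in seconds as the page defines them:
# a year is 365 24-hour days, a month is 30 24-hour days.
UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
         "d": 86400, "h": 3600, "mi": 60, None: 1}
OFFSET_RE = re.compile(r"([+-]?)(\d+)(y|mo|w|d|h|mi)?")


def parse_interval(arg):
    """Seconds for an offset or -i interval: '30d', '+6mo', '-3600'."""
    m = OFFSET_RE.fullmatch(arg)
    if not m:
        raise ValueError(f"bad offset/interval: {arg!r}")
    sign, digits, unit = m.groups()
    return (-1 if sign == "-" else 1) * int(digits) * UNITS[unit]


def parse_when(arg, now):
    """Resolve a date/offset argument; None means the date is unset."""
    if arg in ("none", "never"):
        return None
    if arg.startswith(("+", "-")):
        return now + timedelta(seconds=parse_interval(arg))
    fmt = {8: "%Y%m%d", 14: "%Y%m%d%H%M%S"}.get(len(arg))
    if fmt is None or not arg.isdigit():
        raise ValueError(f"bad date: {arg!r}")
    # Assumption of this sketch: absolute dates are read as UTC.
    return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)


def successor_times(pred_inactive, prepub="30d"):
    """-S rule: activate when the predecessor is retired and publish one
    prepublication interval (-i, default 30 days) before that."""
    activate = pred_inactive
    return activate - timedelta(seconds=parse_interval(prepub)), activate


def key_state(t, publish=None, activate=None, inactive=None, delete=None):
    """Role of the key in the zone at time t, per the -P/-A/-I/-D text."""
    if delete and t >= delete:
        return "deleted"      # no longer included in the zone
    if inactive and t >= inactive:
        return "retired"      # still included, not used to sign
    if activate and t >= activate:
        return "active"       # included and used to sign
    if publish and t >= publish:
        return "published"    # included, not yet used to sign
    return "unpublished"


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "present time"
    old_inactive = parse_when("+6mo", now)           # predecessor retires in 180 days
    pub, act = successor_times(old_inactive)
    print(pub.date(), act.date(), key_state(act, pub, act))
```

<p>Evaluating <code>key_state</code> for the predecessor and the successor at the same instant shows whether a schedule leaves the zone without an active signing key.</p>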
<a name="id2635146"></a><h2>PRINTING OPTIONS</h2>
<p>
 <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
 timing metadata associated with a key.
</p>
<dl>
<dt><span class="term">-u</span></dt>
<dd><p>
 Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
<dd><p>
 Print a specific metadata value or set of metadata values.
 The <code class="option">-p</code> option may be followed by one or more
 of the following letters to indicate which value or values to print:
 <code class="option">C</code> for the creation date,
 <code class="option">P</code> for the publication date,
 <code class="option">A</code> for the activation date,
 <code class="option">R</code> for the revocation date,
 <code class="option">I</code> for the inactivation date, or
 <code class="option">D</code> for the deletion date.
 To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</dl>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>
<p style="text-align: center;">BIND Version 9.11</p>