man.dnssec-settime.html revision fdd80e9a55c70b36a3bf3e409b86897301c44ff8
<!--
 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: man.dnssec-settime.html,v 1.32 2010/01/08 01:14:07 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<p><span class="application">dnssec-settime</span> — Set the key timing metadata for a DNSSEC key</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
<p><span><strong class="command">dnssec-settime</strong></span>
 reads a DNSSEC private key file and sets the key timing metadata
 as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
 <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
 options. The metadata can then be used by
 <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
 determine when a key is to be published, whether it should be
 used for signing a zone, etc.
</p>
<p>
 If none of these options is set on the command line,
 then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
 metadata already stored in the key.
</p>
<p>
 When key metadata fields are changed, both files of a key
 pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
 <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
 Metadata fields are stored in the private file. A human-readable
 description of the metadata is also placed in comments in the key
</p>
<dl>
<dt><span class="term">-f</span></dt>
<dd><p>
 Force an update of an old-format key with no metadata fields.
 Without this option, <span><strong class="command">dnssec-settime</strong></span> will
 fail when attempting to update a legacy key. With this option,
 the key will be recreated in the new format, but with the
 original key data retained. The key's creation date will be
 set to the present time.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
 Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
 Emit usage message and exit.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
 Sets the debugging level.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
 Use the given OpenSSL engine. When compiled with PKCS#11 support
 it defaults to pkcs11; the empty name resets it to no engine.
</p></dd>
</dl>
<p>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To unset a date, use 'none'.
</p>
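<p>Added example, not part of BIND or of this manual: a parser that resolves a date/offset argument using only the rules in the paragraph above, so that the fixed-length 'y' and 'mo' units can be checked before a schedule is applied. The name <code>parse_when</code> and the treatment of absolute dates as UTC are assumptions of the example.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Suffix -> seconds, using the fixed-length units defined on this page:
# a year is 365 days, a month is 30 days, and no suffix means seconds.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, "": 1}
OFFSET_RE = re.compile(r"([+-])([0-9]+)(y|mo|w|d|h|mi)?")


def parse_when(arg, now):
    """Resolve a date/offset argument to an aware datetime, or None for 'none'.

    `now` is the reference time for offsets. Absolute dates are read as UTC,
    which is an assumption of this example.
    """
    if arg == "none":
        return None  # 'none' unsets the date
    m = OFFSET_RE.fullmatch(arg)
    if m:
        sign, count, unit = m.groups()
        seconds = int(count) * UNIT_SECONDS[unit or ""]
        return now + timedelta(seconds=seconds if sign == "+" else -seconds)
    for fmt, length in (("%Y%m%d%H%M%S", 14), ("%Y%m%d", 8)):
        if len(arg) == length and arg.isdigit():
            return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
    raise ValueError(f"not a date, an offset or 'none': {arg!r}")


if __name__ == "__main__":
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    for arg in ("+1y", "+1mo", "-90", "20240315", "none"):
        print(arg, "->", parse_when(arg, start))
```

<p>Because 2024 is a leap year, <code>+1y</code> taken from 1 January 2024 resolves to 31 December 2024, one day short of a calendar year.</p>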
<dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
</p></dd>
</dl>
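<p>Added example, not part of BIND or of this manual: the five option descriptions above written as a state function, then used to find instants in a planned key rollover at which no key is signing the zone. The precedence between dates that have all passed, the function names and the sample schedule are assumptions constructed for illustration.</p>

```python
from datetime import datetime, timezone


def key_state(meta, now):
    """Return (in_zone, signing, revoked) for one key at the instant `now`.

    `meta` maps option letters P, A, R, I, D to aware datetimes (absent = unset).
    Assumptions of this example: a date takes effect at that instant, and when
    several dates have passed, D outranks I, which outranks R and A, then P.
    """
    def passed(letter):
        when = meta.get(letter)
        return when is not None and when <= now

    revoked = passed("R")
    if passed("D"):
        return (False, False, revoked)   # no longer included in the zone
    if passed("I"):
        return (True, False, revoked)    # still included, not used to sign
    if revoked or passed("A"):
        return (True, True, revoked)     # included and used to sign
    if passed("P"):
        return (True, False, False)      # published only
    return (False, False, False)


def unsigned_instants(keys, instants):
    """Instants at which no key in `keys` is signing (a gap in the rollover plan)."""
    return [t for t in instants
            if not any(key_state(meta, t)[1] for meta in keys.values())]


def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)


# Constructed schedule: the successor is activated one day after the old key retires.
SCHEDULE = {
    "old": {"P": utc(2024, 1, 1), "A": utc(2024, 1, 1),
            "I": utc(2024, 7, 1), "D": utc(2024, 8, 1)},
    "new": {"P": utc(2024, 6, 1), "A": utc(2024, 7, 2)},
}
CHECKPOINTS = [utc(2024, 6, 15), utc(2024, 7, 1, 12), utc(2024, 7, 3)]

if __name__ == "__main__":
    for t in unsigned_instants(SCHEDULE, CHECKPOINTS):
        print("no signing key at", t.isoformat())
```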
<a name="id2609723"></a><h2>PRINTING OPTIONS</h2>
<p>
 <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
 timing metadata associated with a key.
</p>
<dl>
<dt><span class="term">-u</span></dt>
<dd><p>
 Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/U/D/all</code></em></span></dt>
<dd><p>
 Print a specific metadata value or set of metadata values.
 The <code class="option">-p</code> option may be followed by one or more
 of the following letters to indicate which value or values to print:
 <code class="option">C</code> for the creation date,
 <code class="option">P</code> for the publication date,
 <code class="option">A</code> for the activation date,
 <code class="option">R</code> for the revocation date,
 <code class="option">U</code> for the unpublication date, or
 <code class="option">D</code> for the deletion date.
 To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</dl>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
</p>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>