man.dnssec-settime.html revision 335c82aebd0da12b401cfac28bd305da95a4d052
 - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<p><span class="application">dnssec-settime</span> — Set the key timing metadata for a DNSSEC key</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-V</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
<p><span><strong class="command">dnssec-settime</strong></span>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
<code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
options. The metadata can then be used by
<span><strong class="command">dnssec-signzone</strong></span> or other signing software to
determine when a key is to be published, whether it should be
used for signing a zone, etc.
If none of these options is set on the command line,
then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
metadata already stored in the key.</p>
<p>When key metadata fields are changed, both files of a key
pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
<code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
Metadata fields are stored in the private file. A human-readable
description of the metadata is also placed in comments in the key
file. The private file's permissions are always set to be
inaccessible to anyone other than the owner (mode 0600).</p>
<dl>
<dt><span class="term">-f</span></dt>
<dd><p>Force an update of an old-format key with no metadata fields.
Without this option, <span><strong class="command">dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>Sets the directory in which the key files are to reside.</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. If this value is not set and there
is no existing DNSKEY RRset, the TTL will default to the
SOA TTL. Setting the default TTL to <code class="literal">0</code>
or <code class="literal">none</code> removes it from the key.</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>Emit usage message and exit.</p></dd>
<dt><span class="term">-V</span></dt>
<dd><p>Prints version information.</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>Sets the debugging level.</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>Specifies the cryptographic hardware to use, when applicable.</p>
<p>When BIND is built with OpenSSL PKCS#11 support, this defaults
to the string "pkcs11", which identifies an OpenSSL engine
that can drive a cryptographic accelerator or hardware service
module. When BIND is built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the PKCS#11
provider library specified via "--with-pkcs11".</p></dd>
</dl>
<a name="id2637627"></a><h2>TIMING OPTIONS</h2>
<p>Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none' or 'never'.</p>
<dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
modified. The activation date of the successor key will be set
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd><p>Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.</p>
<p>If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.</p>
<p>As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.</p></dd>
</dl>
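<p>The date/offset arithmetic and the -S / -i successor rule described above, as an added Python example (not ISC's code and not part of the BIND manual). The function names, the UTC reading of absolute dates, and the two ordering checks on I and D in <code>audit()</code> are assumptions of this example; the sample dates are constructed.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per suffix, as TIMING OPTIONS defines them (y = 365 days, mo = 30 days).
UNITS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
         "d": 86400, "h": 3600, "mi": 60, None: 1}
INTERVAL = re.compile(r"(\d+)(y|mo|w|d|h|mi)?")


def parse_interval(arg):
    """-i style argument: digits plus optional suffix; no suffix means seconds."""
    m = INTERVAL.fullmatch(arg)
    if not m:
        raise ValueError(f"bad interval: {arg!r}")
    return timedelta(seconds=int(m.group(1)) * UNITS[m.group(2)])


def parse_when(arg, now):
    """date/offset argument -> aware datetime, or None for 'none'/'never'."""
    if arg in ("none", "never"):
        return None
    if arg[:1] in ("+", "-"):                      # offset from the present time
        delta = parse_interval(arg[1:])
        return now + delta if arg[0] == "+" else now - delta
    for fmt, width in (("%Y%m%d%H%M%S", 14), ("%Y%m%d", 8)):
        if len(arg) == width and arg.isdigit():
            # Assumption of this example: absolute dates are read as UTC.
            return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
    raise ValueError(f"bad date/offset: {arg!r}")


def successor_times(pred_inactive, prepub="30d"):
    """-S rule: activate when the predecessor is retired, publish prepub earlier."""
    if pred_inactive is None:
        raise ValueError("predecessor has no inactivation date to chain from")
    return pred_inactive - parse_interval(prepub), pred_inactive


def audit(times, prepub="0"):
    """Flag timing that would break a rollover; times maps P/A/I/D to datetimes."""
    p, a, i, d = (times.get(k) for k in "PAID")
    problems = []
    if p and a and a - p < parse_interval(prepub):   # the -i separation rule
        problems.append("activation is closer to publication than the interval")
    if a and i and i <= a:                           # example's own sanity check
        problems.append("key is retired before it is activated")
    if i and d and d < i:                            # example's own sanity check
        problems.append("key is deleted from the zone before it is retired")
    return problems


if __name__ == "__main__":
    now = datetime(2025, 1, 1, tzinfo=timezone.utc)  # constructed "present time"
    old_retire = parse_when("+6mo", now)             # old key: -I +6mo
    publish, activate = successor_times(old_retire)  # new key: -S old, default -i
    print("old key retires  ", old_retire)
    print("new key published", publish)
    print("new key activated", activate)
    print(audit({"P": now, "A": parse_when("+1d", now)}, prepub="30d"))
```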
<a name="id2637766"></a><h2>PRINTING OPTIONS</h2>
<p><span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.</p>
<dl>
<dt><span class="term">-u</span></dt>
<dd><p>Print times in UNIX epoch format.</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
<dd><p>Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters to indicate which value or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date, or
<code class="option">D</code> for the deletion date.
To print all of the metadata, use <code class="option">-p all</code>.</p></dd>
</dl>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,</p>
<p><span class="corpauthor">Internet Systems Consortium</span></p>
<p style="text-align: center;">BIND 9.11.0pre-alpha</p>