man.dnssec-settime.html revision d0d1dbab0fe2b940ffb4354dcadb30885f160770
<!--
 - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-settime</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="refentry" lang="en">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<div class="refnamediv">
<h2>Name</h2>
<p><span class="application">dnssec-settime</span> &#8212; Set the key timing metadata for a DNSSEC key</p>
</div>
<div class="refsynopsisdiv">
<h2>Synopsis</h2>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
</div>
<div class="refsect1" lang="en">
<a name="id2619315"></a><h2>DESCRIPTION</h2>
<p><span><strong class="command">dnssec-settime</strong></span>
 reads a DNSSEC private key file and sets the key timing metadata
 as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
 <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
 options. The metadata can then be used by
 <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
 determine when a key is to be published, whether it should be
 used for signing a zone, etc.
 </p>
<p>
 If none of these options is set on the command line,
 then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
 metadata already stored in the key.
 </p>
<p>
 When key metadata fields are changed, both files of a key
 pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
 <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
 Metadata fields are stored in the private file. A human-readable
 description of the metadata is also placed in comments in the key
 file. The private file's permissions are always set to be
 inaccessible to anyone other than the owner (mode 0600).
 </p>
</div>
<div class="refsect1" lang="en">
<a name="id2619373"></a><h2>OPTIONS</h2>
<div class="variablelist"><dl>
<dt><span class="term">-f</span></dt>
<dd><p>
Force an update of an old-format key with no metadata fields.
Without this option, <span><strong class="command">dnssec-settime</strong></span> will
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
set to the present time. If no other values are specified,
then the key's publication and activation dates will also
be set to the present time.
</p></dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd><p>
Sets the directory in which the key files are to reside.
</p></dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd><p>
Sets the default TTL to use for this key when it is converted
into a DNSKEY RR. If the key is imported into a zone,
this is the TTL that will be used for it, unless there was
already a DNSKEY RRset in place, in which case the existing TTL
would take precedence. Setting the default TTL to
<code class="literal">0</code> or <code class="literal">none</code> removes it.
</p></dd>
<dt><span class="term">-h</span></dt>
<dd><p>
Emit usage message and exit.
</p></dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd><p>
Sets the debugging level.
</p></dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd><p>
Use the given OpenSSL engine. When compiled with PKCS#11 support
it defaults to pkcs11; the empty name resets it to no engine.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2620041"></a><h2>TIMING OPTIONS</h2>
<p>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
an offset from the present time. For convenience, if such an offset
is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
then the offset is computed in years (defined as 365 24-hour days,
ignoring leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the offset
is computed in seconds. To unset a date, use 'none'.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
</p></dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be activated. After that
date, the key will be included in the zone and used to sign
it.
</p></dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be revoked. After that
date, the key will be flagged as revoked. It will be included
in the zone and will be used to sign it.
</p></dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</p></dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd><p>
Sets the date on which the key is to be deleted. After that
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</p></dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd><p>
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being
modified. The activation date of the successor key will be set
to the inactivation date of the predecessor. The publication
date will be set to the activation date minus the prepublication
interval, which defaults to 30 days.
</p></dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
<p>
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the
publication date isn't, then the publication date will default
to this much time before the activation date; conversely, if
the publication date is specified but activation date isn't,
then activation will be set to this much time after publication.
</p>
<p>
If the key is being set to be an explicit successor to another
key, then the default prepublication interval is 30 days;
otherwise it is zero.
</p>
<p>
As with date offsets, if the argument is followed by one of
the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
interval is measured in years, months, weeks, days, hours,
or minutes, respectively. Without a suffix, the interval is
measured in seconds.
</p>
</dd>
</dl></div>
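<p>
An added example, not part of the BIND distribution: a Python re-implementation of the date/offset and interval rules described in this section, including the <code class="option">-S</code> and <code class="option">-i</code> defaults. The function names are hypothetical, and treating absolute dates as UTC is an assumption.
</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Seconds per suffix as defined above: a year is 365 days, a month 30 days.
UNITS = {"": 1, "mi": 60, "h": 3600, "d": 86400, "w": 7 * 86400,
         "mo": 30 * 86400, "y": 365 * 86400}

def parse_interval(arg):
    """Convert an interval such as '30d' or '3600' to seconds."""
    m = re.fullmatch(r"(\d+)([a-z]*)", arg)
    if not m or m.group(2) not in UNITS:
        raise ValueError(f"bad interval: {arg!r}")
    return int(m.group(1)) * UNITS[m.group(2)]

def parse_when(arg, now):
    """Resolve a date/offset argument to a datetime, or None for 'none'."""
    if arg == "none":
        return None
    if arg[:1] in ("+", "-"):
        sign = 1 if arg[0] == "+" else -1
        return now + timedelta(seconds=sign * parse_interval(arg[1:]))
    fmt = {8: "%Y%m%d", 14: "%Y%m%d%H%M%S"}.get(len(arg))
    if fmt is None or not arg.isdigit():
        raise ValueError(f"bad date: {arg!r}")
    # Assumption: absolute dates are taken as UTC.
    return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)

def apply_interval(publish, activate, interval):
    """Fill in a missing P or A date from the prepublication interval (-i)."""
    gap = timedelta(seconds=parse_interval(interval))
    if publish is None and activate is not None:
        publish = activate - gap
    elif activate is None and publish is not None:
        activate = publish + gap
    if publish and activate and activate - publish < gap:
        raise ValueError("publication and activation closer than interval")
    return publish, activate

def successor_times(pred_inactive, interval="30d"):
    """P and A dates of an explicit successor (-S): A is the predecessor's
    inactivation date, P is A minus the prepublication interval."""
    return apply_interval(None, pred_inactive, interval)

if __name__ == "__main__":
    now = datetime(2013, 1, 1, tzinfo=timezone.utc)  # constructed "present"
    retire = parse_when("+6mo", now)                 # predecessor's -I date
    publish, activate = successor_times(retire)
    print("retire", retire, "publish", publish, "activate", activate)
```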
</div>
<div class="refsect1" lang="en">
<a name="id2620658"></a><h2>PRINTING OPTIONS</h2>
<p>
<span><strong class="command">dnssec-settime</strong></span> can also be used to print the
timing metadata associated with a key.
</p>
<div class="variablelist"><dl>
<dt><span class="term">-u</span></dt>
<dd><p>
Print times in UNIX epoch format.
</p></dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
<dd><p>
Print a specific metadata value or set of metadata values.
The <code class="option">-p</code> option may be followed by one or more
of the following letters to indicate which value or values to print:
<code class="option">C</code> for the creation date,
<code class="option">P</code> for the publication date,
<code class="option">A</code> for the activation date,
<code class="option">R</code> for the revocation date,
<code class="option">I</code> for the inactivation date, or
<code class="option">D</code> for the deletion date.
To print all of the metadata, use <code class="option">-p all</code>.
</p></dd>
</dl></div>
</div>
<div class="refsect1" lang="en">
<a name="id2620738"></a><h2>SEE ALSO</h2>
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
<span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
<em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<em class="citetitle">RFC 5011</em>.
</p>
</div>
<div class="refsect1" lang="en">
<a name="id2620771"></a><h2>AUTHOR</h2>
<p><span class="corpauthor">Internet Systems Consortium</span>
</p>
</div>
</div>
</body>
</html>