man.dnssec-settime.html revision dd1ce8b52478fa98c844720af9e77fae2978f18d
<!--
 - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch10.html" title="Manual pages">
<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
<p><span class="application">dnssec-settime</span> — Set the key timing metadata for a DNSSEC key</p>
<div class="cmdsynopsis"><p><code class="command">dnssec-settime</code> [<code class="option">-f</code>] [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>] [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>] [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>] [<code class="option">-h</code>] [<code class="option">-v <em class="replaceable"><code>level</code></em></code>] [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>] {keyfile}</p></div>
<p><span><strong class="command">dnssec-settime</strong></span>
 reads a DNSSEC private key file and sets the key timing metadata
 as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
 <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
 options. The metadata can then be used by
 <span><strong class="command">dnssec-signzone</strong></span> or other signing software to
 determine when a key is to be published, whether it should be
 used for signing a zone, etc.
 If none of these options is set on the command line,
 then <span><strong class="command">dnssec-settime</strong></span> simply prints the key timing
 metadata already stored in the key.
 When key metadata fields are changed, both files of a key
 pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
 <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
 Metadata fields are stored in the private file. A human-readable
 description of the metadata is also placed in comments in the key
 file. The private file's permissions are always set to be
 inaccessible to anyone other than the owner (mode 0600).</p>
<dt><span class="term">-f</span></dt>
 Force an update of an old-format key with no metadata fields.
 Without this option, <span><strong class="command">dnssec-settime</strong></span> will
 fail when attempting to update a legacy key. With this option,
 the key will be recreated in the new format, but with the
 original key data retained. The key's creation date will be
 set to the present time. If no other values are specified,
 then the key's publication and activation dates will also
 be set to the present time.
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
 Sets the directory in which the key files are to reside.
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
 Sets the default TTL to use for this key when it is converted
 into a DNSKEY RR. If the key is imported into a zone,
 this is the TTL that will be used for it, unless there was
 already a DNSKEY RRset in place, in which case the existing TTL
 would take precedence. Setting the default TTL to
 <code class="literal">0</code> or <code class="literal">none</code> removes it.
<dt><span class="term">-h</span></dt>
 Emit usage message and exit.
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
 Sets the debugging level.
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
 Specifies the cryptographic hardware to use, when applicable.
 When BIND is built with OpenSSL PKCS#11 support, this defaults
 to the string "pkcs11", which identifies an OpenSSL engine
 that can drive a cryptographic accelerator or hardware service
 module. When BIND is built with native PKCS#11 cryptography
 (--enable-native-pkcs11), it defaults to the path of the PKCS#11
 provider library specified via "--with-pkcs11".
<a name="id2619833"></a><h2>TIMING OPTIONS</h2>
 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
 If the argument begins with a '+' or '-', it is interpreted as
 an offset from the present time. For convenience, if such an offset
 is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
 then the offset is computed in years (defined as 365 24-hour days,
 ignoring leap years), months (defined as 30 24-hour days), weeks,
 days, hours, or minutes, respectively. Without a suffix, the offset
 is computed in seconds. To unset a date, use 'none'.
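<p>Added example, not part of the ISC manual page or of BIND's source: a Python reading of the date/offset grammar described above, for resolving planned key dates before they are passed to <span><strong class="command">dnssec-settime</strong></span>. The name <code class="literal">parse_when</code>, the UTC interpretation of absolute dates and the rejection of any spelling the page does not list are assumptions of this example.</p>

```python
import re
from datetime import datetime, timedelta, timezone

# Unit lengths as the page defines them: a year is 365 24-hour days and a
# month is 30 24-hour days, so "+12mo" (360 days) is shorter than "+1y".
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, None: 1}
OFFSET_RE = re.compile(r"([+-])([0-9]+)(y|mo|w|d|h|mi)?")

def parse_when(arg, now):
    """Resolve one date/offset argument against `now`.

    Returns an aware UTC datetime, or None when the date is unset ('none').
    Assumption of this example: absolute dates are read as UTC, and any
    spelling the page does not list is rejected.
    """
    if arg == "none":
        return None
    m = OFFSET_RE.fullmatch(arg)
    if m:
        sign, count, unit = m.groups()
        delta = timedelta(seconds=int(count) * UNIT_SECONDS[unit])
        return now + delta if sign == "+" else now - delta
    for digits, fmt in ((8, "%Y%m%d"), (14, "%Y%m%d%H%M%S")):
        if len(arg) == digits and arg.isascii() and arg.isdigit():
            # strptime also rejects impossible dates such as 20240230
            return datetime.strptime(arg, fmt).replace(tzinfo=timezone.utc)
    raise ValueError(f"not a date/offset: {arg!r}")

if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference time
    for arg in ("20240315", "20240315120000", "+1y", "+12mo", "+6w", "-90", "none"):
        print(f"{arg:>15} -> {parse_when(arg, now)}")
```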
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which a key is to be published to the zone.
 After that date, the key will be included in the zone but will
 not be used to sign it.
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be activated. After that
 date, the key will be included in the zone and used to sign
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be revoked. After that
 date, the key will be flagged as revoked. It will be included
 in the zone and will be used to sign it.
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be retired. After that
 date, the key will still be included in the zone, but it
 will not be used to sign it.
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
 Sets the date on which the key is to be deleted. After that
 date, the key will no longer be included in the zone. (It
 may remain in the key repository, however.)
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
 Select a key for which the key being modified will be an
 explicit successor. The name, algorithm, size, and type of the
 predecessor key must exactly match those of the key being
 modified. The activation date of the successor key will be set
 to the inactivation date of the predecessor. The publication
 date will be set to the activation date minus the prepublication
 interval, which defaults to 30 days.
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
 Sets the prepublication interval for a key. If set, then
 the publication and activation dates must be separated by at least
 this much time. If the activation date is specified but the
 publication date isn't, then the publication date will default
 to this much time before the activation date; conversely, if
 the publication date is specified but activation date isn't,
 then activation will be set to this much time after publication.
 If the key is being set to be an explicit successor to another
 key, then the default prepublication interval is 30 days;
 otherwise it is zero.
 As with date offsets, if the argument is followed by one of
 the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
 interval is measured in years, months, weeks, days, hours,
 or minutes, respectively. Without a suffix, the interval is
 measured in seconds.
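<p>Added example, not part of the ISC manual page or of BIND's source: a Python model of the key lifecycle set by <code class="option">-P</code>, <code class="option">-A</code>, <code class="option">-R</code>, <code class="option">-I</code> and <code class="option">-D</code> and of the successor dates derived by <code class="option">-S</code> and <code class="option">-i</code>, used to check a rollover plan for windows in which no key signs the zone. All function names, the sample dates and the precedence applied when several dates have passed are assumptions of this example.</p>

```python
from datetime import datetime, timedelta, timezone

DEFAULT_PREPUB = timedelta(days=30)   # default interval for -S, per the page

def utc(*ymd):
    return datetime(*ymd, tzinfo=timezone.utc)

def key_status(t, at):
    """t maps 'P','A','R','I','D' to datetimes (absent or None = unset).
    Returns (in_zone, signing, revoked) at time `at`, reading each option's
    description literally; later events overriding earlier ones is assumed."""
    def passed(field):
        return t.get(field) is not None and at >= t[field]
    revoked = passed("R")
    in_zone = (passed("P") or passed("A") or revoked) and not passed("D")
    signing = in_zone and (passed("A") or revoked) and not passed("I")
    return in_zone, signing, revoked

def successor_times(pred, prepub=DEFAULT_PREPUB):
    """-S: activate when the predecessor goes inactive, publish prepub earlier."""
    if pred.get("I") is None:
        raise ValueError("predecessor has no inactivation date")
    return {"P": pred["I"] - prepub, "A": pred["I"]}

def prepub_ok(t, interval):
    """-i: publication and activation must be at least `interval` apart."""
    return t["A"] - t["P"] >= interval

def signing_gaps(keys, start, end, step=timedelta(hours=1)):
    """Sample [start, end) and return every instant at which no key signs."""
    gaps, at = [], start
    while at < end:
        if not any(key_status(k, at)[1] for k in keys):
            gaps.append(at)
        at += step
    return gaps

# Constructed sample timeline: one key, its -S successor, and a late key.
OLD = {"P": utc(2024, 1, 1), "A": utc(2024, 1, 1),
       "I": utc(2024, 7, 1), "D": utc(2024, 8, 1)}
NEW = successor_times(OLD)                           # P=2024-06-01, A=2024-07-01
LATE = {"P": utc(2024, 6, 2), "A": utc(2024, 7, 2)}  # hand-set, one day late

if __name__ == "__main__":
    for name, key in (("old", OLD), ("new", NEW)):
        print(name, key_status(key, utc(2024, 6, 15)))
    window = (utc(2024, 6, 30), utc(2024, 7, 3))
    print("gaps with -S successor:", len(signing_gaps([OLD, NEW], *window)))
    print("gaps with late key:   ", len(signing_gaps([OLD, LATE], *window)))
```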
<a name="id2620108"></a><h2>PRINTING OPTIONS</h2>
 <span><strong class="command">dnssec-settime</strong></span> can also be used to print the
 timing metadata associated with a key.
 Print times in UNIX epoch format.
<dt><span class="term">-p <em class="replaceable"><code>C/P/A/R/I/D/all</code></em></span></dt>
 Print a specific metadata value or set of metadata values.
 The <code class="option">-p</code> option may be followed by one or more
 of the following letters to indicate which value or values to print:
 <code class="option">C</code> for the creation date,
 <code class="option">P</code> for the publication date,
 <code class="option">A</code> for the activation date,
 <code class="option">R</code> for the revocation date,
 <code class="option">I</code> for the inactivation date, or
 <code class="option">D</code> for the deletion date.
 To print all of the metadata, use <code class="option">-p all</code>.
<p><span class="citerefentry"><span class="refentrytitle">dnssec-keygen</span>(8)</span>,
 <span class="citerefentry"><span class="refentrytitle">dnssec-signzone</span>(8)</span>,
 <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
<p><span class="corpauthor">Internet Systems Consortium</span>