Commit b843f577 authored by Evan Hunt's avatar Evan Hunt

2677. [func] Changes to key metadata behavior:

			- Keys without "publish" or "active" dates set will
			  no longer be used for smart signing.  However,
			  those dates will be set to "now" by default when
			  a key is created; to generate a key but not use
			  it yet, use dnssec-keygen -G.
			- New "inactive" date (dnssec-keygen/settime -I)
			  sets the time when a key is no longer used for
			  signing but is still published.
			- The "unpublished" date (-U) is deprecated in
			  favor of "deleted" (-D).
			[rt20247]
parent d00827da
2677. [func] Changes to key metadata behavior:
- Keys without "publish" or "active" dates set will
no longer be used for smart signing. However,
those dates will be set to "now" by default when
a key is created; to generate a key but not use
it yet, use dnssec-keygen -G.
- New "inactive" date (dnssec-keygen/settime -I)
sets the time when a key is no longer used for
signing but is still published.
- The "unpublished" date (-U) is deprecated in
favor of "deleted" (-D).
[rt20247]
2676. [bug] --with-export-installdir should have been
--with-export-includedir. [RT #20252]
......
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keyfromlabel.c,v 1.13 2009/09/07 23:11:48 fdupont Exp $ */
/* $Id: dnssec-keyfromlabel.c,v 1.14 2009/09/14 18:45:45 each Exp $ */
/*! \file */
......@@ -78,10 +78,11 @@ usage(void) {
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
fprintf(stderr, " -U date/[+-]offset: set key unpublication date\n");
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting"
" dates\n");
" all dates\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
......@@ -114,14 +115,15 @@ main(int argc, char **argv) {
int options = DST_TYPE_PRIVATE | DST_TYPE_PUBLIC;
char *label = NULL, *engine = NULL;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t unpublish = 0, delete = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t genonly = ISC_FALSE;
if (argc == 1)
usage();
......@@ -135,7 +137,7 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
"a:Cc:f:K:kl:n:p:t:v:FhP:A:R:U:D:")) != -1)
"a:Cc:f:K:kl:n:p:t:v:FhGP:A:R:I:D:")) != -1)
{
switch (ch) {
case 'a':
......@@ -182,6 +184,9 @@ main(int argc, char **argv) {
if (*endp != '\0')
fatal("-v must be followed by a number");
break;
case 'G':
genonly = ISC_TRUE;
break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
......@@ -218,16 +223,16 @@ main(int argc, char **argv) {
unsetrev = ISC_TRUE;
}
break;
case 'U':
if (setunpub || unsetunpub)
fatal("-U specified more than once");
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setunpub = ISC_TRUE;
unpublish = strtotime(isc_commandline_argument,
now, now);
setinact = ISC_TRUE;
inactive = strtotime(isc_commandline_argument,
now, now);
} else {
unsetunpub = ISC_TRUE;
unsetinact = ISC_TRUE;
}
break;
case 'D':
......@@ -381,26 +386,40 @@ main(int argc, char **argv) {
/*
* Set key timing metadata (unless using -C)
*
* Publish and activation dates are set to "now" by default, but
* can be overridden. Creation date is always set to "now".
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
if (genonly && (setpub || setact))
fatal("cannot use -G together with -P or -A options");
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH, publish);
else if (!genonly)
dst_key_settime(key, DST_TIME_PUBLISH, now);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE, activate);
else if (!genonly)
dst_key_settime(key, DST_TIME_ACTIVATE, now);
if (setrev)
dst_key_settime(key, DST_TIME_REVOKE, revoke);
if (setunpub)
dst_key_settime(key, DST_TIME_UNPUBLISH, unpublish);
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE, inactive);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, delete);
} else {
if (setpub || setact || setrev || setunpub ||
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
unsetrev || unsetunpub || unsetdel)
unsetrev || unsetinact || unsetdel || genonly)
fatal("cannot use -C together with "
"-P, -A, -R, -U, or -D options");
"-P, -A, -R, -I, -D, or -G options");
/*
* Compatibility mode: Private-key-format
* should be set to 1.2.
......
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.9 2009/09/07 12:54:59 fdupont Exp $ -->
<!-- $Id: dnssec-keyfromlabel.docbook,v 1.10 2009/09/14 18:45:45 each Exp $ -->
<refentry id="man.dnssec-keyfromlabel">
<refentryinfo>
<date>February 8, 2008</date>
......@@ -51,6 +51,8 @@
<arg><option>-c <replaceable class="parameter">class</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-n <replaceable class="parameter">nametype</replaceable></option></arg>
......@@ -58,7 +60,6 @@
<arg><option>-p <replaceable class="parameter">protocol</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg choice="req">name</arg>
</cmdsynopsis>
......@@ -160,6 +161,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-h</term>
<listitem>
......@@ -245,7 +256,8 @@
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
......@@ -256,7 +268,8 @@
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included and the zone and used to sign
it.
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
......@@ -276,9 +289,9 @@
<term>-U <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be unpublished. After that
date, the key will no longer be included in the zone, but it
may remain in the key repository.
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
......@@ -288,10 +301,8 @@
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key can be removed from the key repository.
NOTE: Keys are not currently deleted automatically; this field
is included for informational purposes and for future
development.
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
......
......@@ -29,7 +29,7 @@
* IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-keygen.c,v 1.94 2009/09/07 12:54:59 fdupont Exp $ */
/* $Id: dnssec-keygen.c,v 1.95 2009/09/14 18:45:45 each Exp $ */
/*! \file */
......@@ -131,13 +131,16 @@ usage(void) {
fprintf(stderr, " usage | trace | record | size | mctx\n");
fprintf(stderr, " -v <level>: set verbosity level (0 - 10)\n");
fprintf(stderr, "Date options:\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date\n");
fprintf(stderr, " -P date/[+-]offset: set key publication date "
"(default: now)\n");
fprintf(stderr, " -A date/[+-]offset: set key activation date "
"(default: now)\n");
fprintf(stderr, " -R date/[+-]offset: set key revocation date\n");
fprintf(stderr, " -U date/[+-]offset: set key unpublication date\n");
fprintf(stderr, " -I date/[+-]offset: set key inactivation date\n");
fprintf(stderr, " -D date/[+-]offset: set key deletion date\n");
fprintf(stderr, " -G: generate key only; do not set -P or -A\n");
fprintf(stderr, " -C: generate a backward-compatible key, omitting "
"dates\n");
"all dates\n");
fprintf(stderr, "Output:\n");
fprintf(stderr, " K<name>+<alg>+<id>.key, "
"K<name>+<alg>+<id>.private\n");
......@@ -172,14 +175,15 @@ main(int argc, char **argv) {
int dbits = 0;
isc_boolean_t use_default = ISC_FALSE, use_nsec3 = ISC_FALSE;
isc_stdtime_t publish = 0, activate = 0, revoke = 0;
isc_stdtime_t unpublish = 0, delete = 0;
isc_stdtime_t inactive = 0, delete = 0;
isc_stdtime_t now;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t genonly = ISC_FALSE;
if (argc == 1)
usage();
......@@ -191,7 +195,7 @@ main(int argc, char **argv) {
/*
* Process memory debugging argument first.
*/
#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hP:A:R:U:D:"
#define CMDLINE_FLAGS "3a:b:Cc:d:eFf:g:K:km:n:p:r:s:T:t:v:hGP:A:R:I:D:"
while ((ch = isc_commandline_parse(argc, argv, CMDLINE_FLAGS)) != -1) {
switch (ch) {
case 'm':
......@@ -310,6 +314,9 @@ main(int argc, char **argv) {
case 'z':
/* already the default */
break;
case 'G':
genonly = ISC_TRUE;
break;
case 'P':
if (setpub || unsetpub)
fatal("-P specified more than once");
......@@ -346,16 +353,16 @@ main(int argc, char **argv) {
unsetrev = ISC_TRUE;
}
break;
case 'U':
if (setunpub || unsetunpub)
fatal("-U specified more than once");
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
if (strcasecmp(isc_commandline_argument, "none")) {
setunpub = ISC_TRUE;
unpublish = strtotime(isc_commandline_argument,
now, now);
setinact = ISC_TRUE;
inactive = strtotime(isc_commandline_argument,
now, now);
} else {
unsetunpub = ISC_TRUE;
unsetinact = ISC_TRUE;
}
break;
case 'D':
......@@ -665,31 +672,44 @@ main(int argc, char **argv) {
/*
* Set key timing metadata (unless using -C)
*
* Publish and activation dates are set to "now" by default,
* but can be overridden. Creation date is always set to
* "now".
*/
if (!oldstyle) {
dst_key_settime(key, DST_TIME_CREATED, now);
if (genonly && (setpub || setact))
fatal("cannot use -G together with "
"-P or -A options");
if (setpub)
dst_key_settime(key, DST_TIME_PUBLISH,
publish);
dst_key_settime(key, DST_TIME_PUBLISH, publish);
else if (!genonly)
dst_key_settime(key, DST_TIME_PUBLISH, now);
if (setact)
dst_key_settime(key, DST_TIME_ACTIVATE,
activate);
else if (!genonly)
dst_key_settime(key, DST_TIME_ACTIVATE, now);
if (setrev)
dst_key_settime(key, DST_TIME_REVOKE,
revoke);
if (setunpub)
dst_key_settime(key, DST_TIME_UNPUBLISH,
unpublish);
dst_key_settime(key, DST_TIME_REVOKE, revoke);
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE,
inactive);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE,
delete);
dst_key_settime(key, DST_TIME_DELETE, delete);
} else {
if (setpub || setact || setrev || setunpub ||
if (setpub || setact || setrev || setinact ||
setdel || unsetpub || unsetact ||
unsetrev || unsetunpub || unsetdel)
unsetrev || unsetinact || unsetdel || genonly)
fatal("cannot use -C together with "
"-P, -A, -R, -U, or -D options");
"-P, -A, -R, -I, -D, or -G options");
/*
* Compatibility mode: Private-key-format
* should be set to 1.2.
......
......@@ -18,7 +18,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-keygen.docbook,v 1.27 2009/09/02 06:29:00 each Exp $ -->
<!-- $Id: dnssec-keygen.docbook,v 1.28 2009/09/14 18:45:45 each Exp $ -->
<refentry id="man.dnssec-keygen">
<refentryinfo>
<date>June 30, 2000</date>
......@@ -66,8 +66,10 @@
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-e</option></arg>
<arg><option>-f <replaceable class="parameter">flag</replaceable></option></arg>
<arg><option>-G</option></arg>
<arg><option>-g <replaceable class="parameter">generator</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-k</option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
......@@ -76,7 +78,6 @@
<arg><option>-r <replaceable class="parameter">randomdev</replaceable></option></arg>
<arg><option>-s <replaceable class="parameter">strength</replaceable></option></arg>
<arg><option>-t <replaceable class="parameter">type</replaceable></option></arg>
<arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
<arg><option>-z</option></arg>
<arg choice="req">name</arg>
......@@ -224,6 +225,16 @@
</listitem>
</varlistentry>
<varlistentry>
<term>-G</term>
<listitem>
<para>
Generate a key, but do not publish it or sign with it. This
option is incompatible with -P and -A.
</para>
</listitem>
</varlistentry>
<varlistentry>
<term>-g <replaceable class="parameter">generator</replaceable></term>
<listitem>
......@@ -365,7 +376,8 @@
<para>
Sets the date on which a key is to be published to the zone.
After that date, the key will be included in the zone but will
not be used to sign it.
not be used to sign it. If not set, and if the -G option has
not been used, the default is "now".
</para>
</listitem>
</varlistentry>
......@@ -376,7 +388,8 @@
<para>
Sets the date on which the key is to be activated. After that
date, the key will be included and the zone and used to sign
it.
it. If not set, and if the -G option has not been used, the
default is "now".
</para>
</listitem>
</varlistentry>
......@@ -393,12 +406,12 @@
</varlistentry>
<varlistentry>
<term>-U <replaceable class="parameter">date/offset</replaceable></term>
<term>-I <replaceable class="parameter">date/offset</replaceable></term>
<listitem>
<para>
Sets the date on which the key is to be unpublished. After that
date, the key will no longer be included in the zone, but it
may remain in the key repository.
Sets the date on which the key is to be retired. After that
date, the key will still be included in the zone, but it
will not be used to sign it.
</para>
</listitem>
</varlistentry>
......@@ -408,10 +421,8 @@
<listitem>
<para>
Sets the date on which the key is to be deleted. After that
date, the key can be removed from the key repository.
NOTE: Keys are not currently deleted automatically; this field
is included for informational purposes and for future
development.
date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
</para>
</listitem>
</varlistentry>
......
......@@ -14,7 +14,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: dnssec-settime.c,v 1.11 2009/09/04 16:57:22 each Exp $ */
/* $Id: dnssec-settime.c,v 1.12 2009/09/14 18:45:45 each Exp $ */
/*! \file */
......@@ -66,8 +66,8 @@ usage(void) {
"activation date\n");
fprintf(stderr, " -R date/[+-]offset/none: set key "
"revocation date\n");
fprintf(stderr, " -U date/[+-]offset/none: set key "
"unpublication date\n");
fprintf(stderr, " -I date/[+-]offset/none: set key "
"inactivation date\n");
fprintf(stderr, " -D date/[+-]offset/none: set key "
"deletion date\n");
fprintf(stderr, "Printing options:\n");
......@@ -119,16 +119,16 @@ main(int argc, char **argv) {
isc_buffer_t buf;
int major, minor;
isc_stdtime_t now;
isc_stdtime_t pub = 0, act = 0, rev = 0, unpub = 0, del = 0;
isc_stdtime_t pub = 0, act = 0, rev = 0, inact = 0, del = 0;
isc_boolean_t setpub = ISC_FALSE, setact = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setunpub = ISC_FALSE;
isc_boolean_t setrev = ISC_FALSE, setinact = ISC_FALSE;
isc_boolean_t setdel = ISC_FALSE;
isc_boolean_t unsetpub = ISC_FALSE, unsetact = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetunpub = ISC_FALSE;
isc_boolean_t unsetrev = ISC_FALSE, unsetinact = ISC_FALSE;
isc_boolean_t unsetdel = ISC_FALSE;
isc_boolean_t printcreate = ISC_FALSE, printpub = ISC_FALSE;
isc_boolean_t printact = ISC_FALSE, printrev = ISC_FALSE;
isc_boolean_t printunpub = ISC_FALSE, printdel = ISC_FALSE;
isc_boolean_t printinact = ISC_FALSE, printdel = ISC_FALSE;
isc_boolean_t forceupdate = ISC_FALSE;
isc_boolean_t epoch = ISC_FALSE;
isc_boolean_t changed = ISC_FALSE;
......@@ -147,7 +147,7 @@ main(int argc, char **argv) {
isc_stdtime_get(&now);
while ((ch = isc_commandline_parse(argc, argv,
"fK:uhp:v:P:A:R:U:D:")) != -1) {
"fK:uhp:v:P:A:R:I:D:")) != -1) {
switch (ch) {
case 'f':
forceupdate = ISC_TRUE;
......@@ -159,7 +159,7 @@ main(int argc, char **argv) {
printpub = ISC_TRUE;
printact = ISC_TRUE;
printrev = ISC_TRUE;
printunpub = ISC_TRUE;
printinact = ISC_TRUE;
printdel = ISC_TRUE;
break;
}
......@@ -178,8 +178,8 @@ main(int argc, char **argv) {
case 'R':
printrev = ISC_TRUE;
break;
case 'U':
printunpub = ISC_TRUE;
case 'I':
printinact = ISC_TRUE;
break;
case 'D':
printdel = ISC_TRUE;
......@@ -251,16 +251,16 @@ main(int argc, char **argv) {
now, now);
}
break;
case 'U':
if (setunpub || unsetunpub)
fatal("-U specified more than once");
case 'I':
if (setinact || unsetinact)
fatal("-I specified more than once");
changed = ISC_TRUE;
if (!strcasecmp(isc_commandline_argument, "none")) {
unsetunpub = ISC_TRUE;
unsetinact = ISC_TRUE;
} else {
setunpub = ISC_TRUE;
unpub = strtotime(isc_commandline_argument,
setinact = ISC_TRUE;
inact = strtotime(isc_commandline_argument,
now, now);
}
break;
......@@ -360,7 +360,7 @@ main(int argc, char **argv) {
dst_key_unsettime(key, DST_TIME_ACTIVATE);
if (setrev) {
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0 && rev > now)
if ((dst_key_flags(key) & DNS_KEYFLAG_REVOKE) != 0)
fprintf(stderr, "%s: warning: Key %s is already "
"revoked; changing the revocation date "
"will not affect this.\n",
......@@ -375,10 +375,10 @@ main(int argc, char **argv) {
dst_key_unsettime(key, DST_TIME_REVOKE);
}
if (setunpub)
dst_key_settime(key, DST_TIME_UNPUBLISH, unpub);
else if (unsetunpub)
dst_key_unsettime(key, DST_TIME_UNPUBLISH);
if (setinact)
dst_key_settime(key, DST_TIME_INACTIVE, inact);
else if (unsetinact)
dst_key_unsettime(key, DST_TIME_INACTIVE);
if (setdel)
dst_key_settime(key, DST_TIME_DELETE, del);
......@@ -400,8 +400,8 @@ main(int argc, char **argv) {
if (printrev)
printtime(key, DST_TIME_REVOKE, "Revoke", epoch, stdout);
if (printunpub)
printtime(key, DST_TIME_UNPUBLISH, "Unpublish", epoch, stdout);
if (printinact)
printtime(key, DST_TIME_INACTIVE, "Inactive", epoch, stdout);
if (printdel)
printtime(key, DST_TIME_DELETE, "Delete", epoch, stdout);
......
......@@ -17,7 +17,7 @@
- PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: dnssec-settime.docbook,v 1.3 2009/09/02 06:29:00 each Exp $ -->
<!-- $Id: dnssec-settime.docbook,v 1.4 2009/09/14 18:45:45 each Exp $ -->
<refentry id="man.dnssec-settime">
<refentryinfo>
<date>July 15, 2009</date>
......@@ -44,12 +44,12 @@
<refsynopsisdiv>
<cmdsynopsis>
<command>dnssec-settime</command>
<arg><option>-fr</option></arg>
<arg><option>-f</option></arg>
<arg><option>-K <replaceable class="parameter">directory</replaceable></option></arg>
<arg><option>-P <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-A <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-R <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-U <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-I <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-D <replaceable class="parameter">date/offset</replaceable></option></arg>
<arg><option>-h</option></arg>
<arg><option>-v <replaceable class="parameter">level</replaceable></option></arg>
......@@ -62,7 +62,7 @@
<para><command>dnssec-settime</command>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <option>-P</option>, <option>-A</option>,
<option>-R</option>, <option>-U</option>, and <option>-D</option>
<option>-R</option>, <option>-I</option>, and <option>-D</option>
options. The metadata can then be used by
<