<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2019 Internet Systems Consortium, Inc. ("ISC")
 - 
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>dnssec-settime</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.ch12.html" title="Manual pages">
<link rel="prev" href="man.dnssec-revoke.html" title="dnssec-revoke">
<link rel="next" href="man.dnssec-signzone.html" title="dnssec-signzone">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center"><span class="application">dnssec-settime</span></th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="man.dnssec-revoke.html">Prev</a> </td>
<th width="60%" align="center">Manual pages</th>
<td width="20%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="refentry">
<a name="man.dnssec-settime"></a><div class="titlepage"></div>
  
  

  

  <div class="refnamediv">
<h2>Name</h2>
<p>
    <span class="application">dnssec-settime</span>
     &#8212; set the key timing metadata for a DNSSEC key
  </p>
</div>

  

  <div class="refsynopsisdiv">
<h2>Synopsis</h2>
    <div class="cmdsynopsis"><p>
      <code class="command">dnssec-settime</code> 
       [<code class="option">-f</code>]
       [<code class="option">-K <em class="replaceable"><code>directory</code></em></code>]
       [<code class="option">-L <em class="replaceable"><code>ttl</code></em></code>]
       [<code class="option">-P <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-P sync <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-A <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-R <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-I <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-D <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-D sync <em class="replaceable"><code>date/offset</code></em></code>]
       [<code class="option">-S <em class="replaceable"><code>key</code></em></code>]
       [<code class="option">-i <em class="replaceable"><code>interval</code></em></code>]
       [<code class="option">-h</code>]
       [<code class="option">-V</code>]
       [<code class="option">-v <em class="replaceable"><code>level</code></em></code>]
       [<code class="option">-E <em class="replaceable"><code>engine</code></em></code>]
       {keyfile}
    </p></div>
  </div>

  <div class="refsection">
<a name="id-1.13.15.7"></a><h2>DESCRIPTION</h2>

    <p><span class="command"><strong>dnssec-settime</strong></span>
      reads a DNSSEC private key file and sets the key timing metadata
      as specified by the <code class="option">-P</code>, <code class="option">-A</code>,
      <code class="option">-R</code>, <code class="option">-I</code>, and <code class="option">-D</code>
      options.  The metadata can then be used by
      <span class="command"><strong>dnssec-signzone</strong></span> or other signing software to
      determine when a key is to be published, whether it should be
      used for signing a zone, etc.
    </p>
    <p>
      If none of these options is set on the command line,
      then <span class="command"><strong>dnssec-settime</strong></span> simply prints the key timing
      metadata already stored in the key.
    </p>
    <p>
      When key metadata fields are changed, both files of a key
      pair (<code class="filename">Knnnn.+aaa+iiiii.key</code> and
      <code class="filename">Knnnn.+aaa+iiiii.private</code>) are regenerated.
      Metadata fields are stored in the private file.  A human-readable
      description of the metadata is also placed in comments in the key
      file.  The private file's permissions are always set to be
      inaccessible to anyone other than the owner (mode 0600).
    </p>
  </div>

  <div class="refsection">
<a name="id-1.13.15.8"></a><h2>OPTIONS</h2>


    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-f</span></dt>
<dd>
          <p>
            Force an update of an old-format key with no metadata fields.
            Without this option, <span class="command"><strong>dnssec-settime</strong></span> will
            fail when attempting to update a legacy key.  With this option,
            the key will be recreated in the new format, but with the
            original key data retained.  The key's creation date will be
            set to the present time.  If no other values are specified,
            then the key's publication and activation dates will also
            be set to the present time.
          </p>
        </dd>
<dt><span class="term">-K <em class="replaceable"><code>directory</code></em></span></dt>
<dd>
          <p>
            Sets the directory in which the key files are to reside.
          </p>
        </dd>
<dt><span class="term">-L <em class="replaceable"><code>ttl</code></em></span></dt>
<dd>
          <p>
            Sets the default TTL to use for this key when it is converted
            into a DNSKEY RR.  If the key is imported into a zone,
            this is the TTL that will be used for it, unless there was
            already a DNSKEY RRset in place, in which case the existing TTL
            would take precedence.  If this value is not set and there
            is no existing DNSKEY RRset, the TTL will default to the
            SOA TTL. Setting the default TTL to <code class="literal">0</code>
            or <code class="literal">none</code> removes it from the key.
          </p>
        </dd>
<dt><span class="term">-h</span></dt>
<dd>
          <p>
            Emit usage message and exit.
          </p>
        </dd>
<dt><span class="term">-V</span></dt>
<dd>
          <p>
            Prints version information.
          </p>
        </dd>
<dt><span class="term">-v <em class="replaceable"><code>level</code></em></span></dt>
<dd>
          <p>
            Sets the debugging level.
          </p>
        </dd>
<dt><span class="term">-E <em class="replaceable"><code>engine</code></em></span></dt>
<dd>
          <p>
            Specifies the cryptographic hardware to use, when applicable.
          </p>
          <p>
            When BIND is built with OpenSSL PKCS#11 support, this defaults
            to the string "pkcs11", which identifies an OpenSSL engine
            that can drive a cryptographic accelerator or hardware security
            module.  When BIND is built with native PKCS#11 cryptography
            (--enable-native-pkcs11), it defaults to the path of the PKCS#11
            provider library specified via "--with-pkcs11".
          </p>
        </dd>
</dl></div>
  </div>

  <div class="refsection">
<a name="id-1.13.15.9"></a><h2>TIMING OPTIONS</h2>

    <p>
      Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
      If the argument begins with a '+' or '-', it is interpreted as
      an offset from the present time.  For convenience, if such an offset
      is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
      then the offset is computed in years (defined as 365 24-hour days,
      ignoring leap years), months (defined as 30 24-hour days), weeks,
      days, hours, or minutes, respectively.  Without a suffix, the offset
      is computed in seconds.  To unset a date, use 'none' or 'never'.
    </p>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-P <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
          <p>
            Sets the date on which a key is to be published to the zone.
            After that date, the key will be included in the zone but will
            not be used to sign it.
          </p>
        </dd>
<dt><span class="term">-P sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
          <p>
            Sets the date on which CDS and CDNSKEY records that match this
            key are to be published to the zone.
          </p>
        </dd>
<dt><span class="term">-A <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
          <p>
            Sets the date on which the key is to be activated.  After that
            date, the key will be included in the zone and used to sign
            it.
          </p>
        </dd>
<dt><span class="term">-R <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
          <p>
            Sets the date on which the key is to be revoked.  After that
            date, the key will be flagged as revoked.  It will be included
            in the zone and will be used to sign it.
          </p>
        </dd>
<dt><span class="term">-I <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
          <p>
            Sets the date on which the key is to be retired.  After that
            date, the key will still be included in the zone, but it
            will not be used to sign it.
          </p>
        </dd>
<dt><span class="term">-D <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
          <p>
            Sets the date on which the key is to be deleted.  After that
            date, the key will no longer be included in the zone.  (It
            may remain in the key repository, however.)
          </p>
        </dd>
<dt><span class="term">-D sync <em class="replaceable"><code>date/offset</code></em></span></dt>
<dd>
          <p>
            Sets the date on which the CDS and CDNSKEY records that match this
            key are to be deleted.
          </p>
        </dd>
<dt><span class="term">-S <em class="replaceable"><code>predecessor key</code></em></span></dt>
<dd>
          <p>
            Select a key for which the key being modified will be an
            explicit successor.  The name, algorithm, size, and type of the
            predecessor key must exactly match those of the key being
            modified.  The activation date of the successor key will be set
            to the inactivation date of the predecessor.  The publication
            date will be set to the activation date minus the prepublication
            interval, which defaults to 30 days.
          </p>
        </dd>
<dt><span class="term">-i <em class="replaceable"><code>interval</code></em></span></dt>
<dd>
          <p>
            Sets the prepublication interval for a key.  If set, then
            the publication and activation dates must be separated by at least
            this much time.  If the activation date is specified but the
            publication date isn't, then the publication date will default
            to this much time before the activation date; conversely, if
            the publication date is specified but activation date isn't,
            then activation will be set to this much time after publication.
          </p>
          <p>
            If the key is being set to be an explicit successor to another
            key, then the default prepublication interval is 30 days;
            otherwise it is zero.
          </p>
          <p>
            As with date offsets, if the argument is followed by one of
            the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the
            interval is measured in years, months, weeks, days, hours,
            or minutes, respectively.  Without a suffix, the interval is
            measured in seconds.
          </p>
        </dd>
</dl></div>
  </div>
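  <p>
    Added example (not part of the BIND documentation or source): a Python
    model of the date/offset rules in TIMING OPTIONS and of the
    -S and -i scheduling arithmetic, for checking a planned rollover before
    running the tool. Function names are hypothetical, absolute dates are
    assumed to be UTC, and rejecting a too-short gap is this model's reading
    of the -i rule.
  </p>

```python
# Added example: models the TIMING OPTIONS rules described on this page.
# Not BIND code; every function name below is hypothetical.
import re
from datetime import datetime, timedelta, timezone

# Suffix lengths in seconds as the page defines them:
# a year is 365 days and a month is 30 days, regardless of the calendar.
UNIT_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                "d": 86400, "h": 3600, "mi": 60, "": 1}
SUFFIX = r"(y|mo|w|d|h|mi)?"


def parse_interval(text):
    """Interval such as '30d' or '3600'; no suffix means seconds."""
    m = re.fullmatch(r"(\d+)" + SUFFIX, text)
    if not m:
        raise ValueError(f"bad interval: {text!r}")
    return timedelta(seconds=int(m.group(1)) * UNIT_SECONDS[m.group(2) or ""])


def parse_when(text, now):
    """Date/offset argument -> datetime, or None for 'none'/'never'."""
    if text in ("none", "never"):
        return None
    if text[:1] in ("+", "-"):
        delta = parse_interval(text[1:])
        return now + delta if text[0] == "+" else now - delta
    if re.fullmatch(r"\d{8}", text):
        fmt = "%Y%m%d"
    elif re.fullmatch(r"\d{14}", text):
        fmt = "%Y%m%d%H%M%S"
    else:
        raise ValueError(f"bad date/offset: {text!r}")
    # Assumption: absolute dates are treated as UTC in this model.
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def apply_prepub(publish, activate, interval):
    """-i: fill in whichever date is missing, reject a gap shorter than interval."""
    if publish is None and activate is not None:
        publish = activate - interval
    elif activate is None and publish is not None:
        activate = publish + interval
    if None not in (publish, activate) and interval > activate - publish:
        raise ValueError("publication and activation closer than the interval")
    return publish, activate


def successor_schedule(pred_inactive, prepub="30d"):
    """-S: activate when the predecessor goes inactive, publish prepub earlier."""
    if pred_inactive is None:
        raise ValueError("predecessor has no inactivation date")
    return apply_prepub(None, pred_inactive, parse_interval(prepub))


if __name__ == "__main__":
    now = datetime(2019, 3, 1, tzinfo=timezone.utc)  # constructed "present time"
    # "+1y" is 365 days, so it lands on 2020-02-29, not 2020-03-01.
    print("+1y  ->", parse_when("+1y", now))
    retire = parse_when("+6mo", now)                 # predecessor -I +6mo
    print("-S   ->", successor_schedule(retire))
```
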

  <div class="refsection">
<a name="id-1.13.15.10"></a><h2>PRINTING OPTIONS</h2>

    <p>
      <span class="command"><strong>dnssec-settime</strong></span> can also be used to print the
      timing metadata associated with a key.
    </p>

    <div class="variablelist"><dl class="variablelist">
<dt><span class="term">-u</span></dt>
<dd>
          <p>
            Print times in UNIX epoch format.
          </p>
        </dd>
<dt><span class="term">-p <em class="replaceable"><code>C/P/Psync/A/R/I/D/Dsync/all</code></em></span></dt>
<dd>
          <p>
            Print a specific metadata value or set of metadata values.
            The <code class="option">-p</code> option may be followed by one or more
            of the following letters or strings to indicate which value
            or values to print:
            <code class="option">C</code> for the creation date,
            <code class="option">P</code> for the publication date,
            <code class="option">Psync</code> for the CDS and CDNSKEY publication date,
            <code class="option">A</code> for the activation date,
            <code class="option">R</code> for the revocation date,
            <code class="option">I</code> for the inactivation date,
            <code class="option">D</code> for the deletion date, and
            <code class="option">Dsync</code> for the CDS and CDNSKEY deletion date.
            To print all of the metadata, use <code class="option">-p all</code>.
          </p>
        </dd>
</dl></div>
  </div>

  <div class="refsection">
<a name="id-1.13.15.11"></a><h2>SEE ALSO</h2>

    <p><span class="citerefentry">
        <span class="refentrytitle">dnssec-keygen</span>(8)
      </span>,
      <span class="citerefentry">
        <span class="refentrytitle">dnssec-signzone</span>(8)
      </span>,
      <em class="citetitle">BIND 9 Administrator Reference Manual</em>,
      <em class="citetitle">RFC 5011</em>.
    </p>
  </div>

</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="man.dnssec-revoke.html">Prev</a> </td>
<td width="20%" align="center"><a accesskey="u" href="Bv9ARM.ch12.html">Up</a></td>
<td width="40%" align="right"> <a accesskey="n" href="man.dnssec-signzone.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">
<span class="application">dnssec-revoke</span> </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> <span class="application">dnssec-signzone</span>
</td>
</tr>
</table>
</div>
<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.14.0 (Stable Release)</p>
</body>
</html>