DOC HOME SITE MAP MAN PAGES GNU INFO SEARCH PRINT BOOK
 

dnssec-settime(8)





NAME

       dnssec-settime - set the key timing metadata for a DNSSEC key


SYNOPSIS

       dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset]
                      [-A date/offset] [-R date/offset] [-I date/offset]
                      [-D date/offset] [-h] [-V] [-v level] [-E engine]
                      {keyfile}


DESCRIPTION

       dnssec-settime reads a DNSSEC private key file and sets the key timing
       metadata as specified by the -P, -A, -R, -I, and -D options. The
       metadata can then be used by dnssec-signzone or other signing software
       to determine when a key is to be published, whether it should be used
       for signing a zone, etc.

       If none of these options is set on the command line, then
       dnssec-settime simply prints the key timing metadata already stored in
       the key.

       When key metadata fields are changed, both files of a key pair
       (Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are regenerated.
       Metadata fields are stored in the private file. A human-readable
       description of the metadata is also placed in comments in the key file.
       The private file's permissions are always set to be inaccessible to
       anyone other than the owner (mode 0600).


OPTIONS

       -f
           Force an update of an old-format key with no metadata fields.
           Without this option, dnssec-settime will fail when attempting to
           update a legacy key. With this option, the key will be recreated in
           the new format, but with the original key data retained. The key's
           creation date will be set to the present time. If no other values
           are specified, then the key's publication and activation dates will
           also be set to the present time.

       -K directory
           Sets the directory in which the key files are to reside.

       -L ttl
           Sets the default TTL to use for this key when it is converted into
           a DNSKEY RR. If the key is imported into a zone, this is the TTL
           that will be used for it, unless there was already a DNSKEY RRset
           in place, in which case the existing TTL would take precedence. If
           this value is not set and there is no existing DNSKEY RRset, the
           TTL will default to the SOA TTL. Setting the default TTL to 0 or
           none removes it from the key.

       -h
           Emit usage message and exit.

       -V
           Prints version information.

       -v level
           Sets the debugging level.

       -E engine
           Specifies the cryptographic hardware to use, when applicable.

           When BIND is built with OpenSSL PKCS#11 support, this defaults to
           the string "pkcs11", which identifies an OpenSSL engine that can
           drive a cryptographic accelerator or hardware service module. When
           BIND is built with native PKCS#11 cryptography
           (--enable-native-pkcs11), it defaults to the path of the PKCS#11
           provider library specified via "--with-pkcs11".


TIMING OPTIONS

       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
       argument begins with a '+' or '-', it is interpreted as an offset from
       the present time. For convenience, if such an offset is followed by one
       of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is
       computed in years (defined as 365 24-hour days, ignoring leap years),
       months (defined as 30 24-hour days), weeks, days, hours, or minutes,
       respectively. Without a suffix, the offset is computed in seconds. To
       unset a date, use 'none' or 'never'.

       -P date/offset
           Sets the date on which a key is to be published to the zone. After
           that date, the key will be included in the zone but will not be
           used to sign it.

       -A date/offset
           Sets the date on which the key is to be activated. After that date,
           the key will be included in the zone and used to sign it.

       -R date/offset
           Sets the date on which the key is to be revoked. After that date,
           the key will be flagged as revoked. It will be included in the zone
           and will be used to sign it.

       -I date/offset
           Sets the date on which the key is to be retired. After that date,
           the key will still be included in the zone, but it will not be used
           to sign it.

       -D date/offset
           Sets the date on which the key is to be deleted. After that date,
           the key will no longer be included in the zone. (It may remain in
           the key repository, however.)

       -S predecessor key
           Select a key for which the key being modified will be an explicit
           successor. The name, algorithm, size, and type of the predecessor
           key must exactly match those of the key being modified. The
           activation date of the successor key will be set to the
           inactivation date of the predecessor. The publication date will be
           set to the activation date minus the prepublication interval, which
           defaults to 30 days.

       -i interval
           Sets the prepublication interval for a key. If set, then the
           publication and activation dates must be separated by at least this
           much time. If the activation date is specified but the publication
           date isn't, then the publication date will default to this much
           time before the activation date; conversely, if the publication
           date is specified but activation date isn't, then activation will
           be set to this much time after publication.

           If the key is being set to be an explicit successor to another key,
           then the default prepublication interval is 30 days; otherwise it
           is zero.

           As with date offsets, if the argument is followed by one of the
           suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is
           measured in years, months, weeks, days, hours, or minutes,
           respectively. Without a suffix, the interval is measured in
           seconds.


PRINTING OPTIONS

       dnssec-settime can also be used to print the timing metadata associated
       with a key.

       -u
           Print times in UNIX epoch format.

       -p C/P/A/R/I/D/all
           Print a specific metadata value or set of metadata values. The -p
           option may be followed by one or more of the following letters to
           indicate which value or values to print: C for the creation date, P
           for the publication date, A for the activation date, R for the
           revocation date, I for the inactivation date, or D for the deletion
           date. To print all of the metadata, use -p all.


SEE ALSO

       dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference
       Manual, RFC 5011.


AUTHOR

       Internet Systems Consortium, Inc.


COPYRIGHT

       Copyright (C) 2009-2011, 2014-2016 Internet Systems Consortium, Inc.
       ("ISC")

ISC                               2014-02-06                 DNSSEC-SETTIME(8)

Man(1) output converted with man2html