Man Pages

dnssec-settime(8) - phpMan dnssec-settime(8) - phpMan

Command: man perldoc info search(apropos)  


DNSSEC-SETTIME(8)                    BIND9                   DNSSEC-SETTIME(8)



NAME
       dnssec-settime - Set the key timing metadata for a DNSSEC key

SYNOPSIS
       dnssec-settime [-f] [-K directory] [-P date/offset] [-A date/offset] [-R date/offset] [-I date/offset]
                      [-D date/offset] [-h] [-v level] [-E engine] {keyfile}

DESCRIPTION
       dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, -R,
       -I, and -D options. The metadata can then be used by dnssec-signzone or other signing software to determine
       when a key is to be published, whether it should be used for signing a zone, etc.

       If none of these options is set on the command line, then dnssec-settime simply prints the key timing metadata
       already stored in the key.

       When key metadata fields are changed, both files of a key pair (Knnnn.+aaa+iiiii.key and
       Knnnn.+aaa+iiiii.private) are regenerated. Metadata fields are stored in the private file. A human-readable
       description of the metadata is also placed in comments in the key file. The private file's permissions are
       always set to be inaccessible to anyone other than the owner (mode 0600).

OPTIONS
       -f
           Force an update of an old-format key with no metadata fields. Without this option, dnssec-settime will fail
           when attempting to update a legacy key. With this option, the key will be recreated in the new format, but
           with the original key data retained. The key's creation date will be set to the present time. If no other
           values are specified, then the key's publication and activation dates will also be set to the present time.

       -K directory
           Sets the directory in which the key files are to reside.

       -h
           Emit usage message and exit.

       -v level
           Sets the debugging level.

       -E engine
           Use the given OpenSSL engine. When compiled with PKCS#11 support it defaults to pkcs11; the empty name
           resets it to no engine.

TIMING OPTIONS
       Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it
       is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the
       suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24-hour days,
       ignoring leap years), months (defined as 30 24-hour days), weeks, days, hours, or minutes, respectively.
       Without a suffix, the offset is computed in seconds. To unset a date, use 'none'.

       -P date/offset
           Sets the date on which a key is to be published to the zone. After that date, the key will be included in
           the zone but will not be used to sign it.

       -A date/offset
           Sets the date on which the key is to be activated. After that date, the key will be included in the zone
           and used to sign it.

       -R date/offset
           Sets the date on which the key is to be revoked. After that date, the key will be flagged as revoked. It
           will be included in the zone and will be used to sign it.

       -I date/offset
           Sets the date on which the key is to be retired. After that date, the key will still be included in the
           zone, but it will not be used to sign it.

       -D date/offset
           Sets the date on which the key is to be deleted. After that date, the key will no longer be included in the
           zone. (It may remain in the key repository, however.)

       -S predecessor key
           Select a key for which the key being modified will be an explicit successor. The name, algorithm, size, and
           type of the predecessor key must exactly match those of the key being modified. The activation date of the
           successor key will be set to the inactivation date of the predecessor. The publication date will be set to
           the activation date minus the prepublication interval, which defaults to 30 days.

       -i interval
           Sets the prepublication interval for a key. If set, then the publication and activation dates must be
           separated by at least this much time. If the activation date is specified but the publication date isn't,
           then the publication date will default to this much time before the activation date; conversely, if the
           publication date is specified but activation date isn't, then activation will be set to this much time
           after publication.

           If the key is being set to be an explicit successor to another key, then the default prepublication
           interval is 30 days; otherwise it is zero.

           As with date offsets, if the argument is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi',
           then the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a
           suffix, the interval is measured in seconds.

PRINTING OPTIONS
       dnssec-settime can also be used to print the timing metadata associated with a key.

       -u
           Print times in UNIX epoch format.

       -p C/P/A/R/I/D/all
           Print a specific metadata value or set of metadata values. The -p option may be followed by one or more of
           the following letters to indicate which value or values to print: C for the creation date, P for the
           publication date, A for the activation date, R for the revocation date, I for the inactivation date, or D
           for the deletion date. To print all of the metadata, use -p all.

SEE ALSO
       dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 5011.

AUTHOR
       Internet Systems Consortium

COPYRIGHT
       Copyright (C) 2009-2011 Internet Systems Consortium, Inc. ("ISC")



BIND9                            July 15, 2009               DNSSEC-SETTIME(8)