dnssec-settime(8)
DNSSEC-SETTIME(8) BIND9 DNSSEC-SETTIME(8)
NAME
dnssec-settime - set the key timing metadata for a DNSSEC
key
SYNOPSIS
dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset]
[-A date/offset] [-R date/offset]
[-I date/offset] [-D date/offset] [-h] [-V]
[-v level] [-E engine] {keyfile}
DESCRIPTION
dnssec-settime reads a DNSSEC private key file and sets the
key timing metadata as specified by the -P, -A, -R, -I, and
-D options. The metadata can then be used by dnssec-signzone
or other signing software to determine when a key is to be
published, whether it should be used for signing a zone,
etc.
If none of these options is set on the command line, then
dnssec-settime simply prints the key timing metadata already
stored in the key.
When key metadata fields are changed, both files of a key
pair (Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are
regenerated. Metadata fields are stored in the private file.
A human-readable description of the metadata is also placed
in comments in the key file. The private file's permissions
are always set to be inaccessible to anyone other than the
owner (mode 0600).
OPTIONS
-f
Force an update of an old-format key with no metadata
fields. Without this option, dnssec-settime will fail
when attempting to update a legacy key. With this
option, the key will be recreated in the new format, but
with the original key data retained. The key's creation
date will be set to the present time. If no other values
are specified, then the key's publication and activation
dates will also be set to the present time.
-K directory
Sets the directory in which the key files are to reside.
-L ttl
Sets the default TTL to use for this key when it is
converted into a DNSKEY RR. If the key is imported into
a zone, this is the TTL that will be used for it, unless
there was already a DNSKEY RRset in place, in which case
the existing TTL would take precedence. If this value is
not set and there is no existing DNSKEY RRset, the TTL
will default to the SOA TTL. Setting the default TTL to
ISC Last change: 2014-02-06 1
DNSSEC-SETTIME(8) BIND9 DNSSEC-SETTIME(8)
0 or none removes it from the key.
-h
Emit usage message and exit.
-V
Prints version information.
-v level
Sets the debugging level.
-E engine
Specifies the cryptographic hardware to use, when
applicable.
When BIND is built with OpenSSL PKCS#11 support, this
defaults to the string "pkcs11", which identifies an
OpenSSL engine that can drive a cryptographic
accelerator or hardware service module. When BIND is
built with native PKCS#11 cryptography
(--enable-native-pkcs11), it defaults to the path of the
PKCS#11 provider library specified via "--with-pkcs11".
TIMING OPTIONS
Dates can be expressed in the format YYYYMMDD or
YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it
is interpreted as an offset from the present time. For
convenience, if such an offset is followed by one of the
suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset
is computed in years (defined as 365 24-hour days, ignoring
leap years), months (defined as 30 24-hour days), weeks,
days, hours, or minutes, respectively. Without a suffix, the
offset is computed in seconds. To unset a date, use 'none'
or 'never'.
-P date/offset
Sets the date on which a key is to be published to the
zone. After that date, the key will be included in the
zone but will not be used to sign it.
-A date/offset
Sets the date on which the key is to be activated. After
that date, the key will be included in the zone and used
to sign it.
-R date/offset
Sets the date on which the key is to be revoked. After
that date, the key will be flagged as revoked. It will
be included in the zone and will be used to sign it.
-I date/offset
Sets the date on which the key is to be retired. After
ISC Last change: 2014-02-06 2
DNSSEC-SETTIME(8) BIND9 DNSSEC-SETTIME(8)
that date, the key will still be included in the zone,
but it will not be used to sign it.
-D date/offset
Sets the date on which the key is to be deleted. After
that date, the key will no longer be included in the
zone. (It may remain in the key repository, however.)
-S predecessor key
Select a key for which the key being modified will be an
explicit successor. The name, algorithm, size, and type
of the predecessor key must exactly match those of the
key being modified. The activation date of the successor
key will be set to the inactivation date of the
predecessor. The publication date will be set to the
activation date minus the prepublication interval, which
defaults to 30 days.
-i interval
Sets the prepublication interval for a key. If set, then
the publication and activation dates must be separated
by at least this much time. If the activation date is
specified but the publication date isn't, then the
publication date will default to this much time before
the activation date; conversely, if the publication date
is specified but activation date isn't, then activation
will be set to this much time after publication.
If the key is being set to be an explicit successor to
another key, then the default prepublication interval is
30 days; otherwise it is zero.
As with date offsets, if the argument is followed by one
of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then
the interval is measured in years, months, weeks, days,
hours, or minutes, respectively. Without a suffix, the
interval is measured in seconds.
PRINTING OPTIONS
dnssec-settime can also be used to print the timing metadata
associated with a key.
-u
Print times in UNIX epoch format.
-p C/P/A/R/I/D/all
Print a specific metadata value or set of metadata
values. The -p option may be followed by one or more of
the following letters to indicate which value or values
to print: C for the creation date, P for the
publication date, A for the activation date, R for the
revocation date, I for the inactivation date, or D for
ISC Last change: 2014-02-06 3
DNSSEC-SETTIME(8) BIND9 DNSSEC-SETTIME(8)
the deletion date. To print all of the metadata, use -p
all.
SEE ALSO
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator
Reference Manual, RFC 5011.
AUTHOR
Internet Systems Consortium, Inc.
COPYRIGHT
Copyright �8c�9 2009-2011, 2014-2016 Internet Systems
Consortium, Inc. ("ISC")
ISC Last change: 2014-02-06 4
Man(1) output converted with
man2html