table of contents
other versions
- wheezy 1:9.8.4.dfsg.P1-6+nmu2+deb7u10
- wheezy-backports 1:9.9.5.dfsg-4~bpo70+1
- jessie 1:9.9.5.dfsg-9+deb8u10
- testing 1:9.10.3.dfsg.P4-12.3
- unstable 1:9.10.3.dfsg.P4-12.3
- experimental 1:9.10.4-P5-1
| DNSSEC-SETTIME(8) | BIND9 | DNSSEC-SETTIME(8) |
NAME¶
dnssec-settime - Set the key timing metadata for a DNSSEC keySYNOPSIS¶
dnssec-settime
[ -f] [-K directory]
[-L ttl] [-P date/offset]
[ -A date/offset]
[-R date/offset] [
-I date/offset] [
-D date/offset] [ -h]
[-v level] [-E engine]
{keyfile}
DESCRIPTION¶
dnssec-settime reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, -R, -I, and -D options. The metadata can then be used by dnssec-signzone or other signing software to determine when a key is to be published, whether it should be used for signing a zone, etc. If none of these options is set on the command line, then dnssec-settime simply prints the key timing metadata already stored in the key. When key metadata fields are changed, both files of a key pair ( Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are regenerated. Metadata fields are stored in the private file. A human-readable description of the metadata is also placed in comments in the key file. The private file's permissions are always set to be inaccessible to anyone other than the owner (mode 0600).OPTIONS¶
-fForce an update of an old-format key with no
metadata fields. Without this option, dnssec-settime will fail when
attempting to update a legacy key. With this option, the key will be recreated
in the new format, but with the original key data retained. The key's creation
date will be set to the present time. If no other values are specified, then
the key's publication and activation dates will also be set to the present
time.
-K directory
Sets the directory in which the key files are
to reside.
-L ttl
Sets the default TTL to use for this key when
it is converted into a DNSKEY RR. If the key is imported into a zone, this is
the TTL that will be used for it, unless there was already a DNSKEY RRset in
place, in which case the existing TTL would take precedence. Setting the
default TTL to 0 or none removes it.
-h
Emit usage message and exit.
-v level
Sets the debugging level.
-E engine
Use the given OpenSSL engine. When compiled
with PKCS#11 support it defaults to pkcs11; the empty name resets it to no
engine.
TIMING OPTIONS¶
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a '+' or '-', it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is computed in years (defined as 365 24-hour days, ignoring leap years), months (defined as 30 24-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To unset a date, use 'none'. -P date/offsetSets the date on which a key is to be
published to the zone. After that date, the key will be included in the zone
but will not be used to sign it.
-A date/offset
Sets the date on which the key is to be
activated. After that date, the key will be included in the zone and used to
sign it.
-R date/offset
Sets the date on which the key is to be
revoked. After that date, the key will be flagged as revoked. It will be
included in the zone and will be used to sign it.
-I date/offset
Sets the date on which the key is to be
retired. After that date, the key will still be included in the zone, but it
will not be used to sign it.
-D date/offset
Sets the date on which the key is to be
deleted. After that date, the key will no longer be included in the zone. (It
may remain in the key repository, however.)
-S predecessor key
Select a key for which the key being modified
will be an explicit successor. The name, algorithm, size, and type of the
predecessor key must exactly match those of the key being modified. The
activation date of the successor key will be set to the inactivation date of
the predecessor. The publication date will be set to the activation date minus
the prepublication interval, which defaults to 30 days.
-i interval
Sets the prepublication interval for a key. If
set, then the publication and activation dates must be separated by at least
this much time. If the activation date is specified but the publication date
isn't, then the publication date will default to this much time before the
activation date; conversely, if the publication date is specified but
activation date isn't, then activation will be set to this much time after
publication.
If the key is being set to be an explicit successor to another key, then the
default prepublication interval is 30 days; otherwise it is zero.
As with date offsets, if the argument is followed by one of the suffixes 'y',
'mo', 'w', 'd', 'h', or 'mi', then the interval is measured in years, months,
weeks, days, hours, or minutes, respectively. Without a suffix, the interval
is measured in seconds.
PRINTING OPTIONS¶
dnssec-settime can also be used to print the timing metadata associated with a key. -uPrint times in UNIX epoch format.
-p C/P/A/R/I/D/all
Print a specific metadata value or set of
metadata values. The -p option may be followed by one or more of the
following letters to indicate which value or values to print: C for the
creation date, P for the publication date, A for the activation
date, R for the revocation date, I for the inactivation date, or
D for the deletion date. To print all of the metadata, use -p
all.
SEE ALSO¶
dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference Manual, RFC 5011.AUTHOR¶
Internet Systems ConsortiumCOPYRIGHT¶
Copyright © 2009-2011 Internet Systems Consortium, Inc. ("ISC")| July 15, 2009 | BIND9 |