1DNSSEC-SETTIME(8) BIND9 DNSSEC-SETTIME(8)
2
6 dnssec-settime - Set the key timing metadata for a DNSSEC key
7
9 dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset]
10 [-A date/offset] [-R date/offset] [-I date/offset]
11 [-D date/offset] [-h] [-v level] [-E engine] {keyfile}
12
14 dnssec-settime reads a DNSSEC private key file and sets the key timing
15 metadata as specified by the -P, -A, -R, -I, and -D options. The
16 metadata can then be used by dnssec-signzone or other signing software
17 to determine when a key is to be published, whether it should be used
18 for signing a zone, etc.
19 If none of these options is set on the command line, then
21 dnssec-settime simply prints the key timing metadata already stored in
22 the key.
23 When key metadata fields are changed, both files of a key pair
25 (Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are regenerated.
26 Metadata fields are stored in the private file. A human-readable
27 description of the metadata is also placed in comments in the key file.
28 The private file's permissions are always set to be inaccessible to
29 anyone other than the owner (mode 0600).
30
32 -f
33 Force an update of an old-format key with no metadata fields.
34 Without this option, dnssec-settime will fail when attempting to
35 update a legacy key. With this option, the key will be recreated in
36 the new format, but with the original key data retained. The key's
37 creation date will be set to the present time. If no other values
38 are specified, then the key's publication and activation dates will
39 also be set to the present time.
40 -K directory
42 Sets the directory in which the key files are to reside.
43 -L ttl
45 Sets the default TTL to use for this key when it is converted into
46 a DNSKEY RR. If the key is imported into a zone, this is the TTL
47 that will be used for it, unless there was already a DNSKEY RRset
48 in place, in which case the existing TTL would take precedence.
49 Setting the default TTL to 0 or none removes it.
50 -h
52 Emit usage message and exit.
53 -v level
55 Sets the debugging level.
56 -E engine
58 Use the given OpenSSL engine. When compiled with PKCS#11 support it
59 defaults to pkcs11; the empty name resets it to no engine.
60
62 Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the
63 argument begins with a '+' or '-', it is interpreted as an offset from
64 the present time. For convenience, if such an offset is followed by one
65 of the suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the offset is
66 computed in years (defined as 365 24-hour days, ignoring leap years),
67 months (defined as 30 24-hour days), weeks, days, hours, or minutes,
68 respectively. Without a suffix, the offset is computed in seconds. To
69 unset a date, use 'none'.
70 -P date/offset
72 Sets the date on which a key is to be published to the zone. After
73 that date, the key will be included in the zone but will not be
74 used to sign it.
75 -A date/offset
77 Sets the date on which the key is to be activated. After that date,
78 the key will be included in the zone and used to sign it.
79 -R date/offset
81 Sets the date on which the key is to be revoked. After that date,
82 the key will be flagged as revoked. It will be included in the zone
83 and will be used to sign it.
84 -I date/offset
86 Sets the date on which the key is to be retired. After that date,
87 the key will still be included in the zone, but it will not be used
88 to sign it.
89 -D date/offset
91 Sets the date on which the key is to be deleted. After that date,
92 the key will no longer be included in the zone. (It may remain in
93 the key repository, however.)
94 -S predecessor key
96 Select a key for which the key being modified will be an explicit
97 successor. The name, algorithm, size, and type of the predecessor
98 key must exactly match those of the key being modified. The
99 activation date of the successor key will be set to the
100 inactivation date of the predecessor. The publication date will be
101 set to the activation date minus the prepublication interval, which
102 defaults to 30 days.
103 -i interval
105 Sets the prepublication interval for a key. If set, then the
106 publication and activation dates must be separated by at least this
107 much time. If the activation date is specified but the publication
108 date isn't, then the publication date will default to this much
109 time before the activation date; conversely, if the publication
110 date is specified but activation date isn't, then activation will
111 be set to this much time after publication.
112 If the key is being set to be an explicit successor to another key,
114 then the default prepublication interval is 30 days; otherwise it
115 is zero.
116 As with date offsets, if the argument is followed by one of the
118 suffixes 'y', 'mo', 'w', 'd', 'h', or 'mi', then the interval is
119 measured in years, months, weeks, days, hours, or minutes,
120 respectively. Without a suffix, the interval is measured in
121 seconds.
122
124 dnssec-settime can also be used to print the timing metadata associated
125 with a key.
126 -u
128 Print times in UNIX epoch format.
129 -p C/P/A/R/I/D/all
131 Print a specific metadata value or set of metadata values. The -p
132 option may be followed by one or more of the following letters to
133 indicate which value or values to print: C for the creation date, P
134 for the publication date, A for the activation date, R for the
135 revocation date, I for the inactivation date, or D for the deletion
136 date. To print all of the metadata, use -p all.
137
139 dnssec-keygen(8), dnssec-signzone(8), BIND 9 Administrator Reference
140 Manual, RFC 5011.
141
143 Internet Systems Consortium
144
146 Copyright © 2009-2011 Internet Systems Consortium, Inc. ("ISC")
147BIND9 July 15, 2009 DNSSEC-SETTIME(8)