xref: /netbsd-src/external/mpl/bind/dist/bin/dnssec/dnssec-settime.rst (revision 8aaca124c0ad52af9550477f296b63debc7b4c98) 
1.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
2..
3.. SPDX-License-Identifier: MPL-2.0
4..
5.. This Source Code Form is subject to the terms of the Mozilla Public
6.. License, v. 2.0.  If a copy of the MPL was not distributed with this
7.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
8..
9.. See the COPYRIGHT file distributed with this work for additional
10.. information regarding copyright ownership.
11
12.. highlight: console
13
14.. iscman:: dnssec-settime
15.. program:: dnssec-settime
16.. _man_dnssec-settime:
17
18dnssec-settime: set the key timing metadata for a DNSSEC key
19------------------------------------------------------------
20
21Synopsis
22~~~~~~~~
23
24:program:`dnssec-settime` [**-f**] [**-K** directory] [**-L** ttl] [**-P** date/offset] [**-P** ds date/offset] [**-P** sync date/offset] [**-A** date/offset] [**-R** date/offset] [**-I** date/offset] [**-D** date/offset] [**-D** ds date/offset] [**-D** sync date/offset] [**-S** key] [**-i** interval] [**-h**] [**-V**] [**-v** level] [**-E** engine] {keyfile} [**-s**] [**-g** state] [**-d** state date/offset] [**-k** state date/offset] [**-r** state date/offset] [**-z** state date/offset]
25
26Description
27~~~~~~~~~~~
28
29:program:`dnssec-settime` reads a DNSSEC private key file and sets the key
30timing metadata as specified by the :option:`-P`, :option:`-A`, :option:`-R`,
31:option:`-I`, and :option:`-D` options. The metadata can then be used by
32:iscman:`dnssec-signzone` or other signing software to determine when a key is
33to be published, whether it should be used for signing a zone, etc.
34
35If none of these options is set on the command line,
36:program:`dnssec-settime` simply prints the key timing metadata already stored
37in the key.
38
39When key metadata fields are changed, both files of a key pair
40(``Knnnn.+aaa+iiiii.key`` and ``Knnnn.+aaa+iiiii.private``) are
41regenerated.
42
43Metadata fields are stored in the private file. A
44human-readable description of the metadata is also placed in comments in
45the key file. The private file's permissions are always set to be
46inaccessible to anyone other than the owner (mode 0600).
47
48When working with state files, it is possible to update the timing metadata in
49those files as well with :option:`-s`.  With this option, it is also possible
50to update key states with :option:`-d` (DS), :option:`-k` (DNSKEY), :option:`-r`
51(RRSIG of KSK), or :option:`-z` (RRSIG of ZSK). Allowed states are HIDDEN,
52RUMOURED, OMNIPRESENT, and UNRETENTIVE.
53
54The goal state of the key can also be set with :option:`-g`. This should be either
55HIDDEN or OMNIPRESENT, representing whether the key should be removed from the
56zone or published.
57
58It is NOT RECOMMENDED to manipulate state files manually, except for testing
59purposes.
60
61Options
62~~~~~~~
63
64.. option:: -f
65
66   This option forces an update of an old-format key with no metadata fields. Without
67   this option, :program:`dnssec-settime` fails when attempting to update a
68   legacy key. With this option, the key is recreated in the new
69   format, but with the original key data retained. The key's creation
70   date is set to the present time. If no other values are
71   specified, then the key's publication and activation dates are also
72   set to the present time.
73
74.. option:: -K directory
75
76   This option sets the directory in which the key files are to reside.
77
78.. option:: -L ttl
79
80   This option sets the default TTL to use for this key when it is converted into a
81   DNSKEY RR. This is the TTL used when the key is imported into a zone,
82   unless there was already a DNSKEY RRset in
83   place, in which case the existing TTL takes precedence. If this
84   value is not set and there is no existing DNSKEY RRset, the TTL
85   defaults to the SOA TTL. Setting the default TTL to ``0`` or ``none``
86   removes it from the key.
87
88.. option:: -h
89
90   This option emits a usage message and exits.
91
92.. option:: -V
93
94   This option prints version information.
95
96.. option:: -v level
97
98   This option sets the debugging level.
99
100.. option:: -E engine
101
102   This option specifies the cryptographic hardware to use, when applicable.
103
104   When BIND 9 is built with OpenSSL, this needs to be set to the OpenSSL
105   engine identifier that drives the cryptographic accelerator or
106   hardware service module (usually ``pkcs11``).
107
108Timing Options
109~~~~~~~~~~~~~~
110
111Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS
112(which is the format used inside key files),
113or 'Day Mon DD HH:MM:SS YYYY' (as printed by ``dnssec-settime -p``),
114or UNIX epoch time (as printed by ``dnssec-settime -up``),
115or the literal ``now``.
116
117The argument can be followed by ``+`` or ``-`` and an offset from the
118given time. The literal ``now`` can be omitted before an offset. The
119offset can be followed by one of the suffixes ``y``, ``mo``, ``w``,
120``d``, ``h``, or ``mi``, so that it is computed in years (defined as
121365 24-hour days, ignoring leap years), months (defined as 30 24-hour
122days), weeks, days, hours, or minutes, respectively. Without a suffix,
123the offset is computed in seconds.
124
125To unset a date, use ``none``, ``never``, or ``unset``.
126
127All these formats are case-insensitive.
128
129.. option:: -P date/offset
130
131   This option sets the date on which a key is to be published to the zone. After
132   that date, the key is included in the zone but is not used
133   to sign it.
134
135   .. program:: dnssec-settime -P
136   .. option:: ds date/offset
137
138      This option sets the date on which DS records that match this key have been
139      seen in the parent zone.
140
141   .. option:: sync date/offset
142
143      This option sets the date on which CDS and CDNSKEY records that match this key
144      are to be published to the zone.
145
146.. program:: dnssec-settime
147
148.. option:: -A date/offset
149
150   This option sets the date on which the key is to be activated. After that date,
151   the key is included in the zone and used to sign it.
152
153.. option:: -R date/offset
154
155   This option sets the date on which the key is to be revoked. After that date, the
156   key is flagged as revoked. It is included in the zone and
157   is used to sign it.
158
159.. option:: -I date/offset
160
161   This option sets the date on which the key is to be retired. After that date, the
162   key is still included in the zone, but it is not used to
163   sign it.
164
165.. option:: -D date/offset
166
167   This option sets the date on which the key is to be deleted. After that date, the
168   key is no longer included in the zone. (However, it may remain in the key
169   repository.)
170
171   .. program:: dnssec-settime -D
172   .. option:: ds date/offset
173
174      This option sets the date on which the DS records that match this key have
175      been seen removed from the parent zone.
176
177   .. option:: sync date/offset
178
179      This option sets the date on which the CDS and CDNSKEY records that match this
180      key are to be deleted.
181
182.. program:: dnssec-settime
183
184.. option:: -S predecessor key
185
186   This option selects a key for which the key being modified is an explicit
187   successor. The name, algorithm, size, and type of the predecessor key
188   must exactly match those of the key being modified. The activation
189   date of the successor key is set to the inactivation date of the
190   predecessor. The publication date is set to the activation date
191   minus the prepublication interval, which defaults to 30 days.
192
193.. option:: -i interval
194
195   This option sets the prepublication interval for a key. If set, then the
196   publication and activation dates must be separated by at least this
197   much time. If the activation date is specified but the publication
198   date is not, the publication date defaults to this much time
199   before the activation date; conversely, if the publication date is
200   specified but not the activation date, activation is set to
201   this much time after publication.
202
203   If the key is being created as an explicit successor to another key,
204   then the default prepublication interval is 30 days; otherwise it is
205   zero.
206
207   As with date offsets, if the argument is followed by one of the
208   suffixes ``y``, ``mo``, ``w``, ``d``, ``h``, or ``mi``, the interval is
209   measured in years, months, weeks, days, hours, or minutes,
210   respectively. Without a suffix, the interval is measured in seconds.
211
212Key State Options
213~~~~~~~~~~~~~~~~~
214
215To test dnssec-policy it may be necessary to construct keys with artificial
216state information; these options are used by the testing framework for that
217purpose, but should never be used in production.
218
219Known key states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE.
220
221.. option:: -s
222
223   This option indicates that when setting key timing data, the state file should also be updated.
224
225.. option:: -g state
226
227   This option sets the goal state for this key. Must be HIDDEN or OMNIPRESENT.
228
229.. option:: -d state date/offset
230
231   This option sets the DS state for this key as of the specified date, offset from the current date.
232
233.. option:: -k state date/offset
234
235   This option sets the DNSKEY state for this key as of the specified date, offset from the current date.
236
237.. option:: -r state date/offset
238
239   This option sets the RRSIG (KSK) state for this key as of the specified date, offset from the current date.
240
241.. option:: -z state date/offset
242
243   This option sets the RRSIG (ZSK) state for this key as of the specified date, offset from the current date.
244
245Printing Options
246~~~~~~~~~~~~~~~~
247
248:program:`dnssec-settime` can also be used to print the timing metadata
249associated with a key.
250
251.. option:: -u
252
253   This option indicates that times should be printed in Unix epoch format.
254
255.. option:: -p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all
256
257   This option prints a specific metadata value or set of metadata values.
258   The :option:`-p` option may be followed by one or more of the following letters or
259   strings to indicate which value or values to print: ``C`` for the
260   creation date, ``P`` for the publication date, ``Pds` for the DS publication
261   date, ``Psync`` for the CDS and CDNSKEY publication date, ``A`` for the
262   activation date, ``R`` for the revocation date, ``I`` for the inactivation
263   date, ``D`` for the deletion date, ``Dds`` for the DS deletion date,
264   and ``Dsync`` for the CDS and CDNSKEY deletion date. To print all of the
265   metadata, use ``all``.
266
267See Also
268~~~~~~~~
269
270:iscman:`dnssec-keygen(8) <dnssec-keygen>`, :iscman:`dnssec-signzone(8) <dnssec-signzone>`, BIND 9 Administrator Reference Manual,
271:rfc:`5011`.
272