dnssec-settime Command

Purpose

Sets the key timing metadata for a DNSSEC key.

Syntax

dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-P ds date/offset] [-P sync date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-D ds date/offset] [-D sync date/offset] [-S key] [-i interval] [-h] [-V] [-v level] [-E engine] {keyfile} [-s] [-g state] [-d state date/offset] [-k state date/offset] [-r state date/offset] [-z state date/offset]

Description

The dnssec-settime command reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, -R, -I, and -D options. The metadata can then be used by dnssec-signzone or other signing software to determine when a key must be published, whether it must be used for signing a zone, and so on.

If none of these options is set, the dnssec-settime command prints the key timing metadata that is already stored in the key. When key metadata fields are changed, both files of a key pair (Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are regenerated.

Metadata fields are stored in the private file. A human-readable description of the metadata is also placed as comments in the key file. The private file's permissions are always set so that only the owner can read or write it (mode 0600).

When working with state files, the -s flag also updates the timing metadata in the key's state file. With -s, you can also set key states by using the -d (DS), -k (DNSKEY), -r (RRSIG of KSK), or -z (RRSIG of ZSK) flags. Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE.

The goal state of the key can also be set by using the -g flag. This value should be either HIDDEN or OMNIPRESENT, representing whether the key should be removed from the zone or published.

Note: It is not recommended to manipulate state files manually, except for testing purposes.

Flags

-f

Forces an update of an old-format key with no metadata fields. Without this option, the dnssec-settime command fails when attempting to update a legacy key. With this option, the key is recreated in the new format, but the original key data is retained. The key's creation date is set to the present time. If no other values are specified, the key's publication and activation dates are also set to the present time.

-K directory

Sets the directory in which the key files must reside.

-L ttl

Sets the default TTL that must be used for this key when it is converted into a DNSKEY RR. This TTL is used when the key is imported into a zone, unless a DNSKEY RRset exists, in which case the existing TTL takes precedence. If this value is not set and the DNSKEY RRset is not available, the TTL defaults to the SOA TTL. If you set the default TTL to 0 or none, the TTL is removed from the key.

-h

Displays a usage message and exits.

-V

Prints version information.

-v level

Sets the debugging level.

-E engine

Specifies the cryptographic hardware that must be used, when applicable.

When BIND 9 is built with OpenSSL, this flag must be set to the OpenSSL engine identifier that drives the cryptographic accelerator or hardware service module (usually pkcs11). When BIND is built with native PKCS#11 cryptography (--enable-native-pkcs11), this flag defaults to the path of the PKCS#11 provider library that is specified via --with-pkcs11.

Timing flags

Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS. If the argument begins with a + or -, it is interpreted as an offset from the present time. For convenience, if such an offset is followed by one of the suffixes y, mo, w, d, h, or mi, then the offset is computed in years (defined as 365 24-hour days, ignoring leap years), months (defined as 30 24-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To explicitly prevent a date from being set, use none or never.

-P date/offset
Sets the date on which a key must be published to the zone. After that date, the key is included in the zone but it is not used to sign the zone.
-P ds date/offset
Sets the date on which DS records that match this key became available in the parent zone.
-P sync date/offset
Sets the date on which CDS and CDNSKEY records that match this key must be published to the zone.
-A date/offset
Sets the date on which the key must be activated. After that date, the key is included in the zone and is used to sign the zone.
-R date/offset
Sets the date on which the key must be revoked. After that date, the key is flagged as revoked. It is included in the zone and is used to sign the zone.
-I date/offset
Sets the date on which the key must be retired. After that date, the key is still included in the zone, but it is not used to sign the zone.
-D date/offset
Sets the date on which the key is to be deleted. After that date, the key is no longer included in the zone. However, it may remain in the key repository.
-D ds date/offset
Sets the date on which the DS records that match this key were removed from the parent zone.
-D sync date/offset
Sets the date on which the CDS and CDNSKEY records that match this key must be deleted.
-S predecessor key
Selects a key for which the key being modified is an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match the values of the key being modified. The activation date of the successor key is set to the inactivation date of the predecessor. The publication date is set to the activation date minus the pre-publication interval, which defaults to 30 days.
-i interval

Sets the pre-publication interval for a key. If set, then the publication and activation dates must be separated by at least the specified time. If the activation date is specified but the publication date is not specified, the publication date defaults to the specified time before the activation date; conversely, if the publication date is specified but the activation date is not specified, activation is set to the specified time after publication.

If the key is being created as an explicit successor to another key, then the default pre-publication interval is 30 days; otherwise it is zero.

As with date offsets, if the argument is followed by one of the suffixes y, mo, w, d, h, or mi, the interval is measured in years, months, weeks, days, hours, or minutes, respectively. Without a suffix, the interval is measured in seconds.
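The date/offset grammar from the Timing flags section, together with the -S and -i rules above, as an added Python example (not part of the dnssec-settime man page or of BIND's code): it resolves a date/offset argument into an absolute time the way the page describes (fixed-length years and months, bare numbers as seconds, none/never as unset), applies the successor and pre-publication rules to derive publication and activation dates, and renders the resulting -P/-A arguments. The function names (resolve_date, parse_interval, plan_key_times, settime_args), the "present time", and the key file name Kexample.com.+013+54321 are constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Offset suffixes from the Timing flags section. Years and months are
# fixed-length (365 and 30 24-hour days); a bare number is seconds.
SUFFIX_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                  "d": 86400, "h": 3600, "mi": 60, "": 1}


def parse_interval(text):
    """Parse an -i style interval ('30d', '2w', '3600') into a timedelta."""
    m = re.fullmatch(r"(\d+)(y|mo|w|d|h|mi)?", text)
    if not m:
        raise ValueError(f"bad interval: {text!r}")
    return timedelta(seconds=int(m.group(1)) * SUFFIX_SECONDS[m.group(2) or ""])


def resolve_date(arg, now):
    """Resolve one date/offset argument relative to 'now'.

    Returns a datetime, or None when the argument is 'none' or 'never'
    (the documented way of explicitly leaving a date unset).
    """
    if arg.lower() in ("none", "never"):
        return None
    if arg[:1] in ("+", "-"):                      # offset from the present time
        delta = parse_interval(arg[1:])
        return now + delta if arg[0] == "+" else now - delta
    if re.fullmatch(r"\d{8}", arg):                # YYYYMMDD
        return datetime.strptime(arg, "%Y%m%d")
    if re.fullmatch(r"\d{14}", arg):               # YYYYMMDDHHMMSS
        return datetime.strptime(arg, "%Y%m%d%H%M%S")
    raise ValueError(f"bad date/offset: {arg!r}")


def plan_key_times(publish=None, activate=None, predecessor_inactive=None,
                   prepublication=None):
    """Derive (publish, activate) using the -S and -i rules from the page.

    predecessor_inactive models -S: the successor activates when the
    predecessor is retired, and the pre-publication interval defaults to
    30 days. prepublication models -i; without -S it defaults to zero.
    """
    if predecessor_inactive is not None:
        activate = predecessor_inactive
        if prepublication is None:
            prepublication = timedelta(days=30)
    elif prepublication is None:
        prepublication = timedelta(0)

    if activate is not None and publish is None:
        publish = activate - prepublication        # publish 'interval' before activation
    elif publish is not None and activate is None:
        activate = publish + prepublication        # activate 'interval' after publication
    elif publish is not None and activate is not None:
        if activate - publish < prepublication:
            raise ValueError("publication and activation must be separated "
                             f"by at least {prepublication}")
    return publish, activate


def settime_args(publish, activate):
    """Render the dates as the -P/-A arguments dnssec-settime takes."""
    def fmt(d):
        return d.strftime("%Y%m%d%H%M%S") if d else "none"
    return ["-P", fmt(publish), "-A", fmt(activate)]


if __name__ == "__main__":
    now = datetime(2024, 1, 1)                     # constructed 'present time'
    # The predecessor retires in 30 days (its -I value); plan an explicit successor.
    pred_inactive = resolve_date("+30d", now)
    publish, activate = plan_key_times(predecessor_inactive=pred_inactive)
    # Kexample.com.+013+54321 is a constructed key file name.
    print("dnssec-settime", *settime_args(publish, activate), "Kexample.com.+013+54321")
```

Run stand-alone, the script prints the dnssec-settime invocation for a successor that is published immediately and activated 30 days later, which is the default pre-publication interval the -S description gives. Passing an -i value through prepublication shortens or lengthens that gap, and giving both publish and activate closer together than the interval is rejected, matching the "separated by at least the specified time" rule.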

Key state flags

To test dnssec-policy, you must construct keys with artificial state information. These options exist for the testing framework and must never be used in production.

Known key states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE.

-s
Indicates that when setting key timing data, the state file should also be updated.
-g state
Sets the goal state for this key. Must be HIDDEN or OMNIPRESENT.
-d state date/offset
Sets the DS state for this key as of the specified date or offset from the current date.
-k state date/offset
Sets the DNSKEY state for this key as of the specified date or offset from the current date.
-r state date/offset
Sets the RRSIG (KSK) state for this key as of the specified date or offset from the current date.
-z state date/offset
Sets the RRSIG (ZSK) state for this key as of the specified date or offset from the current date.

Printing flags

dnssec-settime can also be used to print the timing metadata associated with a key.

-u

Indicates that times should be printed in UNIX epoch format.

-p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all

Prints a specific metadata value or set of metadata values. The -p option may be followed by one or more of the following letters or strings to indicate which value or values to print: C for the creation date, P for the publication date, Pds for the DS publication date, Psync for the CDS and CDNSKEY publication date, A for the activation date, R for the revocation date, I for the inactivation date, D for the deletion date, Dds for the DS deletion date, and Dsync for the CDS and CDNSKEY deletion date. To print all of the metadata, use all.
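A check an operator might run over the metadata that -p prints, added here as an example (not code from the page or from BIND): it reads the Publish:, Activate:, Inactive: and Delete: lines of a private key file, verifies they are in the order the timing flags above imply (published, then active, then retired, then deleted), reports whether the key is signing the zone at a given instant, and converts the dates to the UNIX epoch form that -u prints. The sample file content, the key material placeholder and the function names (parse_timing, check_timing, is_signing_at, to_epoch) are constructed for the example, and the timestamps are interpreted as UTC, which is an assumption of the example.

```python
from datetime import datetime, timezone

# Constructed sample: the timing lines of a BIND private key file. The key
# material itself is omitted; only the metadata fields are used here.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: <omitted>
Created: 20240101000000
Publish: 20240101000000
Activate: 20240115000000
Inactive: 20240701000000
Delete: 20240801000000
"""

TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")
# The lifecycle order the -P/-A/-I/-D descriptions imply.
LIFECYCLE = ("Publish", "Activate", "Inactive", "Delete")


def parse_timing(text):
    """Return {field: datetime} for the timing lines found in a private key file."""
    meta = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() in TIMING_FIELDS:
            # Dates are YYYYMMDDHHMMSS; treated as UTC in this example (assumption).
            parsed = datetime.strptime(value.strip(), "%Y%m%d%H%M%S")
            meta[key.strip()] = parsed.replace(tzinfo=timezone.utc)
    return meta


def to_epoch(dt):
    """UNIX epoch seconds, the form dnssec-settime -u prints dates in."""
    return int(dt.timestamp())


def check_timing(meta):
    """List ordering problems: no lifecycle date may precede the one before it."""
    problems = []
    present = [f for f in LIFECYCLE if f in meta]
    for earlier, later in zip(present, present[1:]):
        if meta[earlier] > meta[later]:
            problems.append(f"{earlier} ({meta[earlier]:%Y%m%d%H%M%S}) is after "
                            f"{later} ({meta[later]:%Y%m%d%H%M%S})")
    return problems


def is_signing_at(meta, when):
    """True if the key signs the zone at 'when' under the -A/-I/-D semantics:
    activated, not yet retired, and not yet deleted."""
    if "Activate" not in meta or when < meta["Activate"]:
        return False
    if "Inactive" in meta and when >= meta["Inactive"]:
        return False
    if "Delete" in meta and when >= meta["Delete"]:
        return False
    return True


if __name__ == "__main__":
    meta = parse_timing(SAMPLE_PRIVATE)
    for field in LIFECYCLE:
        if field in meta:
            print(f"{field:9}{meta[field]:%Y%m%d%H%M%S}  {to_epoch(meta[field])}")
    print("problems:", check_timing(meta) or "none")
    probe = datetime(2024, 3, 1, tzinfo=timezone.utc)
    print("signing on 2024-03-01:", is_signing_at(meta, probe))
```

The ordering check is deliberately tolerant of missing fields: a key that has never been given an -I or -D value simply has fewer dates to compare. Swapping the sample's Activate line for a date earlier than Publish makes check_timing report exactly that inversion, which is the kind of mistake a mistyped offset can produce when dates are set with the timing flags.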
