dnssec-settime Command
Purpose
Sets the key timing metadata for a domain name system security extensions (DNSSEC) key.
Syntax
dnssec-settime [-f] [-K directory] [-L ttl] [-P date/offset] [-P ds date/offset] [-P sync date/offset] [-A date/offset] [-R date/offset] [-I date/offset] [-D date/offset] [-D ds date/offset] [-D sync date/offset] [-S key] [-i interval] [-h] [-V] [-v level] [-E engine] {keyfile} [-s] [-g state] [-d state date/offset] [-k state date/offset] [-r state date/offset] [-z state date/offset]
Description
The dnssec-settime command reads a DNSSEC private key file and sets the key timing metadata as specified by the -P, -A, -R, -I, and -D options. This metadata, which is used by the dnssec-signzone command or other signing software, determines when a key must be published, whether it must be used to sign a zone, and other details.
If none of these options are set, the dnssec-settime command prints the key timing metadata that is already stored in the key. When key metadata fields are changed, both files of a key pair (Knnnn.+aaa+iiiii.key and Knnnn.+aaa+iiiii.private) are regenerated.
Metadata fields are stored in the private file. A human-readable description of the metadata is also placed as comments in the key file. The permissions of the private file are always set to be inaccessible to everyone other than the owner (mode 0600).
When working with state files, the timing metadata for those files can be updated with the -s flag. With this option, key states can also be updated with the -d (DS), -k (DNSKEY), -r (RRSIG of KSK), or -z (RRSIG of ZSK) flags. Allowed states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE.
The goal state of the key can also be set with the -g flag. This value must be either HIDDEN or OMNIPRESENT, representing whether the key must be removed from the zone or published in it.
Flags
Item | Description |
---|---|
-f | Forces an update of an old-format key with no metadata fields. Without this option, the dnssec-settime command fails when it attempts to update a legacy key. With this option, the key is re-created in the new format, but the original key data is retained. The creation date of the key is set to the present time. If no other values are specified, the publication and activation dates of the key are also set to the present time. |
-K directory | Sets the directory in which the key files must reside. |
-L ttl | Sets the default time-to-live (TTL) to be used for this key when it is converted into a DNSKEY RR. This TTL is used when the key is imported into a zone, unless a DNSKEY RRset already exists, in which case the existing TTL takes precedence. If this value is not set and the DNSKEY RRset is not available, the TTL defaults to the SOA TTL. Setting the default TTL to 0 or none removes the TTL from the key. |
-h | Displays a usage message and exits. |
-V | Prints version information. |
-v level | Sets the debugging level. |
-E engine | Specifies the cryptographic hardware to use, when applicable. When BIND 9 is built with OpenSSL, this flag must be set to the OpenSSL engine identifier that drives the cryptographic accelerator or hardware service module (usually pkcs11). |
Timing flags
Dates can be expressed in any of the following forms:
- YYYYMMDD or YYYYMMDDHHMMSS, which is the format used inside the key files.
- Day Mon DD HH:MM:SS YYYY, as printed by the dnssec-settime -p command.
- UNIX epoch time, as printed by the dnssec-settime -up command.
- The literal now.
If the argument begins with a plus sign (+) or minus sign (-), it is interpreted as an offset from the present time. The literal now can be omitted before an offset. If such an offset is followed by one of the suffixes y, mo, w, d, h, or mi, the offset is computed in years (defined as 365 24-hour days, ignoring leap years), months (defined as 30 24-hour days), weeks, days, hours, or minutes, respectively. Without a suffix, the offset is computed in seconds. To explicitly prevent a date from being set, use none, never, or unset.
Item | Description |
---|---|
-P date/offset | Sets the date on which a key must be published to the zone. After that date, the key is included in the zone but it is not used to sign the zone. |
-P ds date/offset | Sets the date on which DS records that match this key were published in the parent zone. |
-P sync date/offset | Sets the date on which the CDS and CDNSKEY records that match this key must be published to the zone. |
-A date/offset | Sets the date on which the key must be activated. After that date, the key is included in the zone and is used to sign the zone. |
-R date/offset | Sets the date on which the key must be revoked. After that date, the key is flagged as revoked. It is still included in the zone and is used to sign the zone. |
-I date/offset | Sets the date on which the key must be retired. After that date, the key is still included in the zone, but it is not used to sign the zone. |
-D date/offset | Sets the date on which the key is to be deleted. After that date, the key is no longer included in the zone. However, it might remain in the key repository. |
-D ds date/offset | Sets the date on which the DS records that match this key were removed from the parent zone. |
-D sync date/offset | Sets the date on which the CDS and CDNSKEY records that match this key must be deleted. |
-S key | Selects a key of which the key being modified is an explicit successor. The name, algorithm, size, and type of the predecessor key must exactly match the values of the key that is modified. The activation date of the successor key is set to the inactivation date of the predecessor. The publication date is set to the activation date minus the pre-publication interval, which defaults to 30 days. |
-i interval | Sets the pre-publication interval for a key. If set, the publication and activation dates must be separated by at least the specified time. If the activation date is specified but the publication date is not, the publication date defaults to the specified time before the activation date. If the publication date is specified but the activation date is not, activation is set to the specified time after publication. If the key is created as an explicit successor to another key, the default pre-publication interval is 30 days; otherwise it is zero. As with date offsets, the argument can be followed by one of the suffixes y, mo, w, d, h, or mi, in which case the interval is measured in years, months, weeks, days, hours, or minutes, respectively; without a suffix, it is measured in seconds. |
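The date/offset syntax above and the -i / -S defaulting rules, modelled in Python as an added example (this is not BIND's code). The year and month constants follow the definitions on this page; treating a bare digit string that is neither 8 nor 14 characters long as a UNIX epoch, raising ValueError when -P and -A are closer together than the interval, and the final TTL check are this example's own choices.

```python
"""Model of the dnssec-settime date/offset syntax and the -i / -S rules.
Added illustration, not BIND's own implementation."""
import re
from datetime import datetime, timedelta, timezone

# Suffix units exactly as the page defines them: a year is 365 24-hour
# days and a month is 30 24-hour days; leap years and calendar months
# are ignored. An empty suffix means seconds.
SUFFIX_SECONDS = {"y": 365 * 86400, "mo": 30 * 86400, "w": 7 * 86400,
                  "d": 86400, "h": 3600, "mi": 60, "": 1}
OFFSET_RE = re.compile(r"^(?:now)?([+-])(\d+)(y|mo|w|d|h|mi)?$")
UNSET = {"none", "never", "unset"}
DEFAULT_SUCCESSOR_PREPUB = timedelta(days=30)   # -S default per the page


def parse_date(arg, now):
    """Return a UTC datetime for a date/offset argument, or None for
    none/never/unset. 'now' is passed in so results are reproducible."""
    arg = arg.strip()
    if arg == "now":
        return now
    if arg in UNSET:
        return None
    m = OFFSET_RE.match(arg)
    if m:                                   # [now]+N[suffix] / [now]-N[suffix]
        sign, count, unit = m.group(1), int(m.group(2)), m.group(3) or ""
        delta = timedelta(seconds=count * SUFFIX_SECONDS[unit])
        return now + delta if sign == "+" else now - delta
    if arg.isdigit():
        if len(arg) == 8:                   # YYYYMMDD
            return datetime.strptime(arg, "%Y%m%d").replace(tzinfo=timezone.utc)
        if len(arg) == 14:                  # YYYYMMDDHHMMSS (key-file format)
            return datetime.strptime(arg, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        # Example's choice: any other all-digit string is a UNIX epoch (-up form).
        return datetime.fromtimestamp(int(arg), tz=timezone.utc)
    # 'Day Mon DD HH:MM:SS YYYY', the -p output form.
    return datetime.strptime(arg, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def apply_prepub_interval(publish, activate, interval):
    """The -i rule: whichever of -P / -A is missing is derived from the
    other. When both are given, this example treats a gap shorter than
    the interval as an error."""
    if activate is not None and publish is None:
        return activate - interval, activate
    if publish is not None and activate is None:
        return publish, publish + interval
    if publish is not None and activate is not None and activate - publish < interval:
        raise ValueError("publication and activation must be at least %s apart" % interval)
    return publish, activate


def plan_successor(pred_inactive, interval=DEFAULT_SUCCESSOR_PREPUB):
    """The -S rule: the successor activates when the predecessor is
    retired and is published one pre-publication interval earlier."""
    return apply_prepub_interval(None, pred_inactive, interval)


def prepub_covers_ttl(publish, activate, dnskey_ttl):
    """Operational check (this example's, not enforced by the tool): the
    new DNSKEY must be visible for longer than the DNSKEY TTL before it
    signs anything, or validators still caching the old RRset will see
    RRSIGs they cannot verify."""
    return activate - publish > dnskey_ttl


if __name__ == "__main__":
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    for arg in ("+30d", "now-2w", "+1mo", "20240315", "never"):
        print(arg, "->", parse_date(arg, now))
    pub, act = plan_successor(datetime(2024, 6, 1, tzinfo=timezone.utc))
    print("successor publish/activate:", pub, act,
          "covers 1h TTL:", prepub_covers_ttl(pub, act, timedelta(hours=1)))
```

A rollover planned with -S is only safe if the 30-day default (or whatever -i you pass) exceeds the DNSKEY TTL plus propagation time; the tool computes the dates but does not check them against the zone's TTLs, so do that check yourself before signing.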
Key state flags
To test dnssec-policy, keys with artificial state information must be constructed. These options are used by the testing framework for that purpose and must never be used in production.
The key states are HIDDEN, RUMOURED, OMNIPRESENT, and UNRETENTIVE.
Item | Description |
---|---|
-s | Indicates that when setting key timing data, the state file must also be updated. |
-g state | Sets the goal state for this key. Must be HIDDEN or OMNIPRESENT. |
-d state date/offset | Sets the DS state for this key as of the specified date, offset from the current date. |
-k state date/offset | Sets the DNSKEY state for this key as of the specified date, offset from the current date. |
-r state date/offset | Sets the RRSIG (KSK) state for this key as of the specified date, offset from the current date. |
-z state date/offset | Sets the RRSIG (ZSK) state for this key as of the specified date, offset from the current date. |
Printing flags
The dnssec-settime command can also be used to print the timing metadata associated with a key.
Item | Description |
---|---|
-u | Indicates that the time must be printed in UNIX epoch format. |
-p C/P/Pds/Psync/A/R/I/D/Dds/Dsync/all | Prints a specific metadata value or set of metadata values. The -p option might be followed by one or more of the following letters or strings to indicate which value or values to print: C (creation date), P (publication date), Pds (DS publication date), Psync (CDS and CDNSKEY publication date), A (activation date), R (revocation date), I (retirement date), D (deletion date), Dds (DS deletion date), Dsync (CDS and CDNSKEY deletion date), or all (every date). |
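The metadata that -p and -up print is read back from the private file, where it is stored as YYYYMMDDHHMMSS. The following added example (not BIND's code) parses those fields from a constructed .private file, renders them in the -p and -up forms, and audits the schedule for orderings the tool will happily write but an operator should not deploy. The sample file is constructed and its PrivateKey line is elided; the lifecycle checks and their wording are this example's own.

```python
"""Read dnssec-settime timing metadata from a .private file, print it the
way -p / -up do, and sanity-check the key lifecycle. Added example."""
from datetime import datetime, timezone

# Field names as they appear in the private file, in lifecycle order.
TIMING_FIELDS = ("Created", "Publish", "Activate", "Revoke", "Inactive", "Delete")

# Constructed sample: a ZSK published immediately, active after 30 days,
# retired after a year and removed 30 days after that. Key material omitted.
SAMPLE_PRIVATE = """\
Private-key-format: v1.3
Algorithm: 13 (ECDSAP256SHA256)
PrivateKey: (constructed sample, key material omitted)
Created: 20240101000000
Publish: 20240101000000
Activate: 20240131000000
Inactive: 20250131000000
Delete: 20250302000000
"""


def parse_private_timing(text):
    """Return {field: datetime | None} for every timing field; fields absent
    from the file stay None, which is how an unset date is represented."""
    meta = {name: None for name in TIMING_FIELDS}
    for line in text.splitlines():
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if sep and name in meta and value:
            meta[name] = datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return meta


def render(dt, epoch=False):
    """-up prints UNIX epoch seconds; -p prints 'Day Mon DD HH:MM:SS YYYY'
    (rendered here in UTC with a zero-padded day)."""
    if dt is None:
        return "UNSET"
    return str(int(dt.timestamp())) if epoch else dt.strftime("%a %b %d %H:%M:%S %Y")


def check_lifecycle(meta):
    """Return a list of problems with the schedule. These are this example's
    checks; dnssec-settime itself stores whatever dates it is given."""
    problems = []
    p, a, r, i, d = (meta[k] for k in ("Publish", "Activate", "Revoke", "Inactive", "Delete"))
    if p and a and a < p:
        problems.append("Activate precedes Publish: key signs before resolvers can see it")
    if a and i and i < a:
        problems.append("Inactive precedes Activate")
    if i and d and d < i:
        problems.append("Delete precedes Inactive: DNSKEY removed while it is still signing")
    if r and a and r < a:
        problems.append("Revoke precedes Activate")
    if a and not i:
        problems.append("no Inactive date: key is never retired")
    return problems


if __name__ == "__main__":
    meta = parse_private_timing(SAMPLE_PRIVATE)
    for name in TIMING_FIELDS:
        print("%-8s %-26s %s" % (name + ":", render(meta[name]), render(meta[name], epoch=True)))
    print("problems:", check_lifecycle(meta) or "none")
```

Run this against every key in the key directory before a signing run; a Delete earlier than Inactive, or a ZSK with no Inactive date at all, is the kind of mistake that dnssec-settime accepts silently and that only shows up as validation failures later.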