ods-enforcer(8)                     OpenDNSSEC                     ods-enforcer(8)

NAME
       ods-enforcer - OpenDNSSEC enforcer Engine client

SYNOPSIS
       ods-enforcer help | start | stop | reload | running
       ods-enforcer queue | flush | signconf | enforce | verbosity <number>
       ods-enforcer update conf | repositorylist | all
       ods-enforcer policy list | export | import | purge | resalt
       ods-enforcer zone list | add | delete | set-policy
       ods-enforcer zonelist export | import
       ods-enforcer key list | export | import | ds-submit | ds-seen |
                    ds-retract | ds-gone | generate | purge | rollover
       ods-enforcer backup list | prepare | commit | rollback
       ods-enforcer rollover list
       ods-enforcer repository list
       ods-enforcer help [COMMAND]

DESCRIPTION
       ods-enforcer is part of the OpenDNSSEC software. With this tool, you
       can send commands to the enforcer engine daemon. ods-enforcer manages
       the operation of the KASP Enforcer, which is the part of OpenDNSSEC
       that triggers key generation and signing operations on domains based
       on policies with user-defined timing and security requirements. Among
       the functions of ods-enforcer are key management, import to the zone
       list and manually rolling keys to recover from exceptional situations
       like key loss. The following sections discuss the subcommands.

       For more information, go to http://www.opendnssec.org and visit the
       Documentation page.

       help   Show a brief list of commands.

       start  Start the engine and the process.

       stop   Stop the engine and terminate the process.

       reload Reload the engine.

       running
              Return acknowledgment that the engine is running.

       verbosity <number>
              Set verbosity to the given number.

       queue  Show all scheduled tasks with the time of their earliest
              execution, as well as all tasks currently being processed.

       flush  Execute all scheduled tasks immediately.

       enforce
              Force the enforcer to run once for every zone.

       signconf
              Force write of signer configuration files for all zones.

       update conf
              Update the configuration from conf.xml and reload the enforcer.

       update repositorylist
              List repositories.

       update all
              Perform policy import, zonelist import, and update repository
              list.

       policy list
              List all policies in the database.

       policy export (--policy <policy> | --all)
              Export a specified policy, or all of them, from the database.

       policy import
              Import policies from kasp.xml into the enforcer database.

       policy purge
              This command will remove any policies from the database which
              have no associated zones. Use with caution.

       policy resalt
              Generate new NSEC3 salts for policies whose salts are older
              than the resalt duration.

       zone list
              List all zones currently in the database.

       zone add --zone <zone> [--policy <policy>] [--signerconf <path>]
              [--in-type <type>] [--input <path>] [--out-type <type>]
              [--output <path>] [--xml] [--suspend]
              Add a new zone to the enforcer database.

       zone delete (--zone <zone> | --all [--xml])
              Delete a zone, or all zones, from the enforcer database.

       zone set-policy --zone <zone> --policy <policy> [--xml]
              Change the policy for a zone in the enforcer database.

       zonelist export
              Export the list of zones from the database to the zonelist.xml
              file.

       zonelist import [--remove-missing-zones] [--file <absolute path>]
              Import zones from zonelist.xml into the enforcer database.

       key list [--verbose] [--debug] [--full] [--parsable] [--zone]
              [--keystate] [--all]
              List information about keys in all zones, or in a particular
              zone, from the database.

       key export (--zone <zone> | --all) [--keystate <state>]
              [--keytype <type>] [--ds]
              Export the DNSKEY(s) for a given zone, or for all zones, from
              the database.

       key import --cka_id <CKA_ID> --repository <repository> --zone <zone>
              --bits <size> --algorithm <algorithm> --keystate <state>
              --keytype <type> --inception_time <time>
              Add a key which was created outside of the OpenDNSSEC code into
              the enforcer database.
       key ds-submit --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-submit to the enforcer for a KSK.

       key ds-seen --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-seen to the enforcer for a KSK.

       key ds-seen --all
              Issue a ds-seen for all KSKs that are ready for it. This command
              indicates to OpenDNSSEC that a submitted DS record has appeared
              in the parent zone, and thereby triggers the completion of a
              KSK rollover.

       key ds-retract --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-retract to the enforcer for a KSK.

       key ds-gone --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-gone to the enforcer for a KSK.

       key generate --duration <duration> (--policy <policy> | --all)
              Pre-generate keys for all policies or for a given policy. The
              duration to pre-generate for can be specified; otherwise it is
              taken from conf.xml.

       key purge (--policy <policy> | --zone <zone> | --delete)
              This command removes keys from the database and HSM that are
              dead. If the --delete (or -d) flag is given, the keys are also
              purged from the HSM. Keys are always purged from the HSM if the
              <Purge>

       key rollover (--zone <zone> | --policy <policy>) [--keytype <keytype> |
              --all]
              Start a key rollover of the desired type *now*, or of all types.
              The process is the same as for the scheduled automated
              rollovers; however, it does not wait for the key's lifetime to
              expire before rolling. The next rollover is due after the newest
              key has passed its lifetime.

       rollover list [--zone <zone>]
              List the expected dates and times of upcoming rollovers. This
              can be used to get an idea of upcoming work.

       backup list --repository <repository>
              Enumerate the backup status of keys.

       backup prepare --repository <repository>
              Flag the keys found in all configured HSMs as to be backed up.

       backup commit --repository <repository>
              Mark flagged keys found in all configured HSMs as backed up.

       backup rollback --repository <repository>

       repository list
              List repositories.

FILES
       /etc/opendnssec/conf.xml
              The main configuration file for OpenDNSSEC.

       /etc/opendnssec/zonelist.xml
              The list of zones as defined in conf.xml. This list is used
              during 'zonelist import'.

       /etc/opendnssec/kasp.xml
              The configuration of policies that define timing and security,
              as defined in conf.xml.

       /var/opendnssec/unsigned/
              The location that is usually configured in conf.xml which
              contains unsigned zones.

       /var/opendnssec/signed/
              The location that is usually configured in conf.xml which
              contains signed zones.

DIAGNOSTICS
       ods-enforcer will log all problems via stderr.

SEE ALSO
       ods-control(8), ods-enforcerd(8), ods-signerd(8), ods-signer(8),
       ods-kasp(5), ods-kaspcheck(1), ods-timing(5), ods-hsmspeed(1),
       ods-hsmutil(1), opendnssec(7), http://www.opendnssec.org/

AUTHORS
       ods-enforcer was written by NLnet Labs as part of the OpenDNSSEC
       project.

OpenDNSSEC                          April 2016                     ods-enforcer(8)