ods-enforcer(8)             OpenDNSSEC ods-enforcer            ods-enforcer(8)


NAME

       ods-enforcer - OpenDNSSEC enforcer Engine client


SYNOPSIS

       ods-enforcer help | start | stop | reload | running
       ods-enforcer queue | flush | signconf | enforce | verbosity <number>
       ods-enforcer update conf | repositorylist | all
       ods-enforcer policy list | export | import | purge | resalt
       ods-enforcer zone list | add | delete | set-policy
       ods-enforcer zonelist export | import
       ods-enforcer key list | export | import | ds-submit | ds-seen |
                    ds-retract | ds-gone | generate | purge | rollover
       ods-enforcer backup list | prepare | commit | rollback
       ods-enforcer rollover list
       ods-enforcer repository list
       ods-enforcer help [COMMAND]


DESCRIPTION

       ods-enforcer is part of the OpenDNSSEC software. With this tool, you
       can send commands to the enforcer engine daemon. ods-enforcer manages
       the operation of the KASP Enforcer, which is the part of OpenDNSSEC
       that triggers key generation and signing operations on domains based on
       policies with user-defined timing and security requirements. Among the
       functions of ods-enforcer are key management, import to the zone list
       and manually rolling keys to recover from exceptional situations like
       key loss. The following sections discuss the subcommands.

       For more information, go to http://www.opendnssec.org and visit the
       Documentation page.


GENERIC OPTIONS

       help   Show a brief list of commands.

       start  Start the engine and the process.

       stop   Stop the engine and terminate the process.

       reload Reload the engine.

       running
              Return acknowledgment that the engine is running.

       verbosity
              Set verbosity to the given number.


SCHEDULING OPTIONS

       queue  Show all scheduled tasks with the earliest time of their next
              execution, as well as all tasks currently being processed.

       flush  Execute all scheduled tasks immediately.

       enforce
              Force the enforcer to run once for every zone.


SIGNCONF AND UPDATE SUBCOMMANDS

       signconf
              Force write of signer configuration files for all zones.

       update conf
              Update the configuration from conf.xml and reload the enforcer.

       update repositorylist
              List repositories.

       update all
              Perform policy import, zonelist import, and update repository
              list.


POLICY ADMINISTRATION SUBCOMMANDS

       policy list
              List all policies in the database.

       policy export (--policy <policy> | --all)
              Export a specified policy, or all of them, from the database.

       policy import
              Import policies from kasp.xml into the enforcer database.

       policy purge
              This command will remove any policies from the database which
              have no associated zones. Use with caution.

       policy resalt
              Generate new NSEC3 salts for policies that have salts older than
              the resalt duration.


ZONE MANAGEMENT SUBCOMMANDS

       zone list
              List all zones currently in the database.

       zone add --zone <zone> [--policy <policy>] [--signerconf <path>]
       [--in-type <type>] [--input <path>] [--out-type <type>] [--output <path>]
       [--xml] [--suspend]
              Add a new zone to the enforcer database.

       zone delete (--zone <zone> | --all [--xml])
              Delete a zone, or all zones, from the enforcer database.

       zone set-policy --zone <zone> --policy <policy> [--xml]
              Change the policy for a zone in the enforcer database.

       zonelist export
              Export the list of zones from the database to the zonelist.xml
              file.

       zonelist import [--remove-missing-zones] [--file <absolute path>]
              Import zones from zonelist.xml into the enforcer database.


KEY MANAGEMENT SUBCOMMANDS

       key list [--verbose] [--debug] [--full] [--parsable] [--zone]
       [--keystate] [--all]
              List information about keys in all zones, or in a particular
              zone, from the database.

       key export (--zone <zone> | --all) [--keystate <state>] [--keytype
       <type>] [--ds]
              Export DNSKEY(s) for a given zone, or for all zones, from the
              database.

       key import --cka_id <CKA_ID> --repository <repository> --zone <zone>
       --bits <size> --algorithm <algorithm> --keystate <state> --keytype
       <type> --inception_time <time>
              Add a key which was created outside of the OpenDNSSEC code into
              the enforcer database.

       key ds-submit --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-submit to the enforcer for a KSK.

       key ds-seen --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-seen to the enforcer for a KSK.

       key ds-seen --all
              Issue a ds-seen for all KSKs that are ready for it. This command
              indicates to OpenDNSSEC that a submitted DS record has appeared
              in the parent zone, and thereby triggers the completion of a KSK
              rollover.

       key ds-retract --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-retract to the enforcer for a KSK.

       key ds-gone --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-gone to the enforcer for a KSK.

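The four ds-* subcommands above are the operator's side of a KSK rollover: the enforcer is told, in order, that the new DS has been submitted to the parent, that it has appeared there, that the old DS has been retracted, and that it is gone. The following wrapper is an added example and is not code from this man page or from the OpenDNSSEC project. It assumes the client is reachable as `ods-enforcer` (overridable through the `ODS_ENFORCER` variable so the wrapper can be exercised against a stub) and that `KSK` is an accepted `--keytype` value; the zone name and key identifiers are supplied by the caller.

```shell
#!/bin/sh
# Added example wrapping the KSK rollover subcommands of ods-enforcer.
# Not part of the OpenDNSSEC man page or project code.
# ODS_ENFORCER (assumed, not an OpenDNSSEC variable) names the client command.
ODS_ENFORCER="${ODS_ENFORCER:-ods-enforcer}"

# key_selector KIND ID -> prints "--keytag N" or "--cka_id HEX".
# The man page offers (--keytag <keytag> | --cka_id <CKA_ID>); a DNSKEY keytag
# is a 16-bit value (0..65535) and a CKA_ID is the hex identifier in the HSM.
key_selector() {
    kind=$1 id=$2
    case "$kind" in
        keytag)
            case "$id" in
                ''|*[!0-9]*) echo "keytag must be decimal digits" >&2; return 2 ;;
            esac
            [ "$id" -le 65535 ] || { echo "keytag out of range: $id" >&2; return 2; }
            printf '%s %s' --keytag "$id" ;;
        cka_id)
            case "$id" in
                ''|*[!0-9a-fA-F]*) echo "cka_id must be a hex string" >&2; return 2 ;;
            esac
            printf '%s %s' --cka_id "$id" ;;
        *) echo "unknown selector kind: $kind" >&2; return 2 ;;
    esac
}

# start_ksk_rollover ZONE: begin a KSK rollover for ZONE now (assumes the
# --keytype value KSK).
start_ksk_rollover() {
    [ -n "$1" ] || { echo "zone required" >&2; return 2; }
    "$ODS_ENFORCER" key rollover --zone "$1" --keytype KSK
}

# ksk_ds_step STEP ZONE KIND ID: STEP is submit|seen|retract|gone, the order
# in which DS state changes are reported to the enforcer during a rollover.
ksk_ds_step() {
    step=$1 zone=$2
    case "$step" in
        submit|seen|retract|gone) ;;
        *) echo "unknown DS step: $step" >&2; return 2 ;;
    esac
    [ -n "$zone" ] || { echo "zone required" >&2; return 2; }
    sel=$(key_selector "$3" "$4") || return 2
    # $sel is intentionally unquoted: it expands to the flag and its value.
    "$ODS_ENFORCER" key "ds-$step" --zone "$zone" $sel
}
```

A typical run is `start_ksk_rollover example.com`, then `ksk_ds_step submit example.com keytag 12345` once the DS has been handed to the parent, `ksk_ds_step seen ...` after it is visible there, and `retract` / `gone` for the outgoing key; the wrapper refuses an unknown step or a malformed identifier before anything reaches the enforcer.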
       key generate --duration <duration> (--policy <policy> | --all)
              Pre-generate keys for all policies or for a given policy. The
              duration to pre-generate for can be specified; otherwise it is
              taken from conf.xml.

       key purge (--policy <policy> | --zone <zone> | --delete)
              This command will remove keys from the database and HSM that are
              dead. If the --delete (or -d) flag is given, the keys are also
              purged from the HSM. Keys are always purged from the HSM if the
              <Purge>

       key rollover (--zone <zone> | --policy <policy>) [--keytype <keytype> |
       --all]
              Start a key rollover of the desired type *now*, or of all types.
              The process is the same as for the scheduled automated rollovers,
              but it does not wait for the key's lifetime to expire before
              rolling. The next rollover is due once the newest key has passed
              its lifetime.

       rollover list [--zone <zone>]
              List the expected dates and times of upcoming rollovers. This
              can be used to get an idea of upcoming work.


REPOSITORY AND BACKUP SUBCOMMANDS

       backup list --repository <repository>
              Enumerate backup status of keys.

       backup prepare --repository <repository>
              Flag the keys found in all configured HSMs as to be backed up.

       backup commit --repository <repository>
              Mark flagged keys found in all configured HSMs as backed up.

       backup rollback --repository <repository>

       repository list
              List repositories.


FILES

       /etc/opendnssec/conf.xml
              The main configuration file for OpenDNSSEC.

       /etc/opendnssec/zonelist.xml
              The list of zones as defined in conf.xml. This list is used
              during 'zonelist import'.

       /etc/opendnssec/kasp.xml
              The configuration of policies that define timing and security,
              as defined in conf.xml.

       /var/opendnssec/unsigned/
              The location that is usually configured in conf.xml which
              contains unsigned zones.

       /var/opendnssec/signed/
              The location that is usually configured in conf.xml which
              contains signed zones.


DIAGNOSTICS

       ods-enforcer will log all problems via stderr.


SEE ALSO

       ods-control(8), ods-enforcerd(8), ods-signerd(8), ods-signer(8),
       ods-kasp(5), ods-kaspcheck(1), ods-timing(5), ods-hsmspeed(1),
       ods-hsmutil(1), opendnssec(7), http://www.opendnssec.org/


AUTHORS

       ods-enforcer was written by NLnet Labs as part of the OpenDNSSEC
       project.



OpenDNSSEC                        April 2016                   ods-enforcer(8)