GSP
Quick Navigator
Search Site

Unix VPS
A - Starter
B - Basic
C - Preferred
D - Commercial
MPS - Dedicated
Previous VPSs
* Sign Up! *

Support
Contact Us
Online Help
Handbooks
Domain Status
Man Pages

FAQ
Virtual Servers
Pricing
Billing
Technical

Network
Facilities
Connectivity
Topology Map

Miscellaneous
Server Agreement
Year 2038
Credits
 

USA Flag

 

 

Man Pages
ods-enforcer(8) OpenDNSSEC ods-enforcer ods-enforcer(8)

ods-enforcer - OpenDNSSEC enforcer Engine client

ods-enforcer help | start | stop | reload | running
ods-enforcer queue | flush | signconf | enforce | verbosity <number>
ods-enforcer update conf | repositorylist | all
ods-enforcer policy list | export | import | purge | resalt
ods-enforcer zone list | add | delete | set-policy
ods-enforcer zonelist export | import
ods-enforcer key list | export | import | ds-submit | ds-seen | ds-retract | ds-gone | generate | purge | rollover
ods-enforcer backup list | prepare | commit | rollback
ods-enforcer rollover list
ods-enforcer repository list
ods-enforcer help [COMMAND]

ods-enforcer is part of the OpenDNSSEC software. With this tool, you can send commands to the enforcer engine daemon. ods-enforcer manages the operation of the KASP Enforcer, which is the part of OpenDNSSEC that triggers key generation and signing operations on domains based on policies with user-defined timing and security requirements. Among the functions of ods-enforcer are key management, import to the zone list and manually rolling keys to recover from exceptional situations like key loss. The following sections discuss the subcommands.

For more information, go to http://www.opendnssec.org and visit the Documentation page.

Show a brief list of commands.
Start the engine and the process.
Stop the engine and terminate the process.
Reload the engine.
Return acknowledgment that the engine is running.
Set verbosity to the given number.

queue shows all scheduled tasks with their time of the earliest executions, as well as all tasks currently being processed.
Execute all scheduled tasks immediately.
Force the enforcer to run once for every zone.

Force write of signer configuration files for all zones.
Update the configuration from conf.xml and reload the enforcer.
List repositories.
Perform policy import, zonelist import, and update repository list.

List all policies in the database.
Export a specified policy or all of them from the database.
Import policies from kasp.xml into the enforcer database.
This command will remove any policies from the database which have no associated zones. Use with caution.
Generate new NSEC3 salts for policies that have salts older than the resalt duration.

List all zones currently in the database.
Add a new zone to the enforcer database.
Delete a zone or all of zones from the enforcer database.
Change the policy for a zone in the enforcer database.
Export list of zones from the database to the zonelist.xml file.
Import zones from zonelist.xml into the enforcer database.

List information about keys in all zones, or in a particular zone from the database.
Export DNSKEY(s) for a given zone/all from the database.
Add a key which was created outside of the OpenDNSSEC code into the enforcer database.
Issue a ds-submit to the enforcer for a KSK.
Issue a ds-seen to the enforcer for a KSK.
Issue a ds-seen for all ready (for ds-seen) KSKs. This command indicates to OpenDNSSEC that a submitted DS record has appeared in the parent zone, and thereby trigger the completion of a KSK rollover.
Issue a ds-retract to the enforcer for a KSK.
Issue a ds-gone to the enforcer for a KSK.
Pre-generate keys for all or a given policy, the duration to pre-generate for can be specified or otherwise its taken from the conf.xml.
This command will remove keys from the database and HSM that are dead. If the --delete (or -d) flag is given, the keys are also purged from the HSM. Keys are always purged from the HSM if the <Purge>
Start a key rollover of the desired type *now* or all of them. The process is the same as for the scheduled automated rollovers however it does not wait for the keys lifetime to expire before rolling. The next rollover is due after the newest key aged passed its lifetime.
List the expected dates and times of upcoming rollovers. This can be used to get an idea of upcoming works.

Enumerate backup status of keys.
Flag the keys found in all configured HSMs as to be backed up.
Mark flagged keys found in all configured HSMs as backed up.
List repositories.

/etc/opendnssec/conf.xml
The main configuration file for OpenDNSSEC.
/etc/opendnssec/zonelist.xml
The list of zones as defined in conf.xml. This list is used during 'zonelist import'.
/etc/opendnssec/kasp.xml
The configuration of policies that define timing and security, as defined in conf.xml.
/var/opendnssec/unsigned/
The location that is usually configured in conf.xml which contains unsigned zones.
/var/opendnssec/signed/
The location that is usually configured in conf.xml which contains signed zones.

will log all the problems via stderr.

ods-control(8), ods-enforcerd(8), ods-signerd(8), ods-signer(8), ods-kasp(5), ods-kaspcheck(1), ods-timing(5), ods-hsmspeed(1), ods-hsmutil(1), opendnssec(7), http://www.opendnssec.org/

ods-enforcer was written by NLnet Labs as part of the OpenDNSSEC project.

April 2016 OpenDNSSEC
Search for    or go to Top of page |  Section 8 |  Main Index

Powered by GSP Visit the GSP FreeBSD Man Page Interface.
Output converted with ManDoc.