Skip to end of metadata
Go to start of metadata

One plugin is currently provided with OpenDNSSEC to aid users in automating their DNSSEC deployment:


The plugins provided are examples only and should be reviewed by users before use.



This makes it easier to notify the OpenDNSSEC operator that a new set of keys needs to be sent to the parent zone for publication, as needed when you perform key rollovers on the KSK. This plugin is just a simple example on how to use this API to send an e-mail with the keys.


In the plugins directory in the source code of OpenDNSSEC you have the directory simple-dnskey-mailer containing the shell script Edit this script and change the e-mail address you want to be notified about the new keyset.

In conf.xml you have the <DelegationSignerSubmitCommand> tag where you add the path to where you place this script in your system. Don't forget to uncomment the tag, and set the executable flag on the script.


When the Enforcer decides that it has an updated set of keys for publication at the parent level, it will run the script with the complete set of keys that you need to publish. When you have published the whols set of keys, any publication of new keys will have to be reported back by the operator to the Enforcer so that it knows that the parent has published the new keys. This will complete the key rollover. You do this by issuing the ds-seen command like this:

  ods-ksmutil key ds-seen --zone --keytag 12345


  ods-ksmutil key ds-seen --zone --cka_id a6f66e07781469df81e6c908bf22b168

You find the cka_id by listing the keys for your zone in verbose mode.


This plugin is no longer maintained and has been removed from the OpenDNSSEC source directory. It is still available for reference at trunk/contrib but there are know issues with the use of libcurl in this implementation.



  • No labels