Skip to end of metadata
Go to start of metadata

This section describes common Zone Management activities in OpenDNSSEC.

The details of the command utilities shown below can be found here.

On this Page

Adding / Removing zones

Zones can be added and removed at will. If the optional parameters are not given, then it will default to the policy default and assume 'File' adaptors (input/output type) for both input and output with the (un)signed zones located in the {prefix}/var/opendnssec/ subdirectories. More details on the zone add command can be found here: ods-ksmutl zone add

ods-ksmutil zone add --zone 
[--policy <policy> --signerconf <signerconf.xml> --input <input> --in-type <input type> --output <output> --out-type <output type>]
ods-ksmutil zone delete --zone

This command will report positively with a message like:

zonelist filename set to /etc/opendnssec/zonelist.xml.
SQLite database set to: /var/opendnssec/kasp.db
Imported zone:

 Using this command thousands of times might be slow since it also writes to zonelist.xml. Use --no-xml to stop this behavior. Then export the zonelist when you are finished:

ods-ksmutil zonelist export > zonelist.xml

Alternatively, you could manually edit the zonelist.xml and then give the command:

ods-ksmutil update zonelist

After zones are added, they will show up in your logs as follows:

ods-enforcerd: Zone found.
ods-enforcerd: Policy for set to default.
ods-enforcerd: Config will be output to /var/opendnssec/signconf/

If you opened the latter file, you would find the settings that were applied to the zone at the time this file was added.

Updating an unsigned zone

When you update the content of an unsigned zone you must tell the signer engine to re-read the unsigned zone file using the ods-signer command like this:

ods-signer sign

This will also have the effect that the zone is scheduled for immediate resigning.

  • No labels