Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


  1. Export the public key either as DNSKEY or DS, depending on what format your parent zone wants it in. See the section Export the public keys, on how to get the key information.


    This step can be automated or semi-automated by placing a command in the <DelegationSignerSubmitCommand> tag. This should point to a binary which will accept the required key(s) as DNSKEY RRs on STDIN.

  2. Notify the Enforcer when you can see the DS RR in your parent zone. You usually give the keytag to the Enforcer, but if there are KSKs with the same keytag then use the CKA_ID.

    Code Block
    ods-ksmutil key ds-seen -z -x 22499


    Code Block
    ods-ksmutil key ds-seen -z -k 9621ca39306ce050e8dd94c5ab837001
    Code Block
    Found key with CKA_ID 9621ca39306ce050e8dd94c5ab837001
    Key 9621ca39306ce050e8dd94c5ab837001 made active

    And you will see that your KSK is now active:

    Code Block
    ods-ksmutil key list
    Zone:                           Keytype:      State:    Date of next transition:                     ZSK           active    2010-10-15 07:20:53                     KSK           active    2010-10-15 07:31:03


  • Adding / Removing zones
  • Updating an unsigned zone

Updating an unsigned zone


When you update the content of an unsigned zone you must manually tell the signer engine to re-read the unsigned zone file using the ods-signer command like this:

Code Block
ods-signer sign

Updating the xml config files (including the KASP policy)


When you make changes to conf.xml, kasp.xml or zonelist.xml you must run the

Code Block
ods-ksmutil update all

command (or the appropriate command listed below) in order for the changes to be propagated to the system database.


If you make changes to the enforcer or auditor section of the conf.xml file then you must run

Code Block
ods-ksmutil update conf

For most other changes to the conf.xml file it is advisable to stop and start OpenDNSSEC to ensure the changes are detected. 


When you make changes to a policy or add a new policy in kasp.xml you must update the changes to the database.

Code Block
ods-ksmutil update kasp

When making changes to the KASP policy the following should also be considered:

  • It is advised not to update policy details (in particular propagation times) while a rollover is in progress.
  • Changing the algorithm used in a policy is not supported in 1.3 or 1.4.
  • Certain policy changes e.g. changing 'Standby keys" from 'on' to 'off' may lead to orphaned keys.
  • After updating signature timers in the policy it may be helpful to issue the command:

    Code Block
    $ ods-signer clear <zone>; ods-signer sign <zone>

     as it will speed up acclimatising timers for the signatures.


If you add zones directly into the zonelist (rather than using the ods-ksmutil zone add command) you must tell the enforcer to re-read the zone list by using the command:

Code Block
ods-ksmutil update zonelist


Monitoring the system

  • The pids used by the enforcer and signer processes are reported in syslog on startup.
  • The command 'ods-signer running' will report the status of the signer process, or restart it if it is not running.
  • When the enforcer daemon has run and completed enforcing the zones is sends a message to the syslog containing the text "Sleeping for" reporting how long it will be until it next runs 
  • The signer produces a log containing the text "[STAT]" whenever a zone is successfully signed
  • A Nagios plugin is available to check signed zones:


Details of logs produced by the system can be found on the Logging page.