Versions Compared


  • This line was added.
  • This line was removed.
  • Formatting was changed.


Code Block
 cmd> help
 zones                       Show the currently known zones
 sign <zone> [--serial <nr>] Read zone and schedule zone for immediate (re-)signing.
                             If a serial is given, that serial is used in the output zone.
 sign --all                  Read all zones and schedule all for immediate (re-)signing.
 clear <zone>                Delete the internal storage of this zone.
                             All signatures will be regenerated on the next re-sign.
 queue                       Show the current task queue.
 flush                       Execute all scheduled tasks immediately.
 update <zone>               Update this zone signer configurations.
 update [--all]              Update zone list and all signer configurations.
 start                       Start the engine.
 running                     Check if the engine is running.
 reload                      Reload the engine.
 stop                        Stop the engine.
 verbosity <nr>              Set verbosity.


  • When a using a 'File' input adaptor and the zone file is manually updated the user must manually issue the command for the signer to re-sign the zone 'ods-signer sign <zone>'
  • The verbosity level controls the level of logging, 0 will disable logging and 3 (default level) will provide informational log messages. You can set it higher to get debug log messages.

The same commands can be passed as command line arguments in your unix shell.




The tool ods-getconf can be used to retrieve a configuration option value given an expression. Introduced in 1.4.6.


This tool is provided to check that the configuration files (conf.xml and kasp.xml) are semantically sane and contain no inconsistencies.


The hsmbully tool may be used to test your HSM for compliance with PKCS#11. This tool is not part of OpenDNSSEC, but can be found in the SVN GitHub repository:

Code Block
git coclone http hsmbully


You can also run the two OpenDNSSEC daemons ods-signerd and ods-enforcerd from the command line, they are installed into the sbin directory.


The Enforcer daemon creates keys if needed (and configured to); it also maintains the states of the keys according to the appropriate policy. As the states of keys change, it communicates these changes to the signer via the configuration files that the signer uses when signing the zones. To run, call:

Code Block

or if you want to use specific command line options:

Code Block
>ods-enforcerd -h
Usage: ods-enforcerd [OPTION]...
OpenDNSSEC Enforcer version x.y.z
Supported options:
  -c <file>    Use alternate conf.xml.
  -d           Debug.
  -1           Run once, then exit.
  -p <policy>  Run once processing only the specified policy, then exit.   
  -P <pidfile> Specify the PID file to write.
  -V           Print version.
  -[?|h]       This help.

Note that the -p <policy> option is available in 1.4.3