Versions Compared

...

Code Block
ods-ksmutil setup

Delete current contents of database (including any keys) and then import repository list, kasp.xml and zonelist.xml into a database.

Command: start|stop|notify

...

Code Block
ods-ksmutil update kasp
ods-ksmutil update zonelist
ods-ksmutil update conf
ods-ksmutil update all

Update database from config_dir (like above, but existing contents are kept)

...

Code Block
ods-ksmutil zone add

Add a zone to both zonelist.xml and the database (both locations read from conf.xml).

Options

...

by importing contents of kasp.xml, zonelist.xml or the repository list from conf.xml into a database (or all three). For zonelist and conf the update replaces the existing contents of the database (but note the keys are not updated by any of these commands). For kasp the update replaces or adds to the existing content, but does not delete any policies. The command 'ods-ksmutil policy purge' can be used to remove policies with no zones associated with them.

Note that 'update kasp' is equivalent to 'import policy' and 'update zonelist' is equivalent to 'import zonelist'.

Command: zone add

Code Block
ods-ksmutil zone add

Add a zone to both zonelist.xml and the database (both locations read from conf.xml).

Options

Code Block
--zone <zone>                     aka -z
[--policy <policy>]               aka -p
[--signerconf <signerconf.xml>]   aka -s
[--input <input>]                 aka -i
[--in-type <input type>]          aka -j
[--output <output>]               aka -o
[--out-type <output type>]        aka -q
[--no-xml]                        aka -m

...

  • The <input type> and <output type> fields specify what kind of adaptor should be configured for the zone. Valid values are 'File' (default) and 'DNS' for both input and output:
    • When using a 'File' adaptor the <input> field specifies the location of the unsigned zone and the <output> field specifies the location of the signed zone
    • When using a 'DNS' adaptor the <input> and <output> fields specify the location of the xml file that describes the adaptor to be used, e.g. {prefix}/etc/opendnssec/addns.xml
  • Defaults are provided for all options but zone name:
    • --policy will use the 'default' policy
    • --signerconf will default to use the {prefix}/var/opendnssec/signerconf/<zone>.xml file
    • --input will default to {prefix}/var/opendnssec/unsigned/<zone> for a 'File' adaptor or (available from 1.4.3) {prefix}/var/opendnssec/addns.xml for a 'DNS' adaptor
    • --in-type will default to 'File'
    • --output will default to {prefix}/var/opendnssec/signed/<zone> for a 'File' adaptor or (available from 1.4.3) {prefix}/var/opendnssec/addns.xml for a 'DNS' adaptor
    • --out-type will default to 'File'
  • The "no-xml" flag is useful when adding a number of zones; it prevents zonelist.xml from being written to, thus speeding up the process. If the "no-xml" flag is used, then after all the zones have been added the zonelist file will need to be updated via the command:
Code Block
ods-ksmutil zonelist export

Command: zone delete

Code Block
ods-ksmutil zone delete

Delete a zone from both zonelist.xml and the database (both locations read from conf.xml).

Options

Code Block
--zone <zone> | --all             aka -z / -a

Command: zone list

Code Block
ods-ksmutil zone list

List zones from the zonelist.xml

Command: repository list

Code Block
ods-ksmutil repository list

List repositories from the database

Command: policy export

Code Block
ods-ksmutil policy export

Export a policy from the database in kasp.xml format.

Options

Code Block
--policy <policy> | --all         aka -p / -a

Command: policy import

Code Block
ods-ksmutil policy import

Update the database with the contents of kasp.xml; identical to "update kasp". (Note this does not delete any policies. The command 'ods-ksmutil policy purge' can be used to remove policies with no zones associated with them.)

Command: policy list

Code Block
ods-ksmutil policy list

List policies available.

Command: policy purge (experimental)

Code Block
ods-ksmutil policy purge

Delete all policies and associated keys if there are no zones currently using the policy. This command should be used with caution and it is recommended to back up your database before using it.

Command: key list

Code Block
ods-ksmutil key list

List information about keys in zone.

Options

Code Block
Pre 1.4.4:
[--verbose]
--zone <zone> | --all             aka -z / -a

1.4.4 and later:
[--verbose]                       aka -v
[--zone <zone>]                   aka -z
[--keystate <state> | --all]      aka -e / -a
[--keytype <type>]                aka -t

By default:

  • keys for all zones are listed when using 'ods-ksmutil key list'
  • the 'ods-ksmutil key list' command does not list keys in the GENERATE or DEAD state.

In 1.4.4 the command was extended to support filters on key state and key type.

  • The --all option now results in a listing of keys in all key states, including GENERATE and DEAD

Command: key export

Code Block
ods-ksmutil key export

...

Code Block
--cka_id <CKA_ID>                 aka -k
--repository <repository>         aka -r
--zone <zone>                     aka -z
--bits <size>                     aka -b
--algorithm <algorithm>           aka -g
--keystate <state>                aka -e
--keytype <type>                  aka -t
--time <time>                     aka -w
[--check-repository]              aka -C
[--retire <retire>]               aka -y

  • (Available from 1.4.3) If the --check-repository flag is used then the import will fail if no key with the matching cka_id is available in the repository.

Command: key rollover

Code Block
ods-ksmutil key rollover

...