...

Code Block
ods-ksmutil setup

Delete the current contents of the database (including any keys) and then import the repository list from conf.xml, kasp.xml and zonelist.xml into the database.

Command: start|stop|notify

...

Code Block
ods-ksmutil update kasp
ods-ksmutil update zonelist
ods-ksmutil update conf
ods-ksmutil update all

Update the database by importing the contents of kasp.xml, zonelist.xml or the repository list from conf.xml (or all three). For zonelist and conf the update replaces the existing contents of the database (note that keys are not updated by any of these commands). For kasp the update replaces or adds to the existing content but does not delete any policies; the command 'ods-ksmutil policy purge' can be used to remove policies that have no zones associated with them.

Note that 'update kasp' is equivalent to 'import policy' and 'update zonelist' is equivalent to 'import zonelist'.

Command: zone add

Code Block
ods-ksmutil zone add

Add a zone to both zonelist.xml and the database (both locations read from conf.xml).

...

  • The <input type> and <output type> fields specify what kind of adaptor should be configured for the zone. Valid values are 'File' (default) and 'DNS' for both input and output:
    • When using a 'File' adaptor the <input> field specifies the location of the unsigned zone and the <output> field specifies the location of the signed zone.
    • When using a 'DNS' adaptor the <input> and <output> fields specify the location of the XML file that describes the adaptor to be used, e.g. {prefix}/etc/opendnssec/addns.xml.
  • Defaults are provided for all options but the zone name:
    • --policy will use the 'default' policy
    • --signerconf will default to the {prefix}/var/opendnssec/signerconf/<zone>.xml file
    • --input will default to {prefix}/var/opendnssec/unsigned/<zone> for a 'File' adaptor or (available from 1.4.3) {prefix}/var/opendnssec/addns.xml for a 'DNS' adaptor
    • --in-type will default to 'File'
    • --output will default to {prefix}/var/opendnssec/signed/<zone> for a 'File' adaptor or (available from 1.4.3) {prefix}/var/opendnssec/addns.xml for a 'DNS' adaptor
    • --out-type will default to 'File'
  • The "no-xml" flag is useful when adding a number of zones; it prevents zonelist.xml from being written to, which speeds up the process. If the "no-xml" flag is used then, after all the zones have been added, the zonelist file will need to be updated via the command:

...
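The batch use of "no-xml" described above, as an added example that is not part of the OpenDNSSEC documentation or code base. It assumes ods-ksmutil is on PATH, a policy named 'default' exists, {prefix} is /usr/local, and that the zonelist rewrite step this page elides is 'ods-ksmutil zonelist export' writing the list to stdout (because that is an assumption, the export output is only installed over zonelist.xml after it has been checked). The zone list fed to it in the usage comment is constructed.

```sh
#!/bin/sh
# Added example, not from the OpenDNSSEC docs: add a batch of zones with
# --no-xml, rewrite zonelist.xml once afterwards, and check the result.
# Assumptions: ods-ksmutil on PATH, a policy named 'default', {prefix} of
# /usr/local, and that 'ods-ksmutil zonelist export' writes the zone list to
# stdout (the page elides this step, so the output handling below is defensive).

PREFIX="${PREFIX:-/usr/local}"
ZONELIST="${ZONELIST:-$PREFIX/etc/opendnssec/zonelist.xml}"

# Accept only plain hostnames: the name ends up on a command line and as an
# XML attribute value, so reject anything with spaces, quotes or odd labels.
valid_zone_name() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.?$'
}

# The two adaptor types --in-type/--out-type accept (see the option list above).
valid_adaptor() {
    case "$1" in File|DNS) return 0 ;; *) return 1 ;; esac
}

# Add one zone without touching zonelist.xml. Paths are left to the defaults
# described above (unsigned/<zone> and signed/<zone> for File, addns.xml for DNS).
add_zone_noxml() {
    zone="$1" policy="${2:-default}" in_type="${3:-File}" out_type="${4:-File}"
    valid_zone_name "$zone" || { echo "skipping invalid zone name '$zone'" >&2; return 1; }
    valid_adaptor "$in_type" && valid_adaptor "$out_type" ||
        { echo "bad adaptor type for $zone (use File or DNS)" >&2; return 1; }
    ods-ksmutil zone add --zone "$zone" --policy "$policy" \
        --in-type "$in_type" --out-type "$out_type" --no-xml
}

# True when $1 (a zonelist.xml) already has a <Zone name="$2"> entry.
zonelist_has_zone() {
    grep -q "<Zone name=\"$2\">" "$1"
}

# Regenerate zonelist.xml from the database. The export is captured first and
# only installed if it really contains a zone list, so a failed or empty run
# can never replace the live file with nothing.
regenerate_zonelist() {
    tmp="$ZONELIST.new"
    if ods-ksmutil zonelist export > "$tmp" && grep -q '<ZoneList' "$tmp"; then
        mv "$tmp" "$ZONELIST"
    else
        rm -f "$tmp"
        echo "zonelist export gave no zone list on stdout; $ZONELIST left untouched" >&2
        return 1
    fi
}

# Read "zone [policy [in-type [out-type]]]" lines on stdin ('#' starts a
# comment), add them all with --no-xml, then rewrite zonelist.xml once and
# warn about any zone that did not make it in.
bulk_add_zones() {
    added=""
    while read -r zone policy in_type out_type; do
        case "$zone" in ''|'#'*) continue ;; esac
        add_zone_noxml "$zone" "$policy" "$in_type" "$out_type" && added="$added $zone"
    done
    regenerate_zonelist || return 1
    for z in $added; do
        zonelist_has_zone "$ZONELIST" "$z" || echo "WARNING: $z is not in $ZONELIST" >&2
    done
}

# Usage with a constructed zone list:
# printf 'example.com default File File\nexample.net default DNS DNS\n' | bulk_add_zones
```

The name check matters more than it looks: the zone name is interpolated into a command line and into an XML attribute, and a zone list file is often assembled from other systems.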

Export a policy from the database in kasp.xml format. 

Options

Code Block
--policy <policy> | --all         aka -p / -a

...

Update the database with the contents of kasp.xml; identical to "update kasp". (Note this does not delete any policies. The command 'ods-ksmutil policy purge' can be used to remove policies with no zones associated with them.)

Command: policy list

Code Block
ods-ksmutil policy list

List policies available.

Command: policy purge (experimental)

Code Block
ods-ksmutil policy purge

Delete all policies and their associated keys if there are no zones currently using the policy. This command should be used with caution; it is recommended that you back up your database before using it.
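The backup the note above recommends, as an added example that is not part of the OpenDNSSEC documentation or code base. It assumes conf.xml selects the SQLite datastore with a <SQLite>path</SQLite> element written on one line (XML comments are not understood), that {prefix} is /usr/local, and that ods-ksmutil and ods-control are on PATH; a MySQL datastore would need mysqldump instead of a file copy. The conf.xml snippet in the comments is constructed.

```sh
#!/bin/sh
# Added example, not from the OpenDNSSEC docs: take a copy of the enforcer's
# SQLite database before running the experimental 'policy purge'. Assumes
# conf.xml configures <Datastore><SQLite>path</SQLite></Datastore> on a single
# line and {prefix} is /usr/local; a MySQL datastore would need mysqldump.

CONF="${CONF:-/usr/local/etc/opendnssec/conf.xml}"

# Print the SQLite database path from conf.xml; fail if there is none.
# Constructed input this handles:  <Datastore><SQLite> /var/opendnssec/kasp.db </SQLite></Datastore>
sqlite_db_path() {
    path=$(sed -n 's/.*<SQLite>[[:space:]]*\([^<]*[^<[:space:]]\)[[:space:]]*<\/SQLite>.*/\1/p' "$1" | head -n 1)
    [ -n "$path" ] || { echo "no <SQLite> datastore configured in $1" >&2; return 1; }
    printf '%s\n' "$path"
}

# Copy the database file beside itself with a timestamp and print the copy's
# path. A plain cp is only consistent while nothing writes to the file, which
# is why the enforcer is stopped around it below.
backup_db() {
    src="$1"
    [ -r "$src" ] || { echo "cannot read database $src" >&2; return 1; }
    dst="$src.$(date +%Y%m%d%H%M%S).bak"
    cp -p "$src" "$dst" && printf '%s\n' "$dst"
}

# Stop the enforcer, copy the database, purge, restart. If the copy cannot be
# made the purge is not attempted.
safe_policy_purge() {
    db=$(sqlite_db_path "$CONF") || return 1
    ods-control enforcer stop
    if copy=$(backup_db "$db"); then
        echo "database copied to $copy; remove it once you are happy with the purge"
        ods-ksmutil policy list
        ods-ksmutil policy purge
        ods-ksmutil policy list
    else
        echo "backup failed, not purging" >&2
    fi
    ods-control enforcer start
}

# Usage: safe_policy_purge
```

Listing the policies before and after gives a record of what the purge removed; keep the .bak copy until that has been reviewed, since the keys of a purged policy are deleted with it.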

Command: key list

Code Block
ods-ksmutil key list

List information about keys in zone.

Options

Code Block
Pre 1.4.4:
[--verbose]                       aka -v
--zone <zone> | --all             aka -z / -a

1.4.4 and later:
[--verbose]                       aka -v
[--zone <zone>]                   aka -z
[--keystate <state> | --all]      aka -e / -a
[--keytype <type>]                aka -t
[--ds]                            aka -d


By default:

  • keys for all zones are listed when using 'ods-ksmutil key list'
  • the 'ods-ksmutil key list' command does not list keys in the GENERATE or DEAD state.

In 1.4.4 the command was extended to support filters on key state and key type:

  • the --all option now results in a listing of keys in all key states, including GENERATE and DEAD.

Command: key export

Code Block
ods-ksmutil key export

Export key information in a suitable format for putting into a zonefile

Options

Code Block
--zone <zone> | --all             aka -z / -a
[--keystate <state>]              aka -e
[--keytype <type>]                aka -t
[--ds]                            aka -d

...

Code Block
--cka_id <CKA_ID>                 aka -k
--repository <repository>         aka -r
--zone <zone>                     aka -z
--bits <size>                     aka -b
--algorithm <algorithm>           aka -g
--keystate <state>                aka -e
--keytype <type>                  aka -t
--time <time>                     aka -w
[--check-repository]              aka -C
[--retire <retire>]               aka -y

  • (Available from 1.4.3) If the --check-repository flag is used then the import will fail if no key with the matching cka_id is available in the repository.

 


Command: key rollover

Code Block
ods-ksmutil key rollover

Rollover active keys on a zone or policy

Options

Code Block
--zone <zone> | --policy <policy>        aka -z / -p
--keytype <type> | --all                 aka -t / -a

"keytype" specifies a single type of key to roll. After running, the enforcer will be woken up so that the signer can be sent the new information.

If the policy that the zone is on specifies that keys are shared then all zones on that policy will be rolled. A backup of the sqlite DB file is made (if appropriate).

 

Info

From 1.4.1 either the keytype must be specified or the '--all' option is required for this command. This is to avoid the possibility of rolling more keys than intended by accidentally forgetting to specify a key type.

 


Command: key purge

Code Block
ods-ksmutil key purge

Remove keys that are in the "Dead" state from the repository and from the enforcer DB

Options

Code Block
--zone <zone> | --policy <policy>        aka -z | -p

 


Command: key generate

Code Block
ods-ksmutil key generate

Create enough keys for the given policy to last for the period of time given by interval.

Options

Code Block
--policy <policy>                     aka -p
--interval <interval>                 aka -n
[--zonetotal <zone total>]            aka -Z
[--auto-accept]                       aka -A

  • Intervals are specified in the format used in the configuration files, see Configuration.
  • (Available in 1.4.2) Optionally specify a total number of zones to generate keys for (default is all the zones on the policy) with the --zonetotal parameter.
  • The command predicts the number of keys that will be generated and then the user is requested to confirm the operation. If the --auto-accept parameter is specified the confirmation step is skipped.

Command: key ds-seen

...

Indicate that a submitted DS record has appeared in the parent zone (this triggers the completion of a KSK rollover, or the provisioning of a standby KSK).

Options

Code Block
[--zone <zone>]                          aka -z
--keytag <keytag> | --cka_id <CKA_ID>    aka -x / -k
[--no-retire]                            aka -f
[--no-notify]                            aka -l

  • Specifying a zone will speed up the search of keys by narrowing the field, but it is not mandatory.

...

  • cka_id can be used to resolve a keytag clash.
  • By default the command will simultaneously move the current key into the retired state. If you wish to delay this step then add the --no-retire flag and use the ksk-retire command when needed.
  • (Available in 1.4.3) By default the command will notify the enforcer there has been a change so that the changes take full effect. If you wish to delay this step then add the --no-notify flag and use the 'ods-control enforcer notify' command after all the ds-seen commands have been issued.
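The ds-seen step above, together with the 'key export --ds' output described earlier, as an added example that is not part of the OpenDNSSEC documentation or code base. Because ds-seen retires the current KSK by default, telling the enforcer the DS is seen before the parent actually serves it breaks the chain of trust for validating resolvers; the script therefore queries a parent nameserver first and only then issues ds-seen, with --no-notify so the enforcer is woken once at the end. It assumes ods-ksmutil, ods-control and dig are on PATH, that the KSK awaiting ds-seen is the one 'key export --ds' lists in the READY state (an assumption about the enforcer's state model, not stated on this page), and it parses two DS text layouts ('dig +short' and zonefile lines); the DS lines used for checking are constructed.

```sh
#!/bin/sh
# Added example, not from the OpenDNSSEC docs: only mark a DS as seen once a
# parent nameserver really serves it, since ds-seen also retires the old KSK.
# Assumes ods-ksmutil, ods-control and dig on PATH, and that the KSK waiting
# for ds-seen is the one 'key export --ds' lists in the READY state (enforcer
# state model assumed, not stated on this page). Two DS text layouts are
# parsed: dig +short ("<keytag> <alg> <digesttype> <digest>") and zonefile
# lines such as "<owner> [ttl] IN DS <keytag> ..."; ';' lines are comments.

# Print the key tag of every DS record on stdin, one per line.
ds_keytags() {
    awk '
        /^[[:space:]]*;/ { next }
        { for (i = 1; i < NF; i++) if ($i == "DS") { print $(i + 1); next } }
        NF >= 4 && $1 ~ /^[0-9]+$/ { print $1 }
    '
}

# Succeed when key tag $1 occurs among the DS records on stdin.
ds_present() {
    ds_keytags | grep -qx "$1"
}

# Key tags of the DS records the enforcer wants published for zone $1.
pending_ds_keytags() {
    ods-ksmutil key export --zone "$1" --keystate READY --ds | ds_keytags
}

# Query parent nameserver $3 for the DS set of zone $1 and look for key tag $2.
ds_visible_at_parent() {
    dig +short DS "$1" @"$3" | ds_present "$2"
}

# ds-seen for each pending DS that the parent serves, with --no-notify so the
# enforcer is woken once at the end (both flags per the option list above).
# Returns 1 if any DS was still missing, so a cron job or operator notices.
ds_seen_when_published() {
    zone="$1" parent_ns="$2" rc=0
    for tag in $(pending_ds_keytags "$zone"); do
        if ds_visible_at_parent "$zone" "$tag" "$parent_ns"; then
            ods-ksmutil key ds-seen --zone "$zone" --keytag "$tag" --no-notify || rc=1
        else
            echo "DS for key tag $tag of $zone not yet at $parent_ns; not marking it seen" >&2
            rc=1
        fi
    done
    ods-control enforcer notify
    return "$rc"
}

# Usage: ds_seen_when_published example.com 192.0.2.53
```

Querying one parent nameserver is the minimum; for a parent with several authoritative servers, check each of them, since ds-seen is irreversible once the old KSK has been retired. If two KSKs in the zone share a key tag, pass --cka_id instead of --keytag, as noted above.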

Command: key ksk-retire

Code Block
ods-ksmutil key ksk-retire

...