
Code Block
ods-ksmutil setup

Delete the current contents of the database (including any keys) and then import the repository list from conf.xml, kasp.xml and zonelist.xml into the database.

Command: start|stop|notify

...

Code Block
ods-ksmutil update kasp
ods-ksmutil update zonelist
ods-ksmutil update conf
ods-ksmutil update all

Update the database from config_dir (like setup above, but existing keys are kept) by importing the contents of kasp.xml, zonelist.xml or the repository list from conf.xml into the database (or all three). For zonelist and conf the update replaces the existing contents of the database (but note that keys are not updated by any of these commands). For kasp the update replaces or adds to the existing content, but does not delete any policies. The command 'ods-ksmutil policy purge' can be used to remove policies with no zones associated with them.

Note that 'update kasp' is equivalent to 'import policy' and 'update zonelist' is equivalent to 'import zonelist'.

Command: zone add

Code Block
ods-ksmutil zone add

Add a zone to both zonelist.xml and the database (both locations read from conf.xml).

Options

Code Block
--zone <zone>                     aka -z
[--policy <policy>]               aka -p
[--signerconf <signerconf.xml>]   aka -s
[--input <input>]                 aka -i
[--in-type <input type>]          aka -j
[--output <output>]               aka -o
[--out-type <output type>]        aka -q
[--no-xml]                        aka -m

...

  • The <input type> and <output type> fields specify what kind of adaptor should be configured for the zone. Valid values are 'File' (default) and 'DNS' for both input and output:
    • When using a 'File' adaptor the <input> field specifies the location of the unsigned zone and the <output> field specifies the location of the signed zone.
    • When using a 'DNS' adaptor the <input> and <output> fields specify the location of the xml file that describes the adapter to be used, e.g. {prefix}/etc/opendnssec/addns.xml.
  • Defaults are provided for all options but zone name:
    • --policy will use the 'default' policy
    • --signerconf will default to the {prefix}/var/opendnssec/signerconf/<zone>.xml file
    • --input will default to {prefix}/var/opendnssec/unsigned/<zone> for a 'File' adaptor or (available from 1.4.3) {prefix}/var/opendnssec/addns.xml for a 'DNS' adaptor (before 1.4.3 there is no default for a 'DNS' adaptor)
    • --in-type will default to 'File'
    • --output will default to {prefix}/var/opendnssec/signed/<zone> for a 'File' adaptor or (available from 1.4.3) {prefix}/var/opendnssec/addns.xml for a 'DNS' adaptor (before 1.4.3 there is no default for a 'DNS' adaptor)
    • --out-type will default to 'File'
  • The "no-xml" flag is useful when adding a number of zones; it prevents zonelist.xml from being written to, thus speeding up the process. If the "no-xml" flag is used then after all the zones have been added the zonelist file will need to be updated via the command:

Code Block
ods-ksmutil zonelist export

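The batch pattern described above (add many zones with --no-xml, then write zonelist.xml once with 'zonelist export') as a small wrapper script. This is an added example, not part of the OpenDNSSEC documentation or code base. It assumes ods-ksmutil is on the PATH (or named in ODS_KSMUTIL), that {prefix} is /usr/local (override with ODS_PREFIX), and that the zone list file format, one "zone [policy] [adaptor-type]" per line, is this script's own convention. The script passes the documented default paths explicitly so that the same command line is issued regardless of which 1.4.x release is installed.

```shell
#!/bin/sh
# Batch-add zones with --no-xml, then export zonelist.xml exactly once.
# Example script, not part of OpenDNSSEC.
# Assumptions: ods-ksmutil is on PATH (override with ODS_KSMUTIL) and
# {prefix} is /usr/local (override with ODS_PREFIX).
ODS_KSMUTIL="${ODS_KSMUTIL:-ods-ksmutil}"
ODS_PREFIX="${ODS_PREFIX:-/usr/local}"

# Default adaptor location for a zone, following the 'zone add' defaults:
# File adaptor -> unsigned/<zone> (input) or signed/<zone> (output),
# DNS adaptor  -> addns.xml (the DNS default exists from 1.4.3).
default_adapter_path() {  # $1 = input|output, $2 = zone, $3 = File|DNS
  case "$3" in
    DNS)  printf '%s/var/opendnssec/addns.xml\n' "$ODS_PREFIX" ;;
    File) if [ "$1" = input ]; then
            printf '%s/var/opendnssec/unsigned/%s\n' "$ODS_PREFIX" "$2"
          else
            printf '%s/var/opendnssec/signed/%s\n' "$ODS_PREFIX" "$2"
          fi ;;
    *)    printf 'unknown adaptor type: %s\n' "$3" >&2; return 1 ;;
  esac
}

# Add one zone without touching zonelist.xml (--no-xml). The adaptor type
# is applied to both input and output; the policy falls back to 'default'.
add_zone() {  # $1 = zone, $2 = policy (default: default), $3 = adaptor type (default: File)
  zone=$1; policy=${2:-default}; atype=${3:-File}
  input=$(default_adapter_path input "$zone" "$atype") || return 1
  output=$(default_adapter_path output "$zone" "$atype") || return 1
  "$ODS_KSMUTIL" zone add --zone "$zone" --policy "$policy" \
      --input "$input" --in-type "$atype" \
      --output "$output" --out-type "$atype" --no-xml
}

# Read "zone [policy] [adaptor-type]" lines (blank lines and '#' comments
# are skipped), add each zone, then write zonelist.xml once at the end.
# Prints the number of zones added.
add_zones_from_file() {  # $1 = list file
  count=0
  while read -r zone policy atype _rest; do
    case "$zone" in ''|'#'*) continue ;; esac
    add_zone "$zone" "$policy" "$atype" || return 1
    count=$((count + 1))
  done < "$1"
  "$ODS_KSMUTIL" zonelist export || return 1
  echo "$count"
}

# Usage: add-zones.sh zones.txt
if [ "$#" -gt 0 ]; then
  add_zones_from_file "$1"
fi
```

If any single 'zone add' fails the script stops before 'zonelist export', so the database and zonelist.xml are never left disagreeing silently; rerun after fixing the offending line.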

Command: zone delete

Code Block
ods-ksmutil zone delete

Delete a zone from both zonelist.xml and the database (both locations read from conf.xml).

Options

Code Block
--zone <zone> | --all             aka -z / -a

Command: zone list

Code Block
ods-ksmutil zone list

List zones from the zonelist.xml

Command: repository list

Code Block
ods-ksmutil repository list

List repositories from the database

Command: policy export

Code Block
ods-ksmutil policy export

Export a policy from the database in kasp.xml format. 

Options

Code Block
--policy <policy> | --all         aka -p / -a

Command: policy import

Code Block
ods-ksmutil policy import

Update the database with the contents of kasp.xml; identical to "update kasp". (Note this does not delete any policies. The command 'ods-ksmutil policy purge' can be used to remove policies with no zones associated with them.)

Command: policy list

Code Block
ods-ksmutil policy list

List policies available.

Command: policy purge (experimental)

Code Block
ods-ksmutil policy purge

Delete all policies and associated keys if there are no zones currently using the policy. This command should be used with caution and it is recommended to backup your database before using it.

Command: key list

Code Block
ods-ksmutil key list

List information about keys in zone.

Options

Pre 1.4.4:

Code Block
[--verbose]
--zone <zone> | --all             aka -z / -a

1.4.4 and later:

Code Block
[--verbose]                       aka -v (will appear soon)
[--zone <zone>]                   aka -z
[--keystate <state> | --all]      aka -e / -a
[--keytype <type>]                aka -t
[--ds]                            aka -d

By default:

  • keys for all zones are listed when using 'ods-ksmutil key list'
  • the 'ods-ksmutil key list' command does not list keys in the GENERATE or DEAD state.

In 1.4.4 the command was extended to support filters on key state and key type.

  • The --all option now results in a listing of keys in all key states, including GENERATE and DEAD

Command: key export

Code Block
ods-ksmutil key export

...

Code Block
--cka_id <CKA_ID>                 aka -k
--repository <repository>         aka -r
--zone <zone>                     aka -z
--bits <size>                     aka -b
--algorithm <algorithm>           aka -g
--keystate <state>                aka -e
--keytype <type>                  aka -t
--time <time>                     aka -w
[--check-repository]              aka -C
[--retire <retire>]               aka -y

  • (Available from 1.4.3) If the --check-repository flag is used then the import will fail if no key with the matching cka_id is available in the repository.

Command: key rollover

Code Block
ods-ksmutil key rollover

...

Code Block
--policy <policy>                     aka -p
--interval <interval>                 aka -n
[--zonetotal <zone total>]            aka -Z
--auto-accept                         aka -A

...

  • Intervals are specified in the format used in the configuration files, see Configuration.
  • (Available in 1.4.2) Optionally specify a given total number of zones to generate keys for (default is all the zones on the policy) with the --zonetotal parameter.
  • The command predicts the number of keys that will be generated and then the user is requested to confirm the operation. If the --auto-accept parameter is specified the confirmation step is skipped.

...

Indicate that a submitted DS record has appeared in the parent zone (this triggers the completion of a KSK rollover, or the provisioning of a standby KSK).

Options

Code Block
[--zone <zone>]                          aka -z
--keytag <keytag> | --cka_id <CKA_ID>    aka -x / -k
[--no-notify]                            aka -l
[--no-retire]                            aka -f

  • Specifying a zone will speed up the search of keys by narrowing the field but is not mandatory

...

  • cka_id can be used to resolve a keytag clash.
  • By default the command will simultaneously move the current key into the retired state. If you wish to delay this step then add the --no-retire flag and use the ksk-retire command when needed.
  • (Available in 1.4.3) By default the command will notify the enforcer that there has been a change so that the changes take full effect. If you wish to delay this step then add the --no-notify flag and use the 'ods-control enforcer notify' command after all the ds-seen commands have been issued.
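The deferred-notification pattern from the last bullet (one 'key ds-seen --no-notify' per key, then a single 'ods-control enforcer notify'), together with the keytag-clash rule from the first bullet, as a small wrapper script. This is an added example, not part of the OpenDNSSEC documentation or code base. It assumes ods-ksmutil and ods-control are on the PATH (override with ODS_KSMUTIL and ODS_CONTROL), an OpenDNSSEC release of 1.4.3 or later (for --no-notify), and an input file format of one "zone keytag [cka_id]" per line, which is this script's own convention; the keytags and CKA_IDs in the test are constructed values.

```shell
#!/bin/sh
# Mark several submitted DS records as seen in the parent zone, suppressing
# the per-command enforcer notification, then notify the enforcer once.
# Example script, not part of OpenDNSSEC. Assumes ods-ksmutil and
# ods-control are on PATH (override with ODS_KSMUTIL / ODS_CONTROL) and
# OpenDNSSEC 1.4.3 or later. Set NO_RETIRE=1 to also defer retiring the
# current KSK (to be followed by 'key ksk-retire' later).
ODS_KSMUTIL="${ODS_KSMUTIL:-ods-ksmutil}"
ODS_CONTROL="${ODS_CONTROL:-ods-control}"

# Issue one ds-seen. A CKA_ID, when known, is preferred over the keytag
# because keytags are not unique and can clash; the zone is always given
# to narrow the key search.
ds_seen_one() {  # $1 = zone, $2 = keytag or '-', $3 = cka_id or empty
  zone=$1; keytag=$2; cka=$3
  if [ -n "$cka" ]; then
    set -- --zone "$zone" --cka_id "$cka"
  elif [ -n "$keytag" ] && [ "$keytag" != '-' ]; then
    set -- --zone "$zone" --keytag "$keytag"
  else
    echo "ds-seen: need a keytag or cka_id for $zone" >&2
    return 1
  fi
  if [ "${NO_RETIRE:-0}" = 1 ]; then
    set -- "$@" --no-retire
  fi
  "$ODS_KSMUTIL" key ds-seen "$@" --no-notify
}

# Read "zone keytag [cka_id]" lines (blank lines and '#' comments are
# skipped), run ds-seen for each, then notify the enforcer exactly once.
# Prints the number of keys processed.
ds_seen_from_file() {  # $1 = list file
  count=0
  while read -r zone keytag cka _rest; do
    case "$zone" in ''|'#'*) continue ;; esac
    ds_seen_one "$zone" "$keytag" "$cka" || return 1
    count=$((count + 1))
  done < "$1"
  # A single notification makes all of the above take effect.
  "$ODS_CONTROL" enforcer notify || return 1
  echo "$count"
}

# Usage: ds-seen-batch.sh seen-keys.txt
if [ "$#" -gt 0 ]; then
  ds_seen_from_file "$1"
fi
```

Because the script stops at the first failing ds-seen and never reaches the notify step in that case, the enforcer is not told about a partially applied batch; the already-marked keys are picked up by the next notify after the problem line is fixed and the script is rerun.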

Command: key ksk-retire

Code Block
ods-ksmutil key ksk-retire

...