This section describes how to start OpenDNSSEC and the operations used to manage and monitor the system.
The details of the command utilities shown below can be found here.
All directories are prepared by the build script and are set to be owned by root, so all commands in the default configuration must also be run by root. To change this, alter the configuration or privileges on the files and directories.
Before you run the system for the first time you must import your policy and zone list into the database using the following command:
After running this the first time, you will be ready to run OpenDNSSEC with an empty set of zones. On the other hand, if this command is run on an existing database, then will all meta-information about the zones be lost. The keys would then still exist in HSMs, so you should not forget to clean them up.
OpenDNSSEC consist of two daemons, ods-signerd and ods-enforcerd. To start and stop them use the following commands:
A proper-looking response to this commands is:
At any time, you can stop OpenDNSSEC's daemons orderly with:
After this, your logs should contain messages like:
Your zone will be signed, once you have setup the system and started it. When you have verified that the zone is operational and working, it is time to upload the trust anchor to the parent zone. The Enforcer is waiting for zone to be connected to the trust chain before considering the KSK to be active.
Export the public key either as DNSKEY or DS, depending on what format your parent zone wants it in. See the section Export the public keys, on how to get the key information.
This step can be automated or semi-automated by placing a command in the <DelegationSignerSubmitCommand> tag. This should point to a binary which will accept the required key(s) as DNSKEY RRs on STDIN.
Notify the Enforcer when you can see the DS RR in your parent zone. You usually give the keytag to the Enforcer, but if there are KSKs with the same keytag then use the CKA_ID.
And you will see that your KSK is now active:
The details of common key management activities are described on the Key Management page - these include:
The details of common zone management activities are described on the Zone Management page - these include:
When you make changes to a policy or add a new policy in kasp.xml you must update the changes to the database.
When making changes to the KASP policy the following should be considered:
After updating signature timers in the policy it may be helpful to issue the command:
as it will speed up acclimatising timers for the signatures.
Details of logs produced by the system can be found on the Logging page.