This section describes common Zone Management activities in OpenDNSSEC.
The details of the command utilities shown below can be found here.
Adding / Removing zones
Zones can be added and removed at will. If the optional parameters are not given, the zone uses the default policy and 'File' adaptors are assumed for both input and output, with the (un)signed zones located in the {prefix}/var/opendnssec/ subdirectories. More details on the zone add command can be found here: ods-ksmutil zone add
ods-ksmutil zone add --zone example.com [--policy <policy> --signerconf <signerconf.xml> --input <input> --in-type <input type> --output <output> --out-type <output type>]
ods-ksmutil zone delete --zone example.com
A successful add reports a message like:
zonelist filename set to /etc/opendnssec/zonelist.xml.
SQLite database set to: /var/opendnssec/kasp.db
Imported zone: example.com
Alternatively, you could manually edit the zonelist.xml and then give the command:
ods-ksmutil update zonelist
After zones are added, they will show up in your logs as follows:
ods-enforcerd: Zone example.com found.
ods-enforcerd: Policy for example.com set to default.
ods-enforcerd: Config will be output to /var/opendnssec/signconf/example.com.xml.
If you opened the latter file, you would find the settings that were applied to the zone at the time this file was added.
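The check below is an added example, not part of the OpenDNSSEC documentation: it cross-checks the zones listed in zonelist.xml against the ods-enforcerd log lines shown above and reports any zone the enforcer has not confirmed or has logged under a different policy. The zonelist sample is constructed and trimmed to the Zone, Policy and SignerConfiguration elements, the log lines are constructed in the format above, and audit() is a hypothetical helper name.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample zonelist.xml, trimmed to the elements checked here.
ZONELIST = """<ZoneList>
  <Zone name="example.com"><Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.com.xml</SignerConfiguration></Zone>
  <Zone name="example.net"><Policy>lab</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.net.xml</SignerConfiguration></Zone>
  <Zone name="example.org"><Policy>default</Policy>
    <SignerConfiguration>/var/opendnssec/signconf/example.org.xml</SignerConfiguration></Zone>
</ZoneList>"""
# Constructed log lines in the ods-enforcerd format shown above.
LOG = """\
ods-enforcerd: Zone example.com found.
ods-enforcerd: Policy for example.com set to default.
ods-enforcerd: Config will be output to /var/opendnssec/signconf/example.com.xml.
ods-enforcerd: Zone example.net found.
ods-enforcerd: Policy for example.net set to default.
ods-enforcerd: Config will be output to /var/opendnssec/signconf/example.net.xml.
"""

FOUND = re.compile(r"ods-enforcerd: Zone (\S+) found\.$")
POLICY = re.compile(r"ods-enforcerd: Policy for (\S+) set to (\S+)\.$")
CONFIG = re.compile(r"ods-enforcerd: Config will be output to (\S+)\.$")

def audit(zonelist_xml, log_text):
    """Return {zone: [issues]} for zonelist zones the enforcer log does not confirm."""
    found, policies, configs = set(), {}, set()
    for line in map(str.strip, log_text.splitlines()):
        if m := FOUND.search(line):
            found.add(m.group(1))
        elif m := POLICY.search(line):
            policies[m.group(1)] = m.group(2)
        elif m := CONFIG.search(line):
            configs.add(m.group(1))
    problems = {}
    for zone in ET.fromstring(zonelist_xml).iter("Zone"):
        name = zone.get("name")
        policy = zone.findtext("Policy", "").strip()
        conf = zone.findtext("SignerConfiguration", "").strip()
        checks = [(name in found, "not found by enforcer"),
                  (policies.get(name) == policy, f"policy {policies.get(name)!r} != {policy!r}"),
                  (conf in configs, "signconf path not logged")]
        issues = [msg for ok, msg in checks if not ok]
        if issues:
            problems[name] = issues
    return problems

if __name__ == "__main__":
    print(audit(ZONELIST, LOG))
```

A zone that appears in the result has been listed but not picked up as configured, which usually means the zonelist was edited without running the update command.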
Updating an unsigned zone
ods-signer sign example.com
This will also have the effect that the zone is scheduled for immediate resigning.