This section details the various command utilities that are available with OpenDNSSEC.
Is a wrapper around the commands below.
You need a way to interact with the KASP Enforcer, for example to add and remove zones that are handled by OpenDNSSEC. The ods-ksmutil utility provides a number of commands to make this easier. All commands are invoked on the Unix command line.
You must run the setup option before you ever run any sub-system in OpenDNSSEC. This reads the configuration kasp.xml and imports these settings into the KASP Enforcer database.
The setup command deletes the current content of the database! This includes information on keys, so existing keys will become unusable and new keys will need to be generated.
To add a zone to be handled by OpenDNSSEC, use the zone add command. This command needs a parameter to specify the zone, and optional parameters for which policy to use and which paths to use for input and output. An example of use:
A complete list of commands can be found by running:
or they are shown in detail here: ods-ksmutil commands
The ods-signer provides a Command Line Interface to the ods-signerd. There are a number of commands you can give to ods-signer. If you start the CLI without any command line parameters, you enter a shell where you can issue commands:
The same commands can be passed as command line arguments in your Unix shell.
The ods-hsmutil utility is designed to interact directly with your HSM and can be used to manually list, create or delete keys. It can also be used to perform a set of basic HSM tests.
Be careful before creating or deleting keys using ods-hsmutil, as the changes are not synced with the KASP Enforcer.
The tool ods-hsmspeed does performance testing on your HSM. This is also useful to find out what speed you can get from SoftHSM on your CPU.
This tool is provided to check that the configuration files (conf.xml and kasp.xml) are semantically sane and contain no inconsistencies.
It is advisable to use this tool to check your configuration before starting to use OpenDNSSEC.
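The two cautions above (setup wipes the KASP Enforcer database, and the configuration should be checked first) can be combined into one guard. This is an added example, not part of OpenDNSSEC or of the original page; the SQLite database path, the `ODS_*` variable names, and the expectation that ods-kaspcheck exits non-zero when it finds errors are assumptions to adjust for your installation.

```shell
#!/bin/sh
# Guard around `ods-ksmutil setup`, which deletes the KASP Enforcer database.
# Assumptions (not from the page): the SQLite path below, the ODS_* variable
# names, and that ods-kaspcheck exits non-zero when it reports errors.
: "${ODS_KASP_DB:=/var/opendnssec/kasp.db}"
: "${ODS_KASPCHECK:=ods-kaspcheck}"
: "${ODS_KSMUTIL:=ods-ksmutil}"

# guarded_setup returns:
#   0  setup was run
#   2  configuration check failed, nothing was changed
#   3  a database already exists and ODS_ALLOW_WIPE=yes was not given
#   4  the backup copy of the existing database could not be made
guarded_setup() {
    # 1. Validate conf.xml and kasp.xml before touching anything.
    if ! "$ODS_KASPCHECK" >&2; then
        echo "ods-kaspcheck reported problems; not running setup" >&2
        return 2
    fi
    # 2. A non-empty database file means setup has been run before;
    #    running it again would discard all key state.
    if [ -s "$ODS_KASP_DB" ]; then
        if [ "${ODS_ALLOW_WIPE:-no}" != "yes" ]; then
            echo "$ODS_KASP_DB exists; set ODS_ALLOW_WIPE=yes to re-run setup" >&2
            return 3
        fi
        backup="$ODS_KASP_DB.pre-setup.$(date +%Y%m%d%H%M%S)"
        cp -p "$ODS_KASP_DB" "$backup" || return 4
        echo "backed up database to $backup" >&2
    fi
    # 3. Import kasp.xml into the database (ods-ksmutil may still prompt).
    "$ODS_KSMUTIL" setup
}
```

Source the file and call `guarded_setup`; the file-based check in step 2 only applies to an SQLite database, so a MySQL-backed installation needs its own backup step.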
The hsmbully tool may be used to test your HSM for compliance with PKCS#11. This tool is not part of OpenDNSSEC, but can be found in the SVN repository:
You can also run the two OpenDNSSEC daemons, ods-signerd and ods-enforcerd, from the command line. They are installed into the sbin directory.
This is the component that performs all of the signing. It first reads zonelist.xml and then goes through all zones to sign them if needed. Start the daemon by running:
or if you want to use specific command line options:
The Enforcer daemon creates keys if needed (and configured to); it also maintains the states of the keys according to the appropriate policy. As the states of keys change, it communicates these changes to the signer via the configuration files that the signer uses when signing the zones. To run, call: