Zones can be added and removed at will. If the optional parameters are not given, the zone is assigned the policy named default and its files are placed in the /var/opendnssec/ subdirectories.
ods-ksmutil zone add --zone example.com [--policy <policy> --signerconf <signerconf.xml> --input <input> --output <output>]
ods-ksmutil zone delete --zone example.com
This command will report positively with a message like:
zonelist filename set to /etc/opendnssec/zonelist.xml.
SQLite database set to: /var/opendnssec/kasp.db
Imported zone: example.com
Running this command thousands of times can be slow, because each call also rewrites zonelist.xml. Pass --no-xml to skip that step, then export the zonelist once you are finished:
Alternatively, you could manually edit the zonelist.xml and then give the command:
ods-ksmutil update zonelist
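Putting the --no-xml bulk workflow together, as an added example that is not OpenDNSSEC's own code: the script checks that each name from the input list is hostname-shaped before it reaches the command line, skips duplicates, and writes zonelist.xml once at the end. It assumes OpenDNSSEC 1.x, where ods-ksmutil zonelist export prints the XML to stdout; setting DRY_RUN=1 prints the commands instead of running them.

```shell
#!/bin/sh
# Added example for this page, not part of OpenDNSSEC: bulk-add zones with
# --no-xml, then regenerate zonelist.xml once. Assumes OpenDNSSEC 1.x, where
# "ods-ksmutil zonelist export" writes the XML to stdout.

ZONELIST=/etc/opendnssec/zonelist.xml   # path from the page's own output
DRY_RUN=${DRY_RUN:-0}                   # DRY_RUN=1 prints commands instead

# Accept only hostname-shaped zone names (letters, digits, hyphens, dots) so
# that nothing else from the input list reaches the command line.
valid_zone() {
    printf '%s\n' "$1" |
      grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Run a command, or just print it in dry-run mode. Real output goes to stderr
# so stdout stays free for the command log.
run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@" >&2; fi
}

# add_zones FILE [POLICY]: one zone per line; blank lines, '#' comments and
# duplicates are skipped, invalid names are reported. Sets ADDED to the count.
add_zones() {
    file=$1; policy=${2:-default}; ADDED=0; seen=""
    while IFS= read -r line || [ -n "$line" ]; do
        zone=${line%%#*}
        zone=$(printf '%s' "$zone" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -z "$zone" ] && continue
        if ! valid_zone "$zone"; then
            echo "skipping invalid zone name: $zone" >&2
            continue
        fi
        case " $seen " in *" $zone "*) continue ;; esac
        seen="$seen $zone"
        run ods-ksmutil zone add --zone "$zone" --policy "$policy" --no-xml
        ADDED=$((ADDED + 1))
    done < "$file"
}

# Write the database's zone list to zonelist.xml in one go.
export_zonelist() {
    if [ "$DRY_RUN" = 1 ]; then
        printf 'ods-ksmutil zonelist export > %s\n' "$ZONELIST"
    else
        ods-ksmutil zonelist export > "$ZONELIST"
    fi
}
# Usage: add_zones zones.txt default && export_zonelist
```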
After zones are added, they will show up in your logs as follows:
ods-enforcerd: Zone example.com found.
ods-enforcerd: Policy for example.com set to default.
ods-enforcerd: Config will be output to /var/opendnssec/signconf/example.com.xml.
If you open the latter file, you will find the settings that were applied to the zone at the time the file was written.
When you update the content of an unsigned zone, you must tell the signer engine to re-read the unsigned zone file using the ods-signer command, like this:
ods-signer sign example.com
This also has the effect of scheduling the zone for immediate resigning.