ods-enforcer - OpenDNSSEC enforcer Engine client

Authors

ods-enforcer was written by NLnet Labs as part of the OpenDNSSEC project.

OpenDNSSEC                                         April 2016                                    ods-enforcer(8)

Description

       ods-enforcer  is  part  of the OpenDNSSEC software. With this tool, you can send commands to the enforcer
       engine daemon.  ods-enforcer manages the operation of the KASP Enforcer, which is the part of  OpenDNSSEC
       that triggers key generation and signing operations on domains based on policies with user-defined timing
       and  security  requirements.  Among  the functions of ods-enforcer are key management, import to the zone
       list and manually rolling keys to recover from  exceptional  situations  like  key  loss.  The  following
       sections discuss the subcommands.

       For more information, go to http://www.opendnssec.org and visit the Documentation page.

Diagnostics

       ods-enforcer will log all problems via stderr.

Files

       /etc/opendnssec/conf.xml
              The main configuration file for OpenDNSSEC.

       /etc/opendnssec/zonelist.xml
              The list of zones as defined in conf.xml. This list is used during 'zonelist import'.

       /etc/opendnssec/kasp.xml
              The configuration of policies that define timing and security, as defined in conf.xml.

       /var/lib/opendnssec/unsigned/
              The directory, usually configured in conf.xml, that contains the unsigned zones.

       /var/lib/opendnssec/signed/
              The directory, usually configured in conf.xml, that contains the signed zones.

Generic Options

       help   Show a brief list of commands.

       start  Start the engine and the process.

       stop   Stop the engine and terminate the process.

       reload Reload the engine.

       running
              Return acknowledgment that the engine is running.

       verbosity
              Set verbosity to the given number.

Key Management Subcommands

       key list [--verbose] [--debug] [--full] [--parsable] [--zone] [--keystate] [--all]
              List information about keys in all zones, or in a particular zone, from the database.

       key export (--zone <zone>|--all) [--keystate <state>] [--keytype <type>] [--ds]
              Export DNSKEY(s) for a given zone, or for all zones, from the database.

       key import --cka_id <CKA_ID> --repository <repository> --zone <zone> --bits <size> --algorithm <algorithm> --keystate <state> --keytype <type> --inception_time <time>
              Add a key which was created outside of the OpenDNSSEC code into the enforcer database.

       key ds-submit --zone <zone> (--keytag <keytag>|--cka_id <CKA_ID>)
              Issue a ds-submit to the enforcer for a KSK.

       key ds-seen --zone <zone> (--keytag <keytag>|--cka_id <CKA_ID>)
              Issue a ds-seen to the enforcer for a KSK.

       key ds-seen --all
              Issue a ds-seen for all KSKs that are ready for it. This command indicates to OpenDNSSEC that a
              submitted DS record has appeared in the parent zone, and thereby triggers the completion of a KSK
              rollover.

       key ds-retract --zone <zone> (--keytag <keytag>|--cka_id <CKA_ID>)
              Issue a ds-retract to the enforcer for a KSK.

       key ds-gone --zone <zone> (--keytag <keytag>|--cka_id <CKA_ID>)
              Issue a ds-gone to the enforcer for a KSK.

       key generate --duration <duration> (--policy <policy>|--all)
              Pre-generate keys for all policies or for a given policy. The duration to pre-generate for can be
              specified; otherwise it is taken from conf.xml.

       key purge (--policy <policy>|--zone <zone>|--delete)
              This command removes keys that are dead from the database and HSM. If the --delete (or -d) flag
              is given, the keys are also purged from the HSM. Keys are always purged from the HSM if the
              <Purge>

       key rollover (--zone <zone>|--policy <policy>) [--keytype <keytype>|--all]
              Start a key rollover of the desired type *now*, or all of them. The process is the same as for the
              scheduled automated rollovers; however, it does not wait for the key's lifetime to expire before
              rolling. The next rollover is due after the newest key has aged past its lifetime.

       rollover list [--zone <zone>]
              List the expected dates and times of upcoming rollovers. This can be used to get an idea of
              upcoming work.
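The ds-submit/ds-seen pair above depends on the operator telling the enforcer that the new DS really is in the parent; issuing ds-seen too early lets the KSK rollover proceed while the parent still serves only the old DS. The wrapper below is an added example, not part of OpenDNSSEC: it checks a DS answer section (a constructed sample here; in practice the output of a DS query against the parent's name servers) for the expected key tag before invoking ods-enforcer. The ODS_ENFORCER variable and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not part of OpenDNSSEC): only issue "key ds-seen" once the
# DS record for the new KSK is visible in the parent zone.

# Assumption: the enforcer client is on PATH; override the variable for testing.
ODS_ENFORCER="${ODS_ENFORCER:-ods-enforcer}"

# parent_has_ds ZONE KEYTAG DS_ANSWER
# DS_ANSWER is the answer section of a DS query for ZONE, one record per line in
# presentation format: <owner> <ttl> IN DS <keytag> <alg> <digesttype> <digest>.
# Returns 0 when a DS record with key tag KEYTAG exists for ZONE, 1 otherwise.
parent_has_ds() {
    printf '%s\n' "$3" | awk -v z="$1" -v tag="$2" '
        BEGIN { if (z !~ /\.$/) z = z "." }   # dig prints owner names with a trailing dot
        $1 == z && $3 == "IN" && $4 == "DS" && $5 == tag { found = 1 }
        END { exit found ? 0 : 1 }'
}

# confirm_ds_seen ZONE KEYTAG DS_ANSWER
# Runs "ods-enforcer key ds-seen" only after parent_has_ds succeeds; otherwise
# refuses with status 1 so the KSK rollover is not completed prematurely.
confirm_ds_seen() {
    if parent_has_ds "$1" "$2" "$3"; then
        "$ODS_ENFORCER" key ds-seen --zone "$1" --keytag "$2"
    else
        echo "DS with key tag $2 not yet visible in parent of $1; ds-seen not issued" >&2
        return 1
    fi
}

# Constructed sample answer section (placeholder digests, not a real query), of
# the kind produced by: dig +noall +answer example.com DS @<parent-nameserver>
SAMPLE_DS_ANSWER='example.com.    3600    IN    DS    12345 8 2 PLACEHOLDERDIGEST
example.com.    3600    IN    DS    23456 8 2 PLACEHOLDERDIGEST'

# Run with the argument "demo" to exercise the gate against the sample data.
if [ "${1:-}" = "demo" ]; then
    confirm_ds_seen example.com 12345 "$SAMPLE_DS_ANSWER"
fi
```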

Policy Administration Subcommands

       policy list
              List all policies in the database.

       policy export (--policy <policy>|--all)
              Export a specified policy, or all of them, from the database.

       policy import
              Import policies from kasp.xml into the enforcer database.

       policy purge
              This command will remove any policies from the database which have no associated zones. Use with
              caution.

       policy resalt
              Generate new NSEC3 salts for policies that have salts older than the resalt duration.

Repository And Backup Subcommands

       backup list --repository <repository>
              Enumerate backup status of keys.

       backup prepare --repository <repository>
              Flag the keys found in all configured HSMs as to be backed up.

       backup commit --repository <repository>
              Mark flagged keys found in all configured HSMs as backed up.

       backup rollback --repository <repository>

       repository list
              List repositories.

Scheduling Options

       queue  Show all scheduled tasks with the time of their earliest execution, as well as all tasks
              currently being processed.

       flush  Execute all scheduled tasks immediately.

       enforce
              Force the enforcer to run once for every zone.

See Also

ods-control(8),   ods-enforcerd(8),   ods-signerd(8),   ods-signer(8),   ods-kasp(5),   ods-kaspcheck(1),
       ods-timing(5), ods-hsmspeed(1), ods-hsmutil(1), opendnssec(7), http://www.opendnssec.org/

Signconf And Update Subcommands

       signconf
              Force write of signer configuration files for all zones.

       update conf
              Update the configuration from conf.xml and reload the enforcer.

       update repositorylist
              List repositories.

       update all
              Perform policy import, zonelist import, and update repository list.

Synopsis

       ods-enforcer help | start | stop | reload | running
       ods-enforcer queue | flush | signconf | enforce | verbosity <number>
       ods-enforcer update conf | repositorylist | all
       ods-enforcer policy list | export | import | purge | resalt
       ods-enforcer zone list | add | delete | set-policy
       ods-enforcer zonelist export | import
       ods-enforcer key list | export | import | ds-submit | ds-seen | ds-retract | ds-gone | generate | purge |
       rollover
       ods-enforcer backup list | prepare | commit | rollback
       ods-enforcer rollover list
       ods-enforcer repository list
       ods-enforcer help [COMMAND]

Zone Management Subcommands

       zone list
              List all zones currently in the database.

       zone add --zone <zone> [--policy <policy>] [--signerconf <path>] [--in-type <type>] [--input <path>] [--out-type <type>] [--output <path>] [--xml] [--suspend]
              Add a new zone to the enforcer database.

       zone delete (--zone <zone>|--all [--xml])
              Delete a zone, or all zones, from the enforcer database.

       zone set-policy --zone <zone> --policy <policy> [--xml]
              Change the policy for a zone in the enforcer database.

       zonelist export
              Export the list of zones from the database to the zonelist.xml file.

       zonelist import [--remove-missing-zones] [--file <absolutepath>]
              Import zones from zonelist.xml into the enforcer database.
