oracular (8) ods-enforcer.8.gz

Provided by: opendnssec-enforcer-sqlite3_2.1.13-1.2ubuntu1_amd64

NAME

       ods-enforcer - OpenDNSSEC enforcer Engine client

SYNOPSIS

       ods-enforcer help | start | stop | reload | running
       ods-enforcer queue | flush | signconf | enforce | verbosity <number>
       ods-enforcer update conf | repositorylist | all
       ods-enforcer policy list | export | import | purge | resalt
       ods-enforcer zone list | add | delete | set-policy
       ods-enforcer zonelist export | import
       ods-enforcer  key  list  |  export | import | ds-submit | ds-seen | ds-retract | ds-gone |
       generate | purge | rollover
       ods-enforcer backup list | prepare | commit | rollback
       ods-enforcer rollover list
       ods-enforcer repository list
       ods-enforcer help [COMMAND]

DESCRIPTION

       ods-enforcer is part of the OpenDNSSEC software. With this tool, you can send commands  to
       the  enforcer  engine  daemon.   ods-enforcer  manages the operation of the KASP Enforcer,
       which is the part of OpenDNSSEC that triggers key generation  and  signing  operations  on
       domains  based  on  policies with user-defined timing and security requirements. Among the
       functions of ods-enforcer are key management, import to the zone list and manually rolling
       keys  to recover from exceptional situations like key loss. The following sections discuss
       the subcommands.

       For more information, go to http://www.opendnssec.org and visit the Documentation page.

GENERIC OPTIONS

       help   Show a brief list of commands.

       start  Start the engine and the process.

       stop   Stop the engine and terminate the process.

       reload Reload the engine.

       running
              Return acknowledgment that the engine is running.

       verbosity
              Set verbosity to the given number.

SCHEDULING OPTIONS

       queue  Show all scheduled tasks with the time of their earliest execution, as well  as  all
              tasks currently being processed.

       flush  Execute all scheduled tasks immediately.

       enforce
              Force the enforcer to run once for every zone.

SIGNCONF AND UPDATE SUBCOMMANDS

       signconf
              Force write of signer configuration files for all zones.

       update conf
              Update the configuration from conf.xml and reload the enforcer.

       update repositorylist
              Re-read the repository configuration from conf.xml and list the repositories.

       update all
              Perform policy import, zonelist import, and update repository list.

POLICY ADMINISTRATION SUBCOMMANDS

       policy list
              List all policies in the database.

       policy export (--policy <policy> | --all)
              Export a specified policy or all of them from the database.

       policy import
              Import policies from kasp.xml into the enforcer database.

       policy purge
              This  command  will  remove any policies from the database which have no associated
              zones. Use with caution.

       policy resalt
              Generate new NSEC3 salts for  policies  that  have  salts  older  than  the  resalt
              duration.

ZONE MANAGEMENT SUBCOMMANDS

       zone list
              List all zones currently in the database.

       zone  add  --zone  <zone>  [--policy  <policy>]  [--signerconf  <path>] [--in-type <type>]
       [--input <path>] [--out-type <type>] [--output <path>] [--xml] [--suspend]
              Add a new zone to the enforcer database.

       zone delete (--zone <zone> | --all [--xml])
              Delete a zone or all of zones from the enforcer database.

       zone set-policy --zone <zone> --policy <policy> [--xml]
              Change the policy for a zone in the enforcer database.

       zonelist export
              Export list of zones from the database to the zonelist.xml file.

       zonelist import [--remove-missing-zones] [--file <absolute path>]
              Import zones from zonelist.xml into the enforcer database.

KEY MANAGEMENT SUBCOMMANDS

       key list [--verbose] [--debug] [--full] [--parsable] [--zone <zone>] [--keystate <state>]
       [--all]
              List information about keys in  all  zones,  or  in  a  particular  zone  from  the
              database.

       key export (--zone <zone> | --all) [--keystate <state>] [--keytype <type>] [--ds]
              Export DNSKEY(s) for a given zone/all from the database.

       key  import  --cka_id  <CKA_ID>  --repository  <repository>  --zone  <zone>  --bits <size>
       --algorithm <algorithm> --keystate <state> --keytype <type> --inception_time <time>
              Add a key which was created outside  of  the  OpenDNSSEC  code  into  the  enforcer
              database.

       key ds-submit --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-submit to the enforcer for a KSK.

       key ds-seen --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-seen to the enforcer for a KSK.

       key ds-seen --all
              Issue a ds-seen for all KSKs that are ready for it. A ds-seen tells OpenDNSSEC  that
              a  submitted DS record has appeared in the parent zone, and thereby triggers the
              completion of the KSK rollover. Only issue it after verifying that the parent really
              serves the new DS.

       key ds-retract --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-retract to the enforcer for a KSK.

       key ds-gone --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
              Issue a ds-gone to the enforcer for a KSK.

       key generate --duration <duration> (--policy <policy> | --all)
              Pre-generate  keys  for all or a given policy, the duration to pre-generate for can
              be specified or otherwise its taken from the conf.xml.

       key purge (--policy <policy> | --zone <zone> | --delete)
              This command will remove keys from the database and HSM  that  are  dead.   If  the
              --delete  (or  -d)  flag is given, the keys are also purged from the HSM.  Keys are
              always purged from the HSM if the <Purge>

       key rollover (--zone <zone> | --policy <policy>) [--keytype <keytype> | --all]
              Start a key rollover of the desired type *now*, or of all types. The process is  the
              same  as  for the scheduled automated rollovers, but it does not wait for the key's
              lifetime to expire before rolling. The next rollover is due after  the  newest  key
              has aged past its lifetime.

       rollover list [--zone <zone>]
              List the expected dates and times of upcoming rollovers. This can be used to get an
              idea of upcoming work.
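       The ds-submit / ds-seen hand-off above is where a KSK rollover most often goes wrong: issuing
       ds-seen before the parent actually serves the new DS makes the enforcer continue the rollover
       as if the chain of trust already existed. The script below is an added example, not part of
       OpenDNSSEC or of this manual page. It normalises the DS records the enforcer expects (from
       'key export --ds') and the DS records the parent serves (from 'dig +short DS') to a common
       form, and only reports it safe to run ds-seen when every expected DS is present. The exact
       output layout of 'key export --ds' and 'dig' is assumed, and both sample outputs embedded
       below are constructed so the script runs without an enforcer.

```shell
#!/bin/sh
# Added example: verify that a KSK's DS is visible at the parent before
# telling ods-enforcer "key ds-seen". Not OpenDNSSEC code.

# Normalise DS records to "keytag alg digesttype digest" (digest lowercased,
# whitespace inside the digest removed). Accepts zone-file form
# ("owner TTL IN DS ...", as assumed for `ods-enforcer key export --ds`)
# and the bare form printed by `dig +short DS <zone>`. ';' comments are dropped.
normalize_ds() {
    sed -e '/^;/d' -e 's/;.*$//' |
    awk '{
        n = 1
        for (i = 1; i <= NF; i++) if ($i == "DS") { n = i + 1; break }
        if (NF - n + 1 < 4) next
        printf "%s %s %s ", $n, $(n+1), $(n+2)
        for (i = n + 3; i <= NF; i++) printf "%s", tolower($i)
        printf "\n"
    }'
}

# ds_published EXPECTED PARENT
# Returns 0 only if EXPECTED is non-empty and every line of it (a normalised
# DS) is present as a whole line in PARENT.
ds_published() {
    expected=$1
    parent=$2
    [ -n "$expected" ] || return 1
    printf '%s\n' "$expected" | while IFS= read -r ds; do
        printf '%s\n' "$parent" | grep -Fxq -- "$ds" || exit 1
    done
}

# Constructed sample of what `ods-enforcer key export --zone example.com \
#   --keytype KSK --keystate ready --ds` is assumed to print.
SAMPLE_ENFORCER_DS=';ready KSK DS record (SHA256):
example.com.	3600	IN	DS	12345 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766'

# Constructed sample of `dig +short DS example.com` at the parent. dig may
# break the digest into several hex groups; normalisation rejoins them.
SAMPLE_PARENT_DS='12345 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC 5459588F4A9184CFC41A5766
54321 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# check_zone ZONE: use the real tools when both are installed, otherwise the
# constructed samples. Prints the ds-seen command to run; never runs it.
check_zone() {
    zone=$1
    if command -v ods-enforcer >/dev/null 2>&1 && command -v dig >/dev/null 2>&1; then
        expected=$(ods-enforcer key export --zone "$zone" --keytype KSK --keystate ready --ds | normalize_ds)
        parent=$(dig +short DS "$zone" | normalize_ds)
    else
        expected=$(printf '%s\n' "$SAMPLE_ENFORCER_DS" | normalize_ds)
        parent=$(printf '%s\n' "$SAMPLE_PARENT_DS" | normalize_ds)
    fi
    if ds_published "$expected" "$parent"; then
        echo "DS for $zone is served by the parent; safe to run:"
        echo "  ods-enforcer key ds-seen --zone $zone --keytag ${expected%% *}"
        return 0
    fi
    echo "DS for $zone not (fully) published at the parent yet; do not issue ds-seen" >&2
    return 1
}

check_zone "${1:-example.com}"
```

       Run it as 'sh check-ds.sh example.com' from the host that runs the enforcer. Querying the
       parent with 'dig +short' asks the local resolver; for an authoritative answer point dig at
       one of the parent's name servers with '@', and check more than one of them, since a
       partially propagated DS is exactly the case a premature ds-seen gets wrong.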

REPOSITORY AND BACKUP SUBCOMMANDS

       backup list --repository <repository>
              Enumerate backup status of keys.

       backup prepare --repository <repository>
              Flag the keys found in all configured HSMs as to be backed up.

       backup commit --repository <repository>
              Mark flagged keys found in all configured HSMs as backed up.

       backup rollback --repository <repository>
              Cancel a preceding 'backup prepare', clearing the to-be-backed-up flag on the  keys
              it marked.

       repository list
              List repositories.

FILES

       /etc/opendnssec/conf.xml
              The main configuration file for OpenDNSSEC.

       /etc/opendnssec/zonelist.xml
              The list of zones as defined in  conf.xml.  This  list  is  used  during  'zonelist
              import'.

       /etc/opendnssec/kasp.xml
              The  configuration  of  policies  that  define  timing  and security, as defined in
              conf.xml.

       /var/lib/opendnssec/unsigned/
              The location that is usually configured in conf.xml which contains unsigned zones.

       /var/lib/opendnssec/signed/
              The location that is usually configured in conf.xml which contains signed zones.

DIAGNOSTICS

       ods-enforcer will log all problems via stderr.

SEE ALSO

       ods-control(8),    ods-enforcerd(8),    ods-signerd(8),    ods-signer(8),     ods-kasp(5),
       ods-kaspcheck(1),    ods-timing(5),    ods-hsmspeed(1),   ods-hsmutil(1),   opendnssec(7),
       http://www.opendnssec.org/

AUTHORS

       ods-enforcer was written by NLnet Labs as part of the OpenDNSSEC project.