NOTES on using OpenDNSSEC (ODS)
-------------------------------
($Id: ODS-NOTES,v 1.6 2016/07/24 10:07:23 wytze Exp $)

1. initial setup:

	ods-enforcer-db-setup

2. starting the two daemons, ods-signerd and ods-enforcerd:

	ods-control start

3. stopping the two daemons:

	ods-control stop

4. adding or removing zones:

	ods-enforcer zone add --zone example.com [--policy <policy> --signerconf <signerconf.xml> --input <input> --output <output>]

	ods-enforcer zone delete --zone example.com

5. backing up HSM keys:

	ods-control ksm stop
	# backup the HSM, i.e. save /var/softhsm to a safe location
	ods-enforcer backup done
	ods-control ksm start

6. extracting the public keys and their hashes:

	ods-enforcer key export --zone example.com
	ods-enforcer key export --zone example.com --ds

7. updating the unsigned zone (schedule immediate re-sign):

	ods-signer sign example.com

8. indicating that the DS record is published (either by parent or dlv.isc.org):

	ods-enforcer key ds-seen --zone cacert.net --keytag 6054
	ods-enforcer key ds-seen --zone cacert.com --keytag 31291
	ods-enforcer key ds-seen --zone cacert.org --keytag 59365

	the keytag will vary and can be learned from 6. above

9. generating new keys when the error message "Not enough keys to
   satisfy ksk policy for zone: ..." is seen:

	ods-enforcer key generate -p default --interval P1Y

10. key rollover for the KSK (once per year per current policy, in October):
	0. wait for message in the syslog: "DS Record set has changed, the current set looks like:"
	1. ods-enforcer key export --zone cacert.XXX --keystate publish -d
	2. publish new (publish) hashes at GKG.NET and delete the old ones
	3. check visibility (dig cacert.XXX ds)
	4. ods-enforcer key ds-seen --zone cacert.XXX --keytag YYYYY
	5. check zone correctness with http://dnssec-debugger.verisignlabs.com/
	see also: OpenDNSSEC Key Rollover Guide, W. Matthijs Mekking, October 16, 2015
	see also: https://wiki.opendnssec.org/display/DOCS/Key+Management
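	Added check for steps 3 and 4 above (and for 8.), not part of these notes or of OpenDNSSEC itself: it compares the DS set exported by ODS (6.) with what the parent actually serves, so ds-seen is only run for a keytag whose DS is visible with the same algorithm, digest type and digest. It assumes the export prints DS records as standard RR lines; both inputs are constructed samples.

```shell
#!/bin/sh
# Added example (not part of these notes or of OpenDNSSEC): before running
# "ods-enforcer key ds-seen", check that the DS records ODS exported
# (item 6) are served byte-for-byte by the parent ("dig ZONE DS +short").

# Constructed sample of "ods-enforcer key export --zone example.com --ds".
# Assumption: DS records appear as standard RR lines, comments start with ';'.
ODS_EXPORT=';publish KSK DS record (SHA256):
example.com. 3600 IN DS 6054 8 2 49FD46E6C4B45C55D4AC69CBD3CD34AC1AFE51DE0DBA5A4D1C2DF6F4E1C8D8E7
;active KSK DS record (SHA256):
example.com. 3600 IN DS 31291 8 2 A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90
;publish KSK DS record (SHA256):
example.com. 3600 IN DS 59365 8 2 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF'

# Constructed "dig example.com DS +short" answer: 31291 is right, 6054 was
# entered at the registrar with a wrong digest, 59365 is not published yet.
PARENT_DS='31291 8 2 a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90
6054 8 2 FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF'

# Normalise either form to "keytag alg dtype DIGEST" (digest upper-cased,
# whitespace inside the digest dropped) so the two sources compare textually.
norm_ds() {
    awk '/^;/ || NF == 0 { next }
         $4 == "DS" { s = 5 }
         $4 != "DS" { s = 1 }
         { d = ""; for (i = s + 3; i <= NF; i++) d = d $i
           print $s, $(s + 1), $(s + 2), toupper(d) }' | sort -u
}

# Per exported keytag: ready (a DS line is served exactly), mismatch (keytag
# present at the parent but no digest matches), missing (not at the parent).
ds_status() {
    { printf '%s\n' "$1" | norm_ds | sed 's/^/ods /'
      printf '%s\n' "$2" | norm_ds | sed 's/^/parent /'; } |
    awk '$1 == "ods"    { tag[$2] = 1; ods[$2 " " $3 " " $4 " " $5] = 1 }
         $1 == "parent" { ptag[$2] = 1; prec[$2 " " $3 " " $4 " " $5] = 1 }
         END { for (t in tag) {
                   st = (t in ptag) ? "mismatch" : "missing"
                   for (r in ods) if (index(r, t " ") == 1 && (r in prec)) st = "ready"
                   print t, st } }' | sort
}

# Only keytags whose DS is really visible may be marked ds-seen (item 8).
ds_status "$ODS_EXPORT" "$PARENT_DS" | while read -r tag st; do
    case $st in
        ready) echo "ods-enforcer key ds-seen --zone example.com --keytag $tag" ;;
        *)     echo "# keytag $tag: DS $st at parent, fix at the registrar first" ;;
    esac
done
```

	On the real zone, replace the two constructed variables with the captured output of the two commands named in the comments.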

11. updating the KASP policy:

	co -l /etc/opendnssec/kasp.xml
	vi /etc/opendnssec/kasp.xml
	ci -u /etc/opendnssec/kasp.xml
	ods-enforcer update kasp

All logging goes through syslog to /var/log/messages.
Warnings will be visible in /var/log/warn.