NOTES on using OpenDNSSEC (ODS)
-------------------------------
($Id: ODS-NOTES,v 1.6 2016/07/24 10:07:23 wytze Exp $)

1. initial setup:
   ods-enforcer-db-setup

2. starting the two daemons, ods-signerd and ods-enforcerd:
   ods-control start

3. stopping the two daemons:
   ods-control stop

4. adding or removing zones:
   ods-enforcer zone add --zone example.com [--policy --signerconf --input --output ]
   ods-enforcer zone delete --zone example.com

5. backing up HSM keys:
   ods-control ksm stop
   # backup the HSM, i.e. save /var/softhsm to a safe location
   ods-enforcer backup done
   ods-control ksm start

6. extracting the public keys and their hashes:
   ods-enforcer key export --zone example.com
   ods-enforcer key export --zone example.com --ds

7. updating the unsigned zone (schedule immediate re-sign):
   ods-signer sign example.com

8. indicating that the DS record is published (either by the parent or by dlv.isc.org):
   ods-enforcer key ds-seen --zone cacert.net --keytag 6054
   ods-enforcer key ds-seen --zone cacert.com --keytag 31291
   ods-enforcer key ds-seen --zone cacert.org --keytag 59365
   the keytag will vary and can be learned from 6. above

9. generating new keys when the error message "Not enough keys to satisfy ksk policy for zone: ..." is seen:
   ods-enforcer key generate -p default --interval P1Y

10. key rollover for the KSK (once per year per current policy, in October):
    0. wait for the message in the syslog: "DS Record set has changed, the current set looks like:"
    1. ods-enforcer key export --zone cacert.XXX --keystate publish -d
    2. publish the new (publish) hashes at GKG.NET and delete the old ones
    3. check visibility (dig cacert.XXX ds)
    4. ods-enforcer key ds-seen --zone cacert.XXX --keytag YYYYY
    5. check zone correctness with http://dnssec-debugger.verisignlabs.com/
    see also: OpenDNSSEC Key Rollover Guide, W. Matthijs Mekking, October 16, 2015
    see also: https://wiki.opendnssec.org/display/DOCS/Key+Management

11. updating the KASP policy:
    co -l /etc/opendnssec/kasp.xml
    vi /etc/opendnssec/kasp.xml
    ci -u /etc/opendnssec/kasp.xml
    ods-enforcer update kasp

All logging goes through syslog in /var/log/messages
Warnings will be visible in /var/log/warn
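Steps 3 and 4 of the KSK rollover in 10. above are where a rollover goes wrong if "ds-seen" is run before the parent really serves the new DS set. The script below is an added example (not part of these notes and not OpenDNSSEC code) that compares the DS records from "ods-enforcer key export --ds" with what "dig" returns for the zone and prints only the key tags that are safe to pass to "ds-seen"; the input format (zone-file DS lines) and the sample digests are assumed and constructed.

```shell
#!/bin/sh
# Added example (not from the ODS notes or from OpenDNSSEC): before running
# "ods-enforcer key ds-seen", confirm that every DS record the enforcer
# exported for a key tag is visible at the parent. Inputs are assumed to be
# plain zone-file DS lines, e.g. from
#   ods-enforcer key export --zone cacert.org --ds   > export.ds
#   dig cacert.org DS +noall +answer                 > parent.ds
export LC_ALL=C
# ds_set: read DS lines on stdin, print "keytag alg digesttype digest" with
# the digest lowercased and re-joined (dig splits long digests with a space),
# comment (";...") and blank lines dropped, sorted for comm(1).
ds_set() {
    awk '
        /^[[:space:]]*;/ || /^[[:space:]]*$/ { next }
        { for (i = 1; i <= NF; i++) if ($i == "DS") {
              d = ""; for (j = i + 4; j <= NF; j++) d = d $j
              print $(i+1), $(i+2), $(i+3), tolower(d); break } }' | sort -u
}
# ds_ready_keytags EXPORT_FILE PARENT_FILE: print the key tags whose DS
# records are all visible at the parent. A tag with any record still missing
# is withheld: marking it ds-seen would let the enforcer retire the old KSK
# before validating resolvers can reach the new chain of trust.
ds_ready_keytags() {
    exp=$(mktemp); par=$(mktemp); all=$(mktemp); bad=$(mktemp)
    ds_set < "$1" > "$exp"
    ds_set < "$2" > "$par"
    awk '{ print $1 }' "$exp" | sort -u > "$all"
    comm -23 "$exp" "$par" | awk '{ print $1 }' | sort -u > "$bad"
    comm -23 "$all" "$bad"
    rm -f "$exp" "$par" "$all" "$bad"
}

# Constructed sample data; the digests are made up, not real DS records.
cat > /tmp/ods-export.ds <<'EOF'
;publish
cacert.org. 3600 IN DS 59365 8 1 aaaa1111aaaa1111aaaa1111aaaa1111aaaa1111
;publish
cacert.org. 3600 IN DS 59365 8 2 bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222bbbb2222
;publish
cacert.org. 3600 IN DS 6054 8 2 cccc3333cccc3333cccc3333cccc3333cccc3333cccc3333cccc3333cccc3333
EOF
cat > /tmp/ods-parent.ds <<'EOF'
cacert.org. 3600 IN DS 59365 8 1 AAAA1111AAAA1111AAAA1111AAAA1111AAAA1111
cacert.org. 3600 IN DS 59365 8 2 BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222BBBB2222 BBBB2222
EOF
# 59365 is fully visible; 6054 still lacks its DS at the parent, so only
# 59365 is safe to pass to "ods-enforcer key ds-seen --zone cacert.org".
ds_ready_keytags /tmp/ods-export.ds /tmp/ods-parent.ds   # prints: 59365
```

Run it on the signer host after step 3 with the real export and dig output; an empty result means the parent has not yet caught up and step 4 should wait.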