ods-enforcer(8)		    OpenDNSSEC ods-enforcer	       ods-enforcer(8)

NAME
       ods-enforcer - OpenDNSSEC enforcer Engine client

SYNOPSIS
       ods-enforcer help | start | stop	| reload | running
       ods-enforcer queue | flush | signconf | enforce | verbosity <number>
       ods-enforcer update conf	| repositorylist | all
       ods-enforcer policy list	| export | import | purge | resalt
       ods-enforcer zone list |	add | delete
       ods-enforcer zonelist export | import
       ods-enforcer key list | export | import | ds-submit | ds-seen | ds-retract
       | ds-gone | generate | purge | rollover
       ods-enforcer backup list	| prepare | commit | rollback
       ods-enforcer rollover list
       ods-enforcer repository list
       ods-enforcer help [COMMAND]

DESCRIPTION
       ods-enforcer is part of the OpenDNSSEC software.	With  this  tool,  you
       can  send commands to the enforcer engine daemon.  ods-enforcer manages
       the operation of	the KASP Enforcer, which is  the  part	of  OpenDNSSEC
       that triggers key generation and	signing	operations on domains based on
       policies	with user-defined timing and security requirements. Among  the
       functions  of  ods-enforcer are key management, import to the zone list
       and manually rolling keys to recover from exceptional  situations  like
       key loss. The following sections	discuss	the subcommands.

       For  more  information,	go  to http://www.opendnssec.org and visit the
       Documentation page.

GENERIC	OPTIONS
       help   Show a brief list	of commands.

       start  Start the	engine and the process.

       stop   Stop the engine and terminate the	process.

       reload Reload the engine.

       running
	      Return acknowledgment that the engine is running.

       verbosity
	      Set verbosity to the given number.

SCHEDULING OPTIONS
       queue  Show all scheduled tasks with the time of their earliest
              execution, as well as all tasks currently being processed.

       flush  Execute all scheduled tasks immediately.

       enforce
	      Force the	enforcer to run	once for every zone.

SIGNCONF AND UPDATE SUBCOMMANDS
       signconf
	      Force write of signer configuration files	for all	zones.

       update conf
	      Update the configuration from conf.xml and reload	the enforcer.

       update repository list
	      List repositories.

       update all
	      Perform  policy  import,	zonelist import, and update repository
	      list.

POLICY ADMINISTRATION SUBCOMMANDS
       policy list
	      List all policies	in the database.

       policy export (--policy <policy>	| --all)
	      Export a specified policy	or all of them from the	database.

       policy import
	      Import policies from kasp.xml into the enforcer database.

       policy purge
              Remove any policies from the database which have no associated
              zones. Use with caution.

       policy resalt
	      Generate new NSEC3 salts for policies that have salts older than
	      the resalt duration.

ZONE MANAGEMENT	SUBCOMMANDS
       zone list
	      List all zones currently in the database.

       zone add	--zone <zone> [--policy	<policy>] [--signerconf	<path>]	[--in-
       type  <type>]  [--input	<path>]	 [--out-type <type>] [--output <path>]
       [--xml] [--suspend]
	      Add a new	zone to	the enforcer database.

       zone delete (--zone <zone> | --all [--xml])
              Delete a zone, or all zones, from the enforcer database.

       zonelist	export
	      Export list of zones from	the database to	the zonelist.xml file.

       zonelist	import [--remove-missing-zones]	[--file	<absolute path>]
	      Import zones from	zonelist.xml into the enforcer database.

KEY MANAGEMENT SUBCOMMANDS
       key  list  [--verbose]  [--debug]  [--parsable]	[--zone]  [--keystate]
       [--all]
	      List  information	 about	keys  in all zones, or in a particular
	      zone from	the database.

       key export (--zone <zone>  |  --all)  [--keystate  <state>]  [--keytype
       <type>] [--ds]
	      Export DNSKEY(s) for a given zone/all from the database.

       key  import  --cka_id  <CKA_ID> --repository <repository> --zone	<zone>
       --bits <size>  --algorithm  <algorithm>	--keystate  <state>  --keytype
       <type> --inception_time <time>
              Add a key that was created outside of OpenDNSSEC into the
              enforcer database.

       key ds-submit --zone <zone> (--keytag <keytag> |	--cka_id <CKA_ID>)
	      Issue a ds-submit	to the enforcer	for a KSK.

       key ds-seen --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
	      Issue a ds-seen to the enforcer for a KSK.

       key ds-seen --all
              Issue a ds-seen for all KSKs that are ready for it. This command
              indicates to OpenDNSSEC that a submitted DS record has appeared
              in the parent zone, and thereby triggers the completion of a KSK
              rollover.

       key ds-retract --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
	      Issue a ds-retract to the	enforcer for a KSK.

       key ds-gone --zone <zone> (--keytag <keytag> | --cka_id <CKA_ID>)
	      Issue a ds-gone to the enforcer for a KSK.
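       As an added example (not part of the OpenDNSSEC manual or code), the
       following POSIX shell helper checks that the DS record for a KSK's
       keytag is actually visible in the parent zone before issuing 'key
       ds-seen', so the enforcer is not told the DS is published before it
       is. It assumes dig(1) is installed, that the daemon is reachable as
       ods-enforcer, and uses a constructed sample DS RRset for a dry run.

```shell
#!/bin/sh
# Added example: gate 'ods-enforcer key ds-seen' on the DS record really being
# present in the parent's DS RRset. Assumes dig(1) is installed.

# ds_in_parent ZONE KEYTAG RRSET_TEXT
# Succeeds when RRSET_TEXT (DS records in presentation format, one per line:
# "owner ttl IN DS keytag alg digesttype digest") holds a DS for ZONE whose
# keytag equals KEYTAG. Owner comparison ignores case and a trailing dot.
ds_in_parent() {
    printf '%s\n' "$3" | awk -v zone="$1" -v keytag="$2" '
        BEGIN { want = tolower(zone); sub(/\.$/, "", want) }
        $3 == "IN" && $4 == "DS" && $5 == keytag {
            owner = tolower($1); sub(/\.$/, "", owner)
            if (owner == want) found = 1
        }
        END { exit found ? 0 : 1 }'
}

# fetch_parent_ds ZONE: ask the resolver for the DS RRset the parent serves.
fetch_parent_ds() {
    dig +noall +answer "$1" DS
}

# confirm_ds_seen ZONE KEYTAG
# Issue ds-seen only when the DS with KEYTAG is visible; otherwise report and
# leave the rollover waiting so the old KSK is not retired too early.
confirm_ds_seen() {
    rrset=$(fetch_parent_ds "$1")
    if ds_in_parent "$1" "$2" "$rrset"; then
        ods-enforcer key ds-seen --zone "$1" --keytag "$2"
    else
        echo "DS keytag $2 for $1 not yet visible in parent; ds-seen not issued" >&2
        return 1
    fi
}

# Constructed sample of what 'dig +noall +answer example.com DS' could print
# (digests are placeholders, not real values).
SAMPLE_DS_RRSET='example.com.  3600  IN  DS  12345 8 2 00000000000000000000000000000000
example.com.  3600  IN  DS  54321 13 2 11111111111111111111111111111111'

# Run the live check only when a zone and keytag are given on the command
# line; with no arguments the functions are merely defined.
if [ $# -eq 2 ]; then
    confirm_ds_seen "$1" "$2"
fi
```

       Typical use during a KSK rollover is 'sh ds-seen-check.sh example.com
       12345' after 'key ds-submit' has been issued and the DS has been
       handed to the parent operator.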

       key generate --duration <duration> (--policy <policy> | --all)
              Pre-generate keys for all policies or for a given policy. The
              duration to pre-generate for can be specified; otherwise it is
              taken from conf.xml.

       key purge (--policy <policy> | --zone <zone>)
              Remove keys that are dead from the database and the HSM.

       key rollover (--zone <zone> | --policy <policy>)	[--keytype <keytype> |
       --all]
              Start a key rollover of the desired type *now*, or of all types.
              The process is the same as for the scheduled automated rollovers,
              but it does not wait for the key's lifetime to expire before
              rolling. The next rollover is due after the newest key has
              passed its lifetime.

       rollover	list [--zone <zone>]
              List the expected dates and times of upcoming rollovers. This
              can be used to get an idea of upcoming work.

REPOSITORY AND BACKUP SUBCOMMANDS
       backup list --repository	<repository>
	      Enumerate	backup status of keys.

       backup prepare --repository <repository>
	      Flag the keys found in all configured HSMs as to be backed up.

       backup commit --repository <repository>
	      Mark flagged keys	found in all configured	HSMs as	backed up.

       backup rollback --repository <repository>

       repository list
	      List repositories.

FILES
       /etc/opendnssec/conf.xml
	      The main configuration file for OpenDNSSEC.

       /etc/opendnssec/zonelist.xml
	      The list of zones	as defined in conf.xml.	This list is used dur-
	      ing 'zonelist import'.

       /etc/opendnssec/kasp.xml
	      The  configuration  of policies that define timing and security,
	      as defined in conf.xml.

       /var/opendnssec/unsigned/
	      The location that	is usually configured in conf.xml  which  con-
	      tains unsigned zones.

       /var/opendnssec/signed/
	      The  location  that is usually configured	in conf.xml which con-
	      tains signed zones.

DIAGNOSTICS
       ods-enforcer will log all problems via stderr.

SEE ALSO
       ods-control(8),	 ods-enforcerd(8),   ods-signerd(8),	ods-signer(8),
       ods-kasp(5),    ods-kaspcheck(1),    ods-timing(5),    ods-hsmspeed(1),
       ods-hsmutil(1), opendnssec(7), http://www.opendnssec.org/

AUTHORS
       ods-enforcer was	written	by  NLnet  Labs	 as  part  of  the  OpenDNSSEC
       project.

OpenDNSSEC			  April	2016		       ods-enforcer(8)
