Install SoftHSM and OpenDNSSEC, then do the following to get started:
softhsm2-util --init-token --slot 0 --label OpenDNSSEC --pin 1234 --so-pin 1234
Initialize database. Be careful, if you say "Yes" here, you reset all your signatures and keys. Do not run this on a system that is already set up and in use.
ods-enforcer-db-setup
Start or stop OpenDNSSEC manually without Systemd
ods-control start ods-control stop
Using Systemd
rm /etc/opendnssec/prevent-startup systemctl start opendnssec-enforcer.service systemctl start opendnssec-signer.service
Finalize setup
ods-enforcer policy import
To list the planned key rollovers use
ods-enforcer rollover list
List keys in the old format which does not reflect the states of the new 2.0 statemachines but tries to replicate old states
ods-enforcer key list -v
However, better have a look at the new, more informative states
ods-enforcer key list -d
Triggger a manual key rollover
ods-enforcer key rollover --keytype KSK --zone example.net
As soon as the state of the key is
ods-enforcer key export --zone example.net --ds
Publish the DS record in the parent zone and as soon as you see the entry using dig, drill or similar you can tell openDNSSEC that the key has been seen. Preferably take the tag from your dig query to ensure you mark the correct key as seen.
ods-endforcer key ds-seen --zone example.net --keytag <tag>
To ensure your resolver validates DNSSEC use the following queries. This should not return a result because DNSSEC validation fails:
dig dnssec-failed.org @<resolver-to-test>
However, if you disable DNSSEC validation you should get an A record.
dig dnssec-failed.org @<resolver-to-test> +cd