OpenDNSSEC Cheat Sheet

Setup Commands

Install SoftHSM and OpenDNSSEC, then do the following to get started:

softhsm2-util --init-token --slot 0 --label OpenDNSSEC --pin 1234 --so-pin 1234

Initialize the database. Be careful: if you answer "Yes" here, you reset all your signatures and keys. Do not run this on a system that is already set up and in use.

ods-enforcer-db-setup

Start or stop OpenDNSSEC manually without Systemd

ods-control start
ods-control stop

Using Systemd

rm /etc/opendnssec/prevent-startup
systemctl start opendnssec-enforcer.service
systemctl start opendnssec-signer.service

Finalize setup

ods-enforcer policy import

Testing a KSK rollover

To list the planned key rollovers, use:

ods-enforcer rollover list

List keys in the old format, which does not reflect the states of the new 2.0 state machines but tries to replicate the old states:

ods-enforcer key list -v

However, the new, more informative states are the better guide:

ods-enforcer key list -d

Trigger a manual key rollover:

ods-enforcer key rollover --keytype KSK --zone example.net

As soon as the state of the key is

ods-enforcer key export --zone example.net --ds

Publish the DS record in the parent zone. As soon as you see the entry using dig, drill or similar, you can tell OpenDNSSEC that the key has been seen. Preferably take the tag from your dig query to ensure you mark the correct key as seen.

ods-enforcer key ds-seen --zone example.net --keytag <tag>
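The tag check described above, carried one step further as an added example (this is not OpenDNSSEC's own tooling): instead of trusting the tag alone, it compares the full DS RDATA exported by ods-enforcer with the DS set seen in the parent and only prints a ds-seen command for tags whose digest actually matches. The DS values below are constructed sample data, not real keys; in use, EXPORTED_DS would come from `ods-enforcer key export --zone example.net --ds` and OBSERVED_DS from `dig +short DS example.net @<parent-nameserver>`.

```shell
#!/bin/sh
# Added example, not part of OpenDNSSEC: confirm that the DS exported by
# ods-enforcer is the one visible in the parent zone before running ds-seen.
# All DS data below is constructed sample data, not a real key.

# Constructed sample of 'ods-enforcer key export --zone example.net --ds' output
EXPORTED_DS='example.net. 3600 IN DS 20326 13 2 E06D44B80B8F1D39A95C0B0D7C65D08458E880409BBC683457104237C7F8EC8D'

# Constructed sample of 'dig +short DS example.net @<parent-nameserver>' output:
# the new DS plus an older one that is still published in the parent
OBSERVED_DS='20326 13 2 e06d44b80b8f1d39a95c0b0d7c65d08458e880409bbc683457104237c7f8ec8d
31589 13 2 0000000000000000000000000000000000000000000000000000000000000000'

# Canonicalise DS RDATA ("tag alg digest-type digest") so that a difference in
# hex case between the two sources does not produce a false mismatch
normalize_ds() {
  awk 'NF >= 4 { printf "%s %s %s %s\n", $1, $2, $3, toupper($4) }'
}

# ds_tags_in_parent EXPORTED OBSERVED
# Print the key tag of every exported DS whose complete RDATA (tag, algorithm,
# digest type and digest) also appears in the parent's DS set. Matching on the
# tag alone is not enough: tags are 16-bit values and two keys can share one.
ds_tags_in_parent() {
  exported="$1"
  observed="$2"
  # exported lines are full RRs (owner ttl class DS rdata); keep only the RDATA
  printf '%s\n' "$exported" | awk '$4 == "DS" { print $5, $6, $7, $8 }' | normalize_ds |
  while read -r ds; do
    if printf '%s\n' "$observed" | normalize_ds | grep -qxF "$ds"; then
      echo "${ds%% *}"
    fi
  done
}

# ds_seen_commands ZONE EXPORTED OBSERVED
# Print the ds-seen command for each confirmed tag rather than running it, so
# the operator can review it before telling the enforcer the DS is visible.
ds_seen_commands() {
  zone="$1"
  ds_tags_in_parent "$2" "$3" | while read -r tag; do
    echo "ods-enforcer key ds-seen --zone $zone --keytag $tag"
  done
}

ds_seen_commands example.net "$EXPORTED_DS" "$OBSERVED_DS"
```

With the sample data only tag 20326 is printed: the digest of the exported DS matches the parent's copy, while the second parent DS (31589) belongs to a key the enforcer did not export. If the parent had published a DS with the right tag but a different digest, nothing would be printed and ds-seen would not be suggested.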

Testing your resolver

To ensure your resolver validates DNSSEC, use the following queries. This one should not return a result, because DNSSEC validation fails:

dig dnssec-failed.org @<resolver-to-test>

However, if you disable DNSSEC validation with +cd (checking disabled), you should get an A record:

dig dnssec-failed.org @<resolver-to-test> +cd
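The two queries above only prove validation when read together: SERVFAIL without +cd and an answer with +cd means the resolver validates, two answers means it does not, and two failures usually means the resolver is unreachable rather than validating. As an added example (not from the original cheat sheet), the script below classifies a resolver from the dig output of both queries. The dig output it contains is constructed sample text; in use, the two variables would be filled from `dig dnssec-failed.org @<resolver>` and `dig dnssec-failed.org @<resolver> +cd`.

```shell
#!/bin/sh
# Added example: classify a resolver from the dig output of the two test queries.
# The dig output below is constructed sample text, not a real capture.

# 'dig dnssec-failed.org @<resolver>' against a validating resolver
VALIDATING_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# the same query with +cd: validation is skipped, so an A record comes back
VALIDATING_CD=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2222
;; flags: qr rd ra cd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
dnssec-failed.org.  300  IN  A  192.0.2.1'

# a resolver that does not validate at all answers even without +cd
NONVALIDATING_PLAIN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3333
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
dnssec-failed.org.  300  IN  A  192.0.2.1'

# a resolver that cannot be reached produces no header at all
DOWN=';; connection timed out; no servers could be reached'

# dig_status OUTPUT: print the RCODE from the ";; ->>HEADER<<-" line,
# or nothing when the output has no header (timeout, refused connection)
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# classify_resolver PLAIN_OUTPUT CD_OUTPUT
# Decide from the pair of RCODEs what the resolver is doing. A SERVFAIL on the
# plain query only proves validation if the +cd query succeeds; otherwise the
# failure may simply be a broken or unreachable resolver.
classify_resolver() {
  plain=$(dig_status "$1")
  cd_out=$(dig_status "$2")
  case "$plain/$cd_out" in
    SERVFAIL/NOERROR) echo validating ;;
    NOERROR/NOERROR)  echo not-validating ;;
    *)                echo unreachable-or-broken ;;
  esac
}

classify_resolver "$VALIDATING_PLAIN" "$VALIDATING_CD"
classify_resolver "$NONVALIDATING_PLAIN" "$VALIDATING_CD"
classify_resolver "$DOWN" "$DOWN"
```

The third case is the one worth keeping in mind when testing a new resolver: a SERVFAIL on its own is not evidence of validation, so always run the +cd query as well.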