$Id$ The Key & Signing Policy Enforcer is part of the OpenDNSSEC project. For more information, visit http://www.opendnssec.org CONTENTS: INTRODUCTION DEPENDENCIES INSTALLATION INTERACTION FROM THE COMMAND LINE RUNNING THE ENGINE RUNNING WITHOUT THE KASP DEBUGGING ------------------------------------------------------------------- INTRODUCTION ------------------------------------------------------------------- T.B.S. ------------------------------------------------------------------- DEPENDENCIES ------------------------------------------------------------------- The enforcer depends on the ldns library http://www.NLnetLabs.nl/projects/ldns and can only be used in conjuction with a PKCS#11 library (a software version of which, softHSM, is supplied with the OpenDNSSEC). Additionally the enforcer depends on Google's Protocol Buffer library version 2.2 or higher. ------------------------------------------------------------------- INSTALLATION ------------------------------------------------------------------- T.B.S. To build and install the enforcer, the following steps are needed: From the base directory /enforcer-ng autoreconf --install ./configure make make install This will build the C-based tools, and set up the tools and engine to use the options provided with configure: --with-ldns= The base directory (prefix) of your ldns installation, if it isn't in your standard path. --prefix= Installation directory. All files will be installed relative to this path, and default search paths will be relative to the prefix. Defaults to /usr/local The enforcer will be installed in /sbin ------------------------------------------------------------------- INTERACTION FROM THE COMMAND LINE ------------------------------------------------------------------- If the enforcer is running (see the next section on how to run one manually), you can interact with it using the tool ods-enforcer. If you give no arguments, it will connect to the enforcer and go to interactive mode. Only the start command cannot be called in interactive mode. The command 'help' shows a list of possible commands: $ ods-enforcer cmd> help Commands: T.B.S. queue show the current task queue. flush execute all scheduled tasks immediately. start start the engine. reload reload the engine. stop stop the engine. verbosity set verbosity. cmd> quit You can also use these commands directly from your shell, by giving them as arguments to ods-signer. If you do this, the client will execute the command and quit. ------------------------------------------------------------------- RUNNING THE ENGINE ------------------------------------------------------------------- You can run the engine by calling /sbin/ods-signer start If everything is ok, you should see the following output: $ ./ods-signer start OpenDNSSEC signer engine version 1.2.0 $ The engine has daemonized itself and should be running. You can check that it does by using ods-signer as specified in the section INTERACTION FROM THE COMMAND LINE. ------------------------------------------------------------------- RUNNING WITHOUT THE KASP ------------------------------------------------------------------- If you want to test the engine on its own, or run it without using the KASP module, you will need to perform the following steps. Of course it has to be installed using the steps from section INSTALLATION. HSM --- You will need to set up an HSM module. If you use SoftHSM, you will need to make sure that a token is initialized, and that the correct softhsm.conf file is set in the environment variable $SOFTHSM_CONF. Some keys should be present in the token. If not, you can generate them with the hsm-toolkit from OpenDNSSEC. conf.xml -------- You will need to either create or update the /etc/opendnssec/conf.xml file to your settings; the element should contain the name of the token you have initialized in your HSM, the complete path of the module library (e.g. /lib/libsofthsm.so). Optionally you can use a PIN value here too. If you do not specify it, the engine will prompt for it. If you run a nameserver, you will need to create a little script that tells that server to reload its zones, and point to that script with the element below . The rest of the values can be left to their defaults. The elements and their exact meanings are described here: http://www.opendnssec.se/browser/trunk/conf/opendnssec/conf.rnc zonelist.xml ------------ You can tell the enforecer what zones to enforce with /etc/zonelist.xml An example zone list file can be found at http://www.opendnssec.se/browser/trunk/conf/opendnssec/zonelist.xml The elements and their exact meanings are described here: http://www.opendnssec.se/browser/trunk/conf/opendnssec/zonelist.rnc This file will specify the specific zone configuration, and its in- and output-files. zone configuration ------------------ T.B.S. At the location pointed to in your zonelist.xml, you should create a signer configuration xml file. An example can be found at: http://www.opendnssec.se/browser/trunk/conf/opendnssec/signconf.xml The elements and their exact meanings are described here: http://www.opendnssec.se/browser/trunk/conf/opendnssec/signconf.rnc Diagnostics ----------- T.B.S. ------------------------------------------------------------------- DEBUGGING ------------------------------------------------------------------- Warning: DO NOT TRY THIS EXCEPT FOR DEBUGGING PURPOSES If the eforcer is build with the '--enable-timeshift' option, one can override the system clock using the ENFORCER_TIMESHIFT environment variable. ENFORCER_TIMESHIFT should be set to the timestamp (in YYYYMMDDHHMMSS format). When running with timeshift, the program will run once only and exit.