# OpenDNSSEC Cheat Sheet

## Setup Commands

Install SoftHSM and OpenDNSSEC, then do the following to get started:

```bash
softhsm2-util --init-token --slot 0 --label OpenDNSSEC --pin 1234 --so-pin 1234
```

Initialize the database. Be careful: if you answer "Yes" here, you reset all your signatures and keys. Do not run this on a system that is already set up and in use.

```bash
ods-enforcer-db-setup
```

Start or stop OpenDNSSEC manually, without systemd:

```bash
ods-control start
ods-control stop
```

Using systemd:

```bash
rm /etc/opendnssec/prevent-startup
systemctl start opendnssec-enforcer.service
systemctl start opendnssec-signer.service
```

Finalize the setup:

```bash
ods-enforcer policy import
```

## Testing a KSK rollover

To list the planned key rollovers use

```bash
ods-enforcer rollover list
```

List keys in the old format, which does not reflect the states of the new 2.0 state machines but tries to replicate the old states:

```bash
ods-enforcer key list -v
```

However, it is better to look at the new, more informative states:

```bash
ods-enforcer key list -d
```

Trigger a manual key rollover:

```bash
ods-enforcer key rollover --keytype KSK --zone example.net
```

As soon as the state of the key is

```bash
ods-enforcer key export --zone example.net --ds
```

Publish the DS record in the parent zone. As soon as you see the entry using dig, drill or similar, you can tell OpenDNSSEC that the key has been seen. Preferably take the key tag from your dig query to ensure you mark the correct key as seen.

```bash
ods-enforcer key ds-seen --zone example.net --keytag
```

## Testing your resolver

To ensure your resolver validates DNSSEC, use the following queries. This should not return a result, because DNSSEC validation fails:

```bash
dig dnssec-failed.org @
```

However, if you disable DNSSEC validation (`+cd` asks the resolver to skip validation), you should get an A record.

```bash
dig dnssec-failed.org @ +cd
```
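The `ds-seen` step in the KSK rollover section above is the one that is easy to get wrong: marking a key tag the parent does not actually serve. The following script is an added example, not part of the original cheat sheet or of OpenDNSSEC itself. It assumes that `ods-enforcer key export --ds` prints DS records in presentation form (optionally behind a `;` comment), that `dig +short DS` prints `<keytag> <alg> <digesttype> <digest>` with the digest possibly split into space-separated groups, and that the resolver address you pass on the command line is your own choice.

```bash
#!/bin/sh
# Added example, not from the original cheat sheet: compare the key tags that
# OpenDNSSEC wants published (`ods-enforcer key export --zone ZONE --ds`) with
# the DS RRset the parent actually serves (`dig +short DS ZONE @RESOLVER`),
# so that `key ds-seen` is only run for a key tag the parent really carries.

# Read DS records on stdin and print one key tag per line, sorted and unique.
# Accepts both the full presentation form (assumed export format)
#   [;comment] owner TTL IN DS <keytag> <alg> <digesttype> <digest>
# and the `dig +short` form, where the digest may be split into groups
#   <keytag> <alg> <digesttype> <digest...>
ds_keytags() {
    awk '
        {
            for (i = 1; i <= NF; i++)
                if ($i == "DS" && i + 3 <= NF) { print $(i + 1); next }
            if (NF >= 4 && $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/) print $1
        }' | sort -u
}

# Arguments: $1 = exported DS records, $2 = DS records seen in the parent.
# Prints the key tags present in both, i.e. those safe to mark as seen.
seen_keytags() {
    exported_tags=$(mktemp)
    parent_tags=$(mktemp)
    printf '%s\n' "$1" | ds_keytags > "$exported_tags"
    printf '%s\n' "$2" | ds_keytags > "$parent_tags"
    comm -12 "$exported_tags" "$parent_tags"
    rm -f "$exported_tags" "$parent_tags"
}

# Live use (needs ods-enforcer and dig; only runs when two arguments are given):
#   sh ds_check.sh example.net <resolver-address>
if [ $# -eq 2 ]; then
    zone=$1
    resolver=$2
    seen_keytags "$(ods-enforcer key export --zone "$zone" --ds)" \
                 "$(dig +short DS "$zone" "@$resolver")" |
    while read -r tag; do
        echo "DS for key tag $tag is visible in the parent; mark it seen with:"
        echo "  ods-enforcer key ds-seen --zone $zone --keytag $tag"
    done
fi
```

The script only prints the `ds-seen` command for tags that appear on both sides, so a key that is exported but not yet visible at the parent (or visible at the parent but unknown to the enforcer) is never marked.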