$Id: README 3150 2010-04-08 11:36:13Z jakob $

ods-ksmutil

This is a utility that allows several different actions to be performed (relatively) easily:

## global options

	--config <config>          aka -c

        Change the conf.xml file that is used, from the default.

## commands

	setup

        Import conf.xml, kasp.xml and zonelist.xml into a database 
        (deletes current contents, including any keys).

	update kasp
    update zonelist
    update conf
    update all

        Update database from config_dir (like above, but existing contents 
        are kept)

	zone add
		--zone <zone>                     aka -z
		[--policy <policy>]               aka -p
		[--signerconf <signerconf.xml>]   aka -s
		[--input <input>]                 aka -i
		[--output <output>]               aka -o

        Add a zone to both zonelist.xml and the database (both locations 
        read from conf.xml).
        Defaults are provided for all options but zone name.

	zone delete
		--zone <zone> | --all             aka -z / -a

        Delete a zone to both zonelist.xml and the database (both locations 
        read from conf.xml).

	zone list

        List zones from the zonelist.xml

	repository list

        List repositories from the database

	policy export
		--policy <policy> | --all         aka -p / -a

        Export a policy from the database in kasp.xml format.

	policy list

        List policies available.

	key list
		[--verbose]
		--zone <zone> | --all             aka -z / -a
(will appear soon:
		[--keystate <state>]              aka -e
		[--keytype <type>]                aka -t
		[--ds]                            aka -d    )

        List information about keys in zone. --verbose 

	key export
		--zone <zone> | --all             aka -z
		[--keystate <state>]              aka -e
		[--keytype <type>]                aka -t
		[--ds]                            aka -d

        Export key information in a suitable format for putting into a zonefile

	key import
		--cka_id <CKA_ID>                 aka -k
		--repository <repository>         aka -r
		--zone <zone>                     aka -z
		--bits <size>                     aka -b
		--algorithm <algorithm>           aka -g
		--keystate <state>                aka -e
		--keytype <type>                  aka -t
		--time <time>                     aka -w
		[--retire <retire>]               aka -y

        Add a key which was created outside of the OpenDNSSEC code into the database
		
	key rollover
		--zone zone [--keytype <type>]
	key rollover
		--policy policy [--keytype <type>]

        Rollover active keys on a zone or policy
        "keytype" specifies the type of key to roll (both are rolled if nothing is specified)
        After running, the enforcer will be woken up so that the signer can be sent the new information

        If the policy that the zone is on specifies that keys are shared then all zones on that policy will be rolled.
        A backup of the sqlite DB file is made (if appropriate).
	
	key purge --zone <zone>                   aka -z
	key purge --policy <policy>               aka -p

        Remove keys that are in the "Dead" state from the repository and from the enforcer DB

    key generate
        --policy <policy>                     aka -p
        --interval <interval>                 aka -n

        Create enough keys for the given policy to last for the period of time given by interval.

    key ksk-roll
        --zone <zone>                         aka -z
        --keytag <keytag>                     aka -x
		--cka_id <CKA_ID>                     aka -k

        Indicate that a submitted DS record has appeared in the parent zone. Specifiying a zone will speed up the search of keys by narrowing the field but is not mandatory; cka_id can be used to resolve a keytag clash.

	backup done --repository <repository>     aka -r
        
        Indicate that a backup of the given repository has been done, all non-backed up keys will now be marked as backed up.
        This is especially important if the repository used has the "RequireBackup" flag set.
        Include this call in a HSM backup process to avoid warnings or errors about using non-backed up keys.
        Keys generated between a backup being made and the backup done command being run will be erroneously marked as having been backed up. To avoid this, either choose a backup schedule that doesn't run while the enforcer might be generating keys, or shutdown the enforcer while a backup is performed.
	
	backup list --repository <repository>     aka -r

        List the backups that have been made on the given repository.

    database backup [--output <output>]       aka -o

        Make a copy of the enforcer database (if using sqlite). 
        It makes sure that the database is in a consistent state by taking a lock out first.
        If --output is omitted then the usual enforcer.db.backup is used.

	rollover list

        List the expected dates and times of upcoming rollovers.


key states: GENERATED|PUBLISHED|READY|ACTIVE|RETIRED|REVOKED|DEAD
key types:  KSK|ZSK

