The Key & Signing Policy Enforcer is part of the OpenDNSSEC project.
For more information, visit http://www.opendnssec.org

CONTENTS:
    INTRODUCTION
    DEPENDENCIES
    INSTALLATION
    INTERACTION FROM THE COMMAND LINE
    RUNNING THE ENGINE
    RUNNING WITHOUT THE KASP
    DEBUGGING

-------------------------------------------------------------------
INTRODUCTION
-------------------------------------------------------------------

T.B.S.

-------------------------------------------------------------------
DEPENDENCIES
-------------------------------------------------------------------

The enforcer depends on the ldns library http://www.NLnetLabs.nl/projects/ldns
and can only be used in conjuction with a PKCS#11 library (a software
version of which, softHSM, is supplied with the OpenDNSSEC).
Additionally the enforcer depends on Google's Protocol Buffer library 
version 2.2 or higher.


-------------------------------------------------------------------
INSTALLATION
-------------------------------------------------------------------

T.B.S.

To build and install the enforcer, the following steps are needed:

From the base directory <opendnssec>/enforcer

autoreconf --install
./configure
make
make install

This will build the C-based tools, and set up the tools and engine to
use the options provided with configure:

--with-ldns=<dir> The base directory (prefix) of your ldns installation,
                  if it isn't in your standard path.
--prefix=<dir>    Installation directory. All files will be installed
                  relative to this path, and default search paths will
                  be relative to the prefix. Defaults to /usr/local

The enforcer will be installed in
<prefix>/sbin

-------------------------------------------------------------------
INTERACTION FROM THE COMMAND LINE
-------------------------------------------------------------------

If the enforcer is running (see the next section on how to run
one manually), you can interact with it using the tool ods-enforcer.

If you give no arguments, it will connect to the enforcer and go to
interactive mode. Only the start command cannot be called in
interactive mode. The command 'help' shows a list of possible
commands:
$ ods-enforcer
cmd> help
 Commands:

T.B.S.

queue           show the current task queue.
flush           execute all scheduled tasks immediately.
start           start the engine.
reload          reload the engine.
stop            stop the engine.
verbosity <nr>  set verbosity.

cmd> quit

You can also use these commands directly from your shell, by giving
them as arguments to ods-signer. If you do this, the client will
execute the command and quit.

-------------------------------------------------------------------
RUNNING THE ENGINE
-------------------------------------------------------------------

You can run the engine by calling <prefix>/sbin/ods-signer start

If everything is ok, you should see the following output:
$ ./ods-signer start
OpenDNSSEC signer engine version 1.2.0
$

The engine has daemonized itself and should be running. You can
check that it does by using ods-signer as specified in the
section INTERACTION FROM THE COMMAND LINE.

-------------------------------------------------------------------
RUNNING WITHOUT THE KASP
-------------------------------------------------------------------

If you want to test the engine on its own, or run it without using
the KASP module, you will need to perform the following steps.

Of course it has to be installed using the steps from section
INSTALLATION.

HSM
---
You will need to set up an HSM module. If you use SoftHSM, you will
need to make sure that a token is initialized, and that the correct
softhsm.conf file is set in the environment variable $SOFTHSM_CONF.

Some keys should be present in the token. If not, you can generate
them with the hsm-toolkit from OpenDNSSEC.


conf.xml
--------

You will need to either create or update the
<prefix>/etc/opendnssec/conf.xml file to your
settings; the <Repository> element should contain the name of the
token you have initialized in your HSM, the complete path of the
module library (e.g. <prefix>/lib/libsofthsm.so). Optionally you
can use a PIN value here too. If you do not specify it, the engine
will prompt for it.

If you run a nameserver, you will need to create a little script
that tells that server to reload its zones, and point to that
script with the element <NotifyCommand> below <Signer>.

The rest of the values can be left to their defaults.

The elements and their exact meanings are described here:
http://www.opendnssec.se/browser/trunk/conf/opendnssec/conf.rnc

zonelist.xml
------------

You can tell the enforecer what zones to enforce with
<prefix>/etc/zonelist.xml
An example zone list file can be found at
http://www.opendnssec.se/browser/trunk/conf/opendnssec/zonelist.xml

The elements and their exact meanings are described here:
http://www.opendnssec.se/browser/trunk/conf/opendnssec/zonelist.rnc

This file will specify the specific zone configuration, and its
in- and output-files.


zone configuration
------------------

T.B.S.

At the location pointed to in your zonelist.xml, you should create
a signer configuration xml file. An example can be found at:
http://www.opendnssec.se/browser/trunk/conf/opendnssec/signconf.xml

The elements and their exact meanings are described here:
http://www.opendnssec.se/browser/trunk/conf/opendnssec/signconf.rnc


Diagnostics
-----------

T.B.S.

