[Opendnssec-user] enforcer hooks

Jerry Lundström jerry at opendnssec.org
Mon May 19 10:26:18 CEST 2014


Hi Petr,

On fre, 2014-05-16 at 18:01 +0200, Petr Spacek wrote:
> I'm looking into OpenDNSSEC v 1.4.5 configuration files and I can't see any 
> hooks for user scripts in Enforcer's configuration.

There are two hooks/commands that you can configure for OpenDNSSEC:

1. Configure the <DelegationSignerSubmitCommand> if you want to have a
program/script receiving the new KSK during a key rollover.

2. <NotifyCommand> optional element that will tell the Signer Engine to
call this command when the zone has been signed. Will expand the
following variables: %zone (the name of the zone that was signed) and
%zonefile (the filename of the signed zone).

These are located in the conf.xml, see:
https://wiki.opendnssec.org/display/DOCS/conf.xml

> I would like to run my own script every time a new key is generated or 
> an existing key is deleted (or even better - after any state change).
> 
> What mechanism would you recommend for this purpose?

There is no good mechanism for getting that information currently.

To understand what the big picture is could you explain why you want
this information as it happens?

There are a few different keys and states: there are HSM keys (raw key
material) and keys in KASP, and both carry a lot of states.

> I think that the (theoretical) hook should be called with parameters 
> equivalent to output from "ods-ksmutil key list -v" for every changed key.
> 
> Would it be possible to add those hooks?

If time permits, sure. But right now I think we need to understand in
more depth what you want to do and why.

And if you or your team have time you could always make a pull request
with the functionality you wish to have.

-- 
Jerry Lundström - OpenDNSSEC Developer
http://www.opendnssec.org/
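As an added example, not Jerry's reply nor code from the OpenDNSSEC project: a receiver script for the <NotifyCommand> hook described above. The Signer Engine expands %zone and %zonefile and hands them to the command as arguments, so the script's job is to treat those two values as untrusted input, check that the zone file really is the signed zone it claims to be, and only then trigger a name server reload. The conf.xml wiring shown in the comment (a <NotifyCommand> inside <Signer>), the script path /usr/local/bin/ods-notify-hook and the RELOAD_CMD knob are assumptions for the example.

```shell
#!/bin/sh
# Added example: a receiver script for the Signer Engine's <NotifyCommand>.
# Assumed conf.xml wiring (not taken from the thread):
#   <Signer>
#     <NotifyCommand>/usr/local/bin/ods-notify-hook %zone %zonefile</NotifyCommand>
#   </Signer>
# The signer expands %zone and %zonefile and passes them as $1 and $2.

# RELOAD_CMD is a hypothetical knob: the command that tells the name server
# to pick up the re-signed zone. It defaults to a no-op so the script can be
# exercised without a name server present.
RELOAD_CMD="${RELOAD_CMD:-true}"

# Accept only characters a DNS owner name can contain. Anything else is
# rejected before it reaches a log line or another command.
valid_zone() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# The signed zone file must exist, be a regular file and be non-empty.
valid_zonefile() {
    [ -n "$1" ] && [ -f "$1" ] && [ -s "$1" ]
}

# Cheap sanity check that the expanded %zonefile belongs to the expanded
# %zone: its apex must carry an SOA record for that name (trailing dot
# optional). Dots in the name are escaped so they are not regex wildcards.
has_soa_for_zone() {
    esc=$(printf '%s' "${1%.}" | sed 's/\./\\./g')
    grep -Eiq "^${esc}\.?[[:space:]].*[[:space:]]SOA[[:space:]]" "$2"
}

# Returns 0 on success, 2 for malformed input, 3 for a zone/file mismatch,
# 4 when the reload command itself fails.
notify_hook() {
    zone="$1"
    zonefile="$2"
    if ! valid_zone "$zone"; then
        # Deliberately do not echo the rejected value into the log.
        echo "ods-notify-hook: rejected malformed zone name" >&2
        return 2
    fi
    if ! valid_zonefile "$zonefile"; then
        echo "ods-notify-hook: $zone: signed zone file missing or empty: $zonefile" >&2
        return 2
    fi
    if ! has_soa_for_zone "$zone" "$zonefile"; then
        echo "ods-notify-hook: $zone: no SOA for this zone in $zonefile" >&2
        return 3
    fi
    "$RELOAD_CMD" "$zone" || return 4
    echo "ods-notify-hook: $zone: reloaded from $zonefile" >&2
    return 0
}

# Act as the hook only when invoked with the two expanded arguments.
if [ "$#" -eq 2 ]; then
    notify_hook "$1" "$2"
    exit $?
fi
```

Exit codes other than 0 are what the signer's log will show if the hook fails, so keeping them distinct (bad input vs. mismatch vs. reload failure) makes the failure visible without having to read the script's stderr.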
