[Opendnssec-user] Timing/triggers for ODS2 Enforcer's <DelegationSignerSubmitCommand> & <DelegationSignerRetractCommand> ?

PGNet Dev pgnet.dev at gmail.com
Fri Jan 20 13:24:27 UTC 2017

In ODS 2.1.x, I'm working on full DS-record automation using APIs for different registrars.

Within conf.xml, the two options for triggering scripts are


What are the specific prerequisites & timing for these to be called?



		"Configure the <DelegationSignerSubmitCommand> if you want to have a program/script receiving the new KSK during a key rollover. This will make it possible to create a fully automatic KSK rollover, where OpenDNSSEC feed your program/script on stdin with the current set of DNSKEYs that we want to have in the parent as DS RRs. There are two examples available: an eppclient and a simple mail script. Remember that the ods-ksmutil key ds-seen must be given in order to complete the rollover. This should only be done when the new DS RRs are available on the parents public nameservers."

it's unclear.

Is ODS enforcer polling for a specific trigger to fire each script?

Or do we need to add polling of some sort in the scripts themselves?

More information about the Opendnssec-user mailing list