opendnssec-enforcer for Debian

This package is part of the OpenDNSSEC suite, and is probably useless
without the other parts (unless you really know what you're doing),
so you may want to install the opendnssec meta package, which pulls in
all the dependencies necessary to run an OpenDNSSEC system.

If you are going to use softhsm, you need to allow the opendnssec user
to access /var/lib/softhsm (or another place where you keep your
softHSM database).  On a standard Debian system, it should be sufficient
to add the opendnssec user to the softhsm group by issuing:

  # adduser opendnssec softhsm

Manual configuration required

OpenDNSSEC requires manual configuration before the signer and
enforcer daemons can be started.

One of these configuration steps consists in installing and
configuring a Hardware Security Module (HSM) that will handle the
cryptographic key operations. Most people will want to use the
software HSM implementation provided by the recommended softhsm2
package, but other options are possible.

The file /etc/opendnssec/prevent-startup is created during fresh
installations and prevents the daemons from being automatically
started. You should remove this file and start the daemons once you
have configured OpenDNSSEC.

 -- Mathieu Mirmont <>, Wed, 30 Jan 2019 17:46:07 +0100
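
A pre-flight check for the steps described above, as an added example that is not part of the Debian package: it confirms the group membership and token directory access before you remove /etc/opendnssec/prevent-startup. The function names are made up here, and the rule that the softHSM directory is group-owned by softhsm and closed to other users is an assumption about how the key store should be protected.

```shell
#!/bin/sh
# Added example: pre-flight check before removing the prevent-startup file.
# Paths and names default to those in this README; the checks are assumptions.

# user_in_group USER GROUP: succeeds if USER is a member of GROUP.
user_in_group() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx -- "$2"
}

# token_dir_ok DIR GROUP: DIR exists, is group-owned by GROUP, and grants
# nothing to "other" users (the directory holds private key material).
token_dir_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c %G "$1")" = "$2" ] || return 1
    mode=$(stat -c %a "$1")
    # The last octal digit holds the permission bits for "other".
    [ "${mode#"${mode%?}"}" = "0" ]
}

# preflight USER GROUP TOKEN_DIR LOCK_FILE: prints findings and returns the
# number of problems found (0 means the lock file can safely be removed).
preflight() {
    problems=0
    if ! user_in_group "$1" "$2"; then
        echo "FAIL: $1 is not in group $2 (fix: adduser $1 $2)"
        problems=$((problems + 1))
    fi
    if ! token_dir_ok "$3" "$2"; then
        echo "FAIL: $3 is missing, not group-owned by $2, or open to others"
        problems=$((problems + 1))
    fi
    if [ -e "$4" ]; then
        echo "INFO: $4 exists; the daemons stay stopped until it is removed"
    fi
    return "$problems"
}

# Run against the README's defaults only when asked to: sh preflight.sh --check
if [ "${1:-}" = "--check" ]; then
    preflight opendnssec softhsm /var/lib/softhsm \
        /etc/opendnssec/prevent-startup
fi
```

The script only reports; it never removes the lock file or starts the daemons itself.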