ods-server
Serve OpenDocument files over HTTP
SYNOPSIS
ods-server [options] [start|stop|reload|status]
PARAMETERS
-c <file>, --config <file>
Specifies the OpenDNSSEC configuration file to use.
-h, --help
Displays a help message and exits.
-v, --version
Shows version information and exits.
-d, --debug
Enables debug logging, providing more verbose output for troubleshooting.
-p <file>, --pidfile <file>
Specifies the PID file path where the daemon writes its process ID.
-t <dir>, --chroot <dir>
Changes the root directory of the daemon process to <dir> (chroot), confining its file system access to that directory.
-u <user>, --user <user>
Drops privileges and runs the daemon as the specified user.
-g <group>, --group <group>
Drops privileges and runs the daemon as the specified group.
--foreground
Runs the daemon in the foreground, useful for debugging.
--nonl
Suppresses logging to syslog, outputting only to standard error if in foreground.
--log-config
Logs the complete configuration loaded by the daemon at startup.
start
Command to start the ods-server daemon.
stop
Command to stop the ods-server daemon.
reload
Command to instruct the daemon to reload its configuration and policies without stopping.
status
Displays the current running status of the ods-server daemon.
DESCRIPTION
ods-server is the core daemon component of the OpenDNSSEC project, an automated DNSSEC key and signing management tool.
It is responsible for all cryptographic operations, including key generation, key rollovers, and the actual signing of DNS zones according to policies defined in the Key and Signing Policy (KASP) database.
The daemon continually monitors the state of configured zones and applies the necessary DNSSEC operations to ensure they remain signed and secure.
It communicates with configured DNS servers (such as BIND or NSD) to retrieve unsigned zones and push signed zones, effectively automating the entire DNSSEC signing process for domain owners.
CAVEATS
Running ods-server requires a properly configured OpenDNSSEC environment, including the Enforcer and a configured Hardware Security Module (HSM) or software-based key store.
Incorrect or outdated DNSSEC policies (defined in KASP) can lead to critical issues such as zones becoming unsigned, key rollover failures, or operational errors.
It is crucial to ensure that the daemon has appropriate file system permissions to access configuration files and key material and to communicate with the DNS server.
CONFIGURATION FILES
The primary configuration file for ods-server is typically conf.xml, which defines paths, logging, and connections to the KASP database and DNS servers.
DNSSEC policies themselves are defined in kasp.xml, managed by the enforcer component, and are crucial for the daemon's operations.
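The file permission caveat above can be checked before the daemon is started. The following sh functions are an added example, not part of OpenDNSSEC: they flag files that are not owned by the account given to -u, are accessible to other users, or are group-writable. That policy, the user and the paths passed in are assumptions to adapt to the local installation.

```shell
#!/bin/sh
# Added example: audit owner and mode of files the daemon reads.
# Policy assumed here: owned by the -u account, no access for "other",
# not group-writable. Paths and user are supplied by the caller.

# check_path USER PATH: print findings; return 0 if clean, 1 otherwise.
check_path() {
    user=$1 path=$2 rc=0
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    # -prune keeps find on the path itself; output means the test matched.
    if [ -z "$(find "$path" -prune -user "$user" 2>/dev/null)" ]; then
        echo "OWNER   $path is not owned by $user"
        rc=1
    fi
    for bit in 004 002 001; do   # read, write, execute for "other"
        if [ -n "$(find "$path" -prune -perm -"$bit")" ]; then
            echo "MODE    $path grants permission bit $bit to other users"
            rc=1
        fi
    done
    if [ -n "$(find "$path" -prune -perm -020)" ]; then
        echo "MODE    $path is group-writable"
        rc=1
    fi
    return "$rc"
}

# audit USER PATH...: return the number of paths with findings.
audit() {
    user=$1
    shift
    bad=0
    for p in "$@"; do
        check_path "$user" "$p" || bad=$((bad + 1))
    done
    return "$bad"
}

# Stand-alone use: sh audit.sh <user> <file>...
if [ "$#" -ge 2 ]; then
    audit "$@"
fi
```

A symbolic link is judged by its own mode, so pass the resolved path of any linked file.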
LOGGING
By default, ods-server logs its operational messages and errors to syslog, typically under the daemon facility.
For detailed troubleshooting, enable debug logging (-d option) and review the syslog messages.
HISTORY
The ods-server daemon is a central component of the OpenDNSSEC project, which originated from a need to automate the complex process of DNSSEC signing.
Developed by NLnet Labs and SURFnet, OpenDNSSEC aims to provide an open-source, robust, and policy-driven solution for securing DNS zones.
The daemon has evolved through various versions, improving performance, adding features, and enhancing security, becoming a widely adopted tool for DNSSEC automation in critical infrastructure.
SEE ALSO
ods-enforcerd(8), ods-control(8), ods-ksmutil(1), ods-enforcer(1), named(8), nsd(8)