Quick getting started guide for OpenDNSSEC
1. Initialize the Software "Hardware Security Module"
    # mkdir /usr/local/var/softhsm
    # softhsm --init-token --slot 0 --label OpenDNSSEC
    (use '1234' for both questions below: it is the PIN the sample conf.xml
    carries in its <Repository> section. Outside the workshop choose a real
    PIN and put the same value in conf.xml):
    The SO PIN must have a length between 4 and 255 characters.
    Enter SO PIN: ****
    The user PIN must have a length between 4 and 255 characters.
    Enter user PIN: ****
    The token has been initialized.
    # softhsm --show-slots
    Create configuration files for OpenDNSSEC by making a copy
    of the samples distributed with the package:
      # cd /usr/local/etc/opendnssec
      # cp kasp.xml.sample kasp.xml
      # cp conf.xml.sample conf.xml
      # cp zonefetch.xml.sample zonefetch.xml
      # cp zonelist.xml.sample zonelist.xml
      # chmod 644 *.xml
      (conf.xml contains the HSM PIN; 644 is acceptable for the workshop, but
      on a production server make it readable only by root and the user the
      OpenDNSSEC daemons run as.)
2. Change the default Policy to use NSEC instead of NSEC3:
    Edit /usr/local/etc/opendnssec/kasp.xml
    Find the <Denial> section of the "default" policy, and remove all the
    lines from <NSEC3> ... </NSEC3>:
    <Denial>
        <NSEC3>
            <Resalt>P100D</Resalt>
            <Hash>
                <Algorithm>1</Algorithm>
                <Iterations>5</Iterations>
                <Salt length="8"/>
            </Hash>
        </NSEC3>
    </Denial>
    ... and replace them with this single line:
        <NSEC/>
    so that the section reads <Denial><NSEC/></Denial>.
    Save & exit.
    (NSEC keeps the exercise simple, but it lets anyone enumerate the zone
    by walking the NSEC chain; that is why the sample policy uses NSEC3.
    For a real TLD keep NSEC3.)
3. Initialize the KSM
    # ods-ksmutil setup
    *WARNING* This will erase all data in the database; are you sure? [y/N] y
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    fixing permissions on file /usr/local/var/opendnssec/kasp.db
    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    kasp filename set to /usr/local/etc/opendnssec/kasp.xml.
    Repository SoftHSM found
    No Maximum Capacity set.
    RequireBackup NOT set; please make sure that you know the potential
        problems of using keys which are not recoverable
    /usr/local/etc/opendnssec/conf.xml validates
    /usr/local/etc/opendnssec/kasp.xml validates
    Policy default found
    Info: converting P1Y to seconds; M interpreted as 31 days, Y interpreted as 365 days
4. Install a copy of the unsigned zone for OpenDNSSEC to sign
    Earlier, we made a backup copy of our zone, before it was signed
    by BIND9. We are going to use that backup copy now and make it
    available to OpenDNSSEC.
          # cd /etc/namedb/master
          # cp MYTLD.unsigned /usr/local/var/opendnssec/unsigned/MYTLD
          (MYTLD is your own zone name. The file name must be exactly the
          zone name you give to "ods-ksmutil zone add" in the next step,
          because that is where OpenDNSSEC looks for the unsigned zone by
          default.)
5. Add the zone to OpenDNSSEC's database:
    # ods-ksmutil zone add --zone mytld
    zonelist filename set to /usr/local/etc/opendnssec/zonelist.xml.
    SQLite database set to: /usr/local/var/opendnssec/kasp.db
    Imported zone: mytld
6. Make OpenDNSSEC reload BIND after each signing run
    Modify /usr/local/etc/opendnssec/conf.xml
    Find the lines that the sample leaves commented out in the <Signer>
    section (in OpenDNSSEC 1.x this is the <NotifyCommand> element, which
    runs "rndc reload" for the zone once it has been signed), and remove
    the comment markers (the lines '<!--' and '-->') around them. Check
    that the path to rndc in that command matches where BIND is installed
    on this system.
7. Start OpenDNSSEC!
    # ods-control start
    Starting enforcer...
    OpenDNSSEC ods-enforcerd started (version 1.2.0), pid 63495
    Starting signer engine...
    Starting signer...
    OpenDNSSEC signer engine version 1.2.0
    Engine running.
    # ps ax | grep ods
    41588  ??  SsJ    0:00.11 /usr/local/sbin/ods-enforcerd
    41593  ??  SsJ    0:00.07 /usr/local/sbin/ods-signerd -vvv
8. Check that the zone is signed
    # ls -l /usr/local/var/opendnssec/signed
    -rw-r--r--  1 root  wheel  3944 Feb 19 09:10 mytld
    If for some reason, you don't see a file in this
    directory (/usr/local/var/opendnssec/signed/), then
    force the signer to sign:
    # ods-signer sign mytld
9. Tell BIND to load the new zone
    Modify /etc/namedb/named.conf, and change the zone definition for "mytld"
    so it looks like this (remove auto-dnssec and any other BIND-side signing
    options: OpenDNSSEC now does the signing, and BIND must serve the signed
    file as-is). "allow-transfer { any; }" is for the workshop; on a
    production server restrict transfers to your secondaries:
zone "mytld" {
        file "/usr/local/var/opendnssec/signed/mytld";
        type master;
        allow-transfer { any; };
};
    Restart named:
    # /etc/rc.d/named restart
10. Export the DS, ready to upload:
    # ods-ksmutil key export --zone mytld --ds --keystate publish >/tmp/dsset-mytld.
    Check that the file contains a DS record for the KSK; an empty file means
    the enforcer has not generated and published the key yet. Note that the
    enforcer will not move the KSK to "active" on its own: once the DS is
    published at the parent, tell it so with
    # ods-ksmutil key ds-seen --zone mytld --cka_id <CKA_ID>
    (the CKA_ID is shown by "ods-ksmutil key list --verbose").
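    Before uploading, it is worth confirming that the DS you exported really
    belongs to the KSK in the signed zone: a stale dsset file from an earlier
    key, or a DS generated for the wrong owner name, will break validation for
    the whole zone once the parent publishes it. The script below is an added
    example written for this guide, not code from the page or from the
    OpenDNSSEC project. It recomputes the key tag (RFC 4034 Appendix B) and
    the DS digest (RFC 4034 section 5.1.4) from the DNSKEY and compares them
    with each DS line. The zone name "mytld", the DNSKEY lines and the stale DS
    line are constructed for the demo; the 4-byte public key is a dummy chosen
    so the key tag can be checked by hand, and real keys are far longer.

```python
#!/usr/bin/env python3
"""Check that DS records match the KSK in a signed zone before uploading them.

Added example for this guide; not part of OpenDNSSEC. All names and keys below
are constructed (assumptions), not taken from a real deployment.
"""
import base64
import hashlib
import struct

# Constructed stand-in for /usr/local/var/opendnssec/signed/mytld: one KSK
# (flags 257, SEP bit set) and one ZSK (flags 256). Keys are 4-byte dummies.
SAMPLE_SIGNED_ZONE = """\
mytld.  3600  IN  DNSKEY  257 3 8 AQIDBA==
mytld.  3600  IN  DNSKEY  256 3 8 BQYHCA==
"""

# Constructed stand-in for a stale /tmp/dsset-mytld.: the key tag matches the
# current KSK by coincidence, but the digest belongs to some other key.
SAMPLE_STALE_DS = "mytld. 3600 IN DS 2063 8 2 " + "00" * 32

# DS digest types from the IANA registry: 1 = SHA-1, 2 = SHA-256, 4 = SHA-384.
DIGEST_ALGS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def wire_name(owner):
    """Canonical owner name (RFC 4034 6.2): lowercase, absolute, length-prefixed labels."""
    labels = owner.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels if l) + b"\x00"


def _fields(line):
    # Drop ';' comments and the '(' ')' continuation markers zone files may use.
    return [f for f in line.split(";")[0].split() if f not in ("(", ")")]


def parse_dnskey(line):
    """Return (owner, flags, protocol, algorithm, public key bytes) from a DNSKEY RR."""
    f = _fields(line)
    i = f.index("DNSKEY")
    flags, proto, alg = (int(x) for x in f[i + 1:i + 4])
    return f[0], flags, proto, alg, base64.b64decode("".join(f[i + 4:]))


def parse_ds(line):
    """Return (owner, key tag, algorithm, digest type, hex digest) from a DS RR."""
    f = _fields(line)
    i = f.index("DS")
    keytag, alg, dtype = (int(x) for x in f[i + 1:i + 4])
    return f[0], keytag, alg, dtype, "".join(f[i + 4:]).lower()


def dnskey_rdata(flags, proto, alg, pubkey):
    """DNSKEY RDATA in wire format: flags(2) protocol(1) algorithm(1) key."""
    return struct.pack("!HBB", flags, proto, alg) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: 16-bit sum of the RDATA, high carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner, flags, proto, alg, pubkey, digest_type=2):
    """DS fields for a DNSKEY: digest covers canonical owner name + DNSKEY RDATA."""
    rdata = dnskey_rdata(flags, proto, alg, pubkey)
    digest = DIGEST_ALGS[digest_type](wire_name(owner) + rdata).hexdigest()
    return key_tag(rdata), alg, digest_type, digest


def find_ksks(zone_text):
    """DNSKEY lines whose SEP bit (flag value 1) is set; a DS should cover these."""
    return [line for line in zone_text.splitlines()
            if "DNSKEY" in _fields(line) and parse_dnskey(line)[1] & 1]


def ds_matches_dnskey(ds_line, dnskey_line):
    """True only if owner, key tag, algorithm and digest all agree with the DNSKEY."""
    ds_owner, keytag, alg, dtype, digest = parse_ds(ds_line)
    owner, flags, proto, kalg, pubkey = parse_dnskey(dnskey_line)
    if wire_name(ds_owner) != wire_name(owner) or dtype not in DIGEST_ALGS:
        return False
    exp_tag, exp_alg, _, exp_digest = make_ds(owner, flags, proto, kalg, pubkey, dtype)
    return (keytag, alg, digest) == (exp_tag, exp_alg, exp_digest)


def check_dsset(dsset_text, zone_text):
    """Map each DS line in a dsset file to whether some KSK in the zone matches it."""
    ksks = find_ksks(zone_text)
    return {ds: any(ds_matches_dnskey(ds, k) for k in ksks)
            for ds in dsset_text.splitlines() if "DS" in _fields(ds)}


if __name__ == "__main__":
    for ksk in find_ksks(SAMPLE_SIGNED_ZONE):
        owner, flags, proto, alg, pub = parse_dnskey(ksk)
        tag, alg, dtype, digest = make_ds(owner, flags, proto, alg, pub)
        print("expected DS: %s IN DS %d %d %d %s" % (owner, tag, alg, dtype, digest))
    # The stale dsset must be rejected: same key tag, different digest.
    print("stale dsset accepted?", check_dsset(SAMPLE_STALE_DS, SAMPLE_SIGNED_ZONE))
```

    To use it on the real files, read /usr/local/var/opendnssec/signed/mytld
    and /tmp/dsset-mytld. into the two text arguments of check_dsset; any DS
    line that maps to False should not be sent to the parent. The owner-name
    comparison goes through wire_name on purpose, so "MYTLD" and "mytld." are
    treated as the same zone, as DNS does.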
11. Upload the DS to the server
    # scp /tmp/dsset-mytld. adm@rootserv.ws.nsrc.org:
12. Notify the administrator!