opendnssec-enforcer for Debian ------------------------------ This package is part of OpenDNSSEC suite, and is probably useless without the other parts (unless you really know, what you're doing), so you may want to install opendnssec meta package which pulls all necessary dependencies to run OpenDNSSEC system. If you are going to use softhsm, you need to allow opendnssec user to access /var/lib/softhsm (or another place where you keep your softHSM database). On standard debian system, it should be sufficient to add opendnssec user to softhsm group by issuing: # adduser opendnssec softhsm Manual configuration required ----------------------------- OpenDNSSEC requires manual configuration before the signer and enforcer daemons can be started. One of these configuration steps consists in installing and configuring a Hardware Security Module (HSM) that will handle the cryptographic key operations. Most people will want to use the software HSM implementation provided by the recommended softhsm2 package, but other options are possible. The file /etc/opendnssec/prevent-startup is created during fresh installations and prevents the daemons from being automatically started. You should remove this file and start the daemons once you have configured OpenDNSSEC. -- Mathieu Mirmont , Wed, 30 Jan 2019 17:46:07 +0100