Thanks! Looking at preparing a package update, I noticed a few things:

A new directory /var/opendnssec/enforcer is needed? It tries chdir()
in there and failed for me. If this is just a rundir with no other
requirements, the better default location would be /var/run/ and it
should either use /var/run/<packagename>/ or /var/run/<service name>.
I also see this as a string in ods-signerd. It might just be that I
haven't found the appropriate configure option to tweak these.
Why isnt it using the already existing /var/run/opendnssec/ ?

I also noticed /var/opendnssec/tmp got renamed to /var/opendnssec/signer
in conf.xml. I am a little worried because this is specified in
conf.xml but also seems hardcoded in ods-enforcerd if I run strings on
ods-enforcerd. I haven't found yet where this gets configured or set
during build, so this might be perfectly fine.

And ods-signerd seems to want to bind to 0.0.0.0:53 for me, so on a
combination DNS server + opendnssec server that is not using XFR (like
my own nohats.ca setup), this will fail to start at all. I might need
to disable that feature in our standard configuration file, and let
users set it specifically to some IP if they want this. Possibly, a
better default would have been something on loopback?

Paul