[Opendnssec-user] Recovery of a single dnskey from softhsm backup

Casper Gielen c.gielen at uvt.nl
Wed Nov 28 17:37:05 UTC 2012


Hello everyone,
Today I had to recover a single keypair from backup. It was fairly easy, but not the kind of thing you want to figure out in a pickle, so here is the log. I also have a version with comments in Dutch that I will mail out if anybody cares.
Please be careful if you use this; the document below was not intended for publication and contains a lot of assumptions about our environment.

Most information came from:
- https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC
- https://svn.opendnssec.org/trunk/softHSM/README

Our situation
- we use softhsm                    (dnssec-softhsm_12-11-17.bak)
- we use the mysql-backend of ODS   (dnssec-sql_12-11-17.bak)
- the domain is example.com


1. Create temporary mysql database from backup
$ mysqladmin -u debian-sys-maint -p create odstemp
$ echo "GRANT ALL ON odstemp.* to 'opendnssec'@'localhost';" | mysql -u debian-sys-maint -p odstemp
$ mysql -u debian-sys-maint -p odstemp < dnssec-sql_12-11-17.bak


2. Search the key info
mysql> SELECT HSMkey_id,active,retire FROM keypairs,dnsseckeys,zones
WHERE keypairs.id=dnsseckeys.keypair_id AND dnsseckeys.zone_id=zones.id
AND keytype=257 AND zones.name='example.com';
+----------------------------------+---------------------+---------------------+
| HSMkey_id                        | active              | retire              |
+----------------------------------+---------------------+---------------------+
| d4aeef65b2ce3b1c0f5192778ad40b0c | 2012-02-22 14:49:44 | 2013-02-21 14:49:44 |
+----------------------------------+---------------------+---------------------+


3. Create temporary SoftHSM
$ sqlite3 softhsm.db "PRAGMA user_version = 100;"
$ sqlite3 softhsm.db < dnssec-softhsm_12-11-17.bak
$ echo 0:$PWD/softhsm.db > softhsm.conf
$ export SOFTHSM_CONF=$PWD/softhsm.conf


4. Export keypair from temporary SoftHSM
$ softhsm --export example.com.zsk.pem --slot 0 --pin <pincode> --id d4aeef65b2ce3b1c0f5192778ad40b0c


5. Import keypair into running softhsm with a _new_ ID
# export SOFTHSM_CONF=/etc/softhsm/softhsm.conf
# softhsm --import example.com.zsk.pem --slot 0 --label "recovered example.com" --id 00000065b2ce3b1c0f5192778ad40b0c --pin <pincode>


6. Import keypair into OpenDNSSEC
# ods-ksmutil key import --cka_id 00000065b2ce3b1c0f5192778ad40b0c  --repository LocalHSM --zone example.com \
  --bits 2048 --algorithm 8 --keystate ACTIVE --keytype ksk --time "2012-02-22 14:49:44"  --retire "2013-02-21 14:49:44"


7. Sign zone with imported key
# ods-signer sign example.com


-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Phone 013 466 4100 | G 236 | http://www.uvt.nl
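The seven steps of the post wrapped in checked shell functions, as an added example that is not part of the original message or of the OpenDNSSEC/SoftHSM projects. It keeps the post's tool names and flags (mysql, sqlite3, softhsm, ods-ksmutil, ods-signer) and the post's convention of zeroing the first six hex characters of the CKA_ID on re-import; the function names, the scratch directory, the SOFTHSM_PIN and RECOVER_RUN variables, non-interactive mysql credentials (e.g. ~/.my.cnf) and the assumption that `ods-ksmutil key list --verbose` prints CKA_IDs are mine. The checks it adds are the ones you want before touching the live HSM: the id is well-formed, the exported PEM actually contains a private key, and the new id is not already in use.

```shell
#!/bin/sh
# Added example, not from the original post: the recovery procedure as
# functions with sanity checks. Assumes mysql credentials in ~/.my.cnf,
# the SoftHSM PIN in $SOFTHSM_PIN, and OpenDNSSEC's repository named LocalHSM.
set -eu

# A CKA_ID as used by SoftHSM/ODS here: exactly 32 hex characters.
is_cka_id() {
    case "$1" in
        ''|*[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 32 ]
}

# Id for the re-imported copy: first 6 hex chars zeroed, rest kept, so the
# key gets a fresh id but stays recognisable (the post's convention).
new_cka_id() {
    is_cka_id "$1" || return 1
    printf '%s\n' "000000${1#??????}"
}

# Step 2: KSK ids (keytype 257) plus active/retire times for a zone from the
# restored KASP database. $1 = zone, $2 = temp database name. Output is
# tab-separated: HSMkey_id, active, retire.
find_ksk_ids() {
    # Only hostname characters in the zone name, since it is interpolated into SQL.
    case "$1" in *[!A-Za-z0-9.-]*|'') echo "bad zone name: $1" >&2; return 1 ;; esac
    mysql -N "$2" <<EOF
SELECT HSMkey_id, active, retire FROM keypairs, dnsseckeys, zones
 WHERE keypairs.id = dnsseckeys.keypair_id AND dnsseckeys.zone_id = zones.id
   AND keytype = 257 AND zones.name = '$1';
EOF
}

# Steps 3-4: rebuild the SoftHSM backup in a scratch directory and export one
# key. $1 = backup file, $2 = CKA_ID, $3 = PEM output path.
export_from_backup() {
    tmp=$(mktemp -d)
    sqlite3 "$tmp/softhsm.db" "PRAGMA user_version = 100;"
    sqlite3 "$tmp/softhsm.db" < "$1"
    echo "0:$tmp/softhsm.db" > "$tmp/softhsm.conf"
    SOFTHSM_CONF="$tmp/softhsm.conf" \
        softhsm --export "$3" --slot 0 --pin "$SOFTHSM_PIN" --id "$2"
    rm -rf "$tmp"
    # Verify we really got a private key before going near the live HSM.
    grep -q 'PRIVATE KEY' "$3" || { echo "export of $2 failed" >&2; return 1; }
}

# True if the live OpenDNSSEC already knows this CKA_ID (assumed output
# format of 'ods-ksmutil key list --verbose').
id_in_use() {
    ods-ksmutil key list --verbose 2>/dev/null | grep -qi "$1"
}

# Steps 5-7 against the live SoftHSM/ODS.
# $1 = zone, $2 = old id, $3 = PEM file, $4 = active time, $5 = retire time.
import_into_live() {
    new=$(new_cka_id "$2")
    if id_in_use "$new"; then echo "$new already in use, pick another" >&2; return 1; fi
    SOFTHSM_CONF=/etc/softhsm/softhsm.conf \
        softhsm --import "$3" --slot 0 --label "recovered $1" --id "$new" --pin "$SOFTHSM_PIN"
    ods-ksmutil key import --cka_id "$new" --repository LocalHSM --zone "$1" \
        --bits 2048 --algorithm 8 --keystate ACTIVE --keytype ksk \
        --time "$4" --retire "$5"
    ods-signer sign "$1"
}

# End-to-end run: $1 = zone, $2 = KASP SQL backup, $3 = SoftHSM backup.
main() {
    zone=$1 sqlbak=$2 hsmbak=$3 tempdb=odstemp
    mysqladmin create "$tempdb"
    mysql "$tempdb" < "$sqlbak"
    find_ksk_ids "$zone" "$tempdb" |
    while IFS="$(printf '\t')" read -r id active retire; do
        pem="$zone.ksk.$id.pem"
        export_from_backup "$hsmbak" "$id" "$pem"
        import_into_live "$zone" "$id" "$pem" "$active" "$retire"
        rm -f "$pem"
    done
    mysqladmin drop -f "$tempdb"
}

# Only act when explicitly asked, so the file can be sourced for its functions.
if [ "${RECOVER_RUN:-0}" = 1 ]; then main "$@"; fi
```

Run it as `RECOVER_RUN=1 SOFTHSM_PIN=... sh recover.sh example.com dnssec-sql_12-11-17.bak dnssec-softhsm_12-11-17.bak`; the PEM with the private key is removed after import, and the temporary database is dropped, so the only lasting copies stay inside the HSM.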