[Opendnssec-user] Signer stuck after migration from 32-bit to 64-bit

Ondřej Surý ondrej at sury.org
Tue Jan 24 14:20:28 UTC 2012

Could you please document that somewhere?

- the arch bits non-portability (that's really braindead on PKCS#11
API to use variable length integers)
- the export/import including the label stuff

This worked:
ods-hsmutil list 2>/dev/null | tr -s " " | grep "RSA/" | cut -f 2 -d "
" | xargs -i softhsm --pin 1234 --slot 0 --export /tmp/softhsm/{} --id
cd /tmp/softhsm/
softhsm --slot 0 --init-token --label "DNSSEC Token" --pin 1234 --so-pin 9876
ls -1 | xargs -i softhsm --slot 0 --pin 1234 --import {} --label {} --id {}

Prefferably both README and website.

Thanks it works again now,

On Tue, Jan 24, 2012 at 14:06, Rickard Bellgrim <rickard at opendnssec.org> wrote:
>> Export the key you have in the signconf:
>> sudo softhsm --slot 0 --pin 1234 --export key.pem --id
>> 1e71b7ccea75aca4ca7106fb94e4c275
> The export functionality in the softhsm tool is not supported by
> PKCS#11. The program gets the information directly from the token
> database. This functionality will be dropped in v2 where all of the
> interaction is only done using PKCS#11. The reason that this
> functionality exists now is that the information is stored unencrypted
> and is available if you have the right privilege.
> It is recommended that you treat this migration between a 32-bit
> system to a 64-bit system as a system rollover. Where you pre- and
> postpublish the ZSK and have double DS in the parent zone. Then you do
> not need to move the keys.
> // Rickard

Ondřej Surý <ondrej at sury.org>

More information about the Opendnssec-user mailing list