[Opendnssec-user] Migrating signed zones from MS DNS 2008 to OpenDNSSEC

Rickard Bellgrim rickard at opendnssec.org
Sat Oct 11 09:44:18 UTC 2014

> Has anybody done this before and willing to share some tips/hints
> especially with regards to reusing the keys? If I'm not wrong, they
> are in PFX file format. I found
> https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC but
> it explains how to convert BIND files.

If you want to use the SoftHSM binaries to import the key into SoftHSM,
then you need to convert the PFX file into a PKCS#8 file. Maybe something
like this:

openssl pkcs12 -in file.p12 -nocerts -out key.pem
openssl pkcs8 -in key.pem -topk8 -out p8key.pem

> We can also afford start fresh. In that case, is it recommended to
> reduce TTL prior to removal of DS records from the parent zone?

If you can adjust the TTL of the DS records at the parent, then it is good
to reduce the TTL so that it goes quicker when you decide to move from
Windows 2008 to OpenDNSSEC. The same goes for the TTL within your own zone.

// Rickard
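
The conversion suggested above, with a check that the PKCS#8 output still holds the same key pair. This is an added example, not part of the original message or of OpenDNSSEC/SoftHSM. The function names, file names, passphrase and throwaway key are constructed for the demo, and it uses -nodes/-nocrypt so that it runs without prompts.

```shell
#!/bin/sh
# Added example: PFX -> PKCS#8 conversion plus a same-key check.
# All names, the passphrase and the sample key below are constructed.
umask 077   # the PKCS#8 output here is an unencrypted private key

# $1 = PFX file, $2 = PFX passphrase, $3 = PKCS#8 output file.
# "pass:" exposes the passphrase in the process list; fine for a demo only.
pfx_to_pkcs8() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null |
        openssl pkcs8 -topk8 -nocrypt -out "$3"
}

# Print the PEM public key derived from a private key file; fail if unreadable.
public_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Succeed only if both private key files contain the same key pair.
same_key() {
    a=$(public_key "$1") || return 1
    b=$(public_key "$2") || return 1
    [ "$a" = "$b" ]
}

# Constructed stand-in for the key exported from the Windows server.
# $1 = work directory, $2 = passphrase for the PFX.
make_sample_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days 1 -keyout "$1/orig.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$1/orig.pem" -in "$1/cert.pem" \
        -passout "pass:$2" -out "$1/file.p12"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample_pfx "$dir" demo-pass &&
    pfx_to_pkcs8 "$dir/file.p12" demo-pass "$dir/p8key.pem" &&
    same_key "$dir/orig.pem" "$dir/p8key.pem"
    rc=$?
    rm -rf "$dir"   # do not leave unencrypted key material behind
    return $rc
}

demo && echo "PKCS#8 key matches the original"
```
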