[Opendnssec-user] Export KSK/ZSK

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue May 8 18:24:27 UTC 2018

On 04/26/2018 04:56 PM, Volker Janzen wrote:
> has somebody managed to export KSK/ZSK in bind format for zones in
> I am not sure how I get the information which zone uses which key in the
> softhsm1.

It will depend on whether your using OpenDNSSEC version 1.x or version
2.x, because first you need to find out the key id that you want to
export.  OpenDNSSEC version 2 has the command ods-enforcer with an
additional option, unfortunately called debug that you can use to
find out the identifier:

    ods-enforcer key list -d -z example.com

This will list all keys, including their type and current usage, along
with the identifier (a long hexadecimal number, e.g.:

    > ods-enforcer key list -d -z example.com
    Zone:                           Key role:     DS:          DNSKEY:
   RRSIGDNSKEY: RRSIG:       Pub: Act: Id:
    example.com                     KSK           hidden
omnipresent  omnipresent  NA           1    1
    example.com                     ZSK           NA
omnipresent  NA           rumoured     1    1

Suppose you want to export the ZSK, then you can use the softhsm command
to export the private (and embedded its public) key.

    softhsm --slot=0 --pin=0000 --id=8c122822abf1814f6473d0630b784f58
--export key.pkcs8

Note that the order of the options for this command matters.  It will
produce a file named key.pkcs8 which is in PKCS#8 format (which bind

SoftHSM version 2 has an equivalence in the softhsm2-util command.

If you just want the public key out of this file then you can use
OpenSSL utility command to extract this:

    openssl pkey -inform pem -in key.pkcs8 -outform pem -out publickey.pem

The equivalent of the ods-enforcer command for OpenDNSSEC version 1,
which is ods-ksmutil, does have the key export command as well,
but not the option -d to list the identifiers.  Instead you need
to dig into the signconf file that is written by the enforcer and
read by the signer daemon.  The exact location will differ on
where your installation is, if installed in /usr/local will
usually be in /usr/local/var/opendnssec/signconf/example.com.xml
for the example.com zone.
It is pretty easy to get the appropriate key id (the long hex
number) from this file, as it contains which keys are ZSKs/KSKs
and are used for publishing.


More information about the Opendnssec-user mailing list