Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

Version 1 Next »

This document describes how to recover a single keypair from a backup.

Please be carefull if you use this, the document below is a draft and contains a lot of assumptions about our environment.

Most information came from: 

Our situation

  • we use softhsm (dnssec-softhsm_12-11-17.bak)
  • we use the mysql-backend of ODS (dnssec-sql_12-11-17.bak) 
  • the domain is example.com
  1. Create temporary mysql database from backup 
    $ mysqladmin -u debian-sys-maint -p create odstemp 
    $ echo "GRANT ALL ON odstemp.* to 'opendnssec'@'localhost';" | mysql -u debian-sys-maint -p odstemp 
    $ mysql -u debian-sys-maint -p odstemp < dnssec-sql_12-11-17.bak 
  2. Search the key info 
    mysql> SELECT HSMkey_id,active,retire 
                FROM keypairs,dnsseckeys,zones
                WHERE keypairs.id=dnsseckeys.keypair_id AND dnsseckeys.zone_id=zones.id
                AND keytype=257 AND zones.name='example.com';
    +----------------------------------+---------------------+---------------------+ 
    | HSMkey_id                        | active              | retire              | 
    +----------------------------------+---------------------+---------------------+ 
    | d4aeef65b2ce3b1c0f5192778ad40b0c | 2012-02-22 14:49:44 | 2013-02-21 14:49:44 | 
    +----------------------------------+---------------------+---------------------+  
  3. Create temporary SoftHSM 
    $ sqlite3 softhsm.db "PRAGMA user_version = 100;" 
    $ sqlite3 softhsm.db < dnssec-softhsm_12-11-17.bak 
    $ echo 0:$PWD/softhsm.db > softhsm.conf 
    $ export SOFTHSM_CONF=$PWD/softhsm.conf 
  4. Export keypair from temporary SoftHSM 
    $ softhsm --export example.com.zsk.pem --slot 0 --pin <pincode> --id d4aeef65b2ce3b1c0f5192778ad40b0c 
  5. Import keypair into running softhsm with a _new_ ID 
    # export SOFTHSM_CONF=/etc/softhsm/softhsm.conf 
    # softhsm --import example.com.zsk.pem --slot 0 --label "recovered example.com" --id 00000065b2ce3b1c0f5192778ad40b0c --pin <pincode> 
  6. Import keypair into OpenDNSSEC 
    # ods-ksmutil key import --cka_id 00000065b2ce3b1c0f5192778ad40b0c --repository LocalHSM --zone example.com \
      --bits 2048 --algorithm 8 --keystate ACTIVE --keytype ksk --time "2012-02-22 14:49:44" --retire "2013-02-21 14:49:44" 
  7. Sign zone with imported key # ods-signer sign example.com

 

  • No labels