Recovery of a single dnskey from SoftHSM backup

This document describes how to recover a single keypair from a backup.

Before you start

This is a rare procedure that should never be necessary in a production environment.  Before you start you should also consider restoring the entire environment from backup (instead of a single key) and/or regenerating the key.

Please be careful if you use this, the document below is a draft and contains a lot of assumptions about our environment.

Most information came from: 

• https://wiki.opendnssec.org/display/DOCS/Migrating+to+OpenDNSSEC
• https://svn.opendnssec.org/trunk/softHSM/README

Background

• we use softhsm 
  
  • backups are made with the sqlite 'dump' command
  • for this example the backup is in a file named dnssec-softhsm_12-11-17.bak
• we use the mysql-backend of ODS 
  
  • backups are made with the mysqldump utillity
  • for this example the backup is in a file named dnssec-sql_12-11-17.bak
• the domain is example.com
• we only care about Key Signing Keys
  
  • the procedure should also work for ZSK's but it's easier to generate a new ZSK
• the OS is Debian GNU/Linux 6
  
  • Ubuntu most likely works as well

Procedure

1. Create temporary mysql database from backup 
   $ mysqladmin -u debian-sys-maint -p create odstemp 
   $ echo "GRANT ALL ON odstemp.* to 'opendnssec'@'localhost';" | mysql -u debian-sys-maint -p odstemp 
   $ mysql -u debian-sys-maint -p odstemp < dnssec-sql_12-11-17.bak 
2. Search the key info 
   mysql> SELECT HSMkey_id,active,retire 
               FROM keypairs,dnsseckeys,zones
               WHERE keypairs.id=dnsseckeys.keypair_id AND dnsseckeys.zone_id=zones.id
               AND keytype=257 AND zones.name='example.com';
   

   +----------------------------------+---------------------+---------------------+ 

   | HSMkey_id                        | active              | retire              | 

   +----------------------------------+---------------------+---------------------+ 

   | d4aeef65b2ce3b1c0f5192778ad40b0c | 2012-02-22 14:49:44 | 2013-02-21 14:49:44 | 

   +----------------------------------+---------------------+---------------------+  

3. Create a temporary SoftHSM 
   

   $ sqlite3 softhsm.db "PRAGMA user_version = 100;" 

   $ sqlite3 softhsm.db < dnssec-softhsm_12-11-17.bak 

   $ echo 0:$PWD/softhsm.db > softhsm.conf 

   $ export SOFTHSM_CONF=$PWD/softhsm.conf 

4. Export keypair from temporary SoftHSM 
   $ softhsm --export example.com.zsk.pem --slot 0 --pin <pincode> --id d4aeef65b2ce3b1c0f5192778ad40b0c 
5. Import keypair into running softhsm with a _new_ ID 
   # export SOFTHSM_CONF=/etc/softhsm/softhsm.conf 
   # softhsm --import example.com.zsk.pem --slot 0 --label "recovered example.com" --id 00000065b2ce3b1c0f5192778ad40b0c --pin <pincode> 
6. Import keypair into OpenDNSSEC 
   # ods-ksmutil key import --cka_id 00000065b2ce3b1c0f5192778ad40b0c --repository LocalHSM --zone example.com \
     --bits 2048 --algorithm 8 --keystate ACTIVE --keytype ksk --time "2012-02-22 14:49:44" --retire "2013-02-21 14:49:44" 
7. Sign zone with imported key # ods-signer sign example.com