Skip to end of metadata
Go to start of metadata

You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

This document describes how to recover a single keypair from a backup.

Before you start

This is a rare procedure that should never be necessary in a production environment.  Before you start you should also consider restoring the entire environment from backup (instead of a single key) and/or regenerating the key.

Please be careful if you use this, the document below is a draft and contains a lot of assumptions about our environment.

Most information came from: 


  • we use softhsm 
    • backups are made with the sqlite 'dump' command
    • for this example the backup is in a file named dnssec-softhsm_12-11-17.bak
  • we use the mysql-backend of ODS 
    • backups are made with the mysqldump utillity
    • for this example the backup is in a file named dnssec-sql_12-11-17.bak
  • the domain is
  • we only care about Key Signing Keys
    • the procedure should also work for ZSK's but it's easier to generate a new ZSK
  • the OS is Debian GNU/Linux 6
    • Ubuntu most likely works as well



  1. Create temporary mysql database from backup 
    $ mysqladmin -u debian-sys-maint -p create odstemp 
    $ echo "GRANT ALL ON odstemp.* to 'opendnssec'@'localhost';" | mysql -u debian-sys-maint -p odstemp 
    $ mysql -u debian-sys-maint -p odstemp < dnssec-sql_12-11-17.bak 
  2. Search the key info 
    mysql> SELECT HSMkey_id,active,retire 
                FROM keypairs,dnsseckeys,zones
                WHERE AND
                AND keytype=257 AND'';
    | HSMkey_id                        | active              | retire              | 
    | d4aeef65b2ce3b1c0f5192778ad40b0c | 2012-02-22 14:49:44 | 2013-02-21 14:49:44 | 
  3. Create a temporary SoftHSM 
    $ sqlite3 softhsm.db "PRAGMA user_version = 100;" 
    $ sqlite3 softhsm.db < dnssec-softhsm_12-11-17.bak 
    $ echo 0:$PWD/softhsm.db > softhsm.conf 
    $ export SOFTHSM_CONF=$PWD/softhsm.conf 
  4. Export keypair from temporary SoftHSM 
    $ softhsm --export --slot 0 --pin <pincode> --id d4aeef65b2ce3b1c0f5192778ad40b0c 
  5. Import keypair into running softhsm with a _new_ ID 
    # export SOFTHSM_CONF=/etc/softhsm/softhsm.conf 
    # softhsm --import --slot 0 --label "recovered" --id 00000065b2ce3b1c0f5192778ad40b0c --pin <pincode> 
  6. Import keypair into OpenDNSSEC 
    # ods-ksmutil key import --cka_id 00000065b2ce3b1c0f5192778ad40b0c --repository LocalHSM --zone \
      --bits 2048 --algorithm 8 --keystate ACTIVE --keytype ksk --time "2012-02-22 14:49:44" --retire "2013-02-21 14:49:44" 
  7. Sign zone with imported key # ods-signer sign


  • No labels