A DNSSEC-signed zone can be migrated over to OpenDNSSEC. How you do it depends on what your current setup looks like.

The zone data is no problem: just place a copy of the unsigned zone in the directory for unsigned zones. The difficult part is carrying over the private and public keys.

When moving from one system to another, you need to exchange public keys between them in order to always have a valid DNSSEC state. There are three possible solutions:

  • Export the keys
  • Prepublish DNSKEY record
  • Start fresh

Export the keys

One solution is to move the key pairs and make them accessible to OpenDNSSEC. The goal is to have the key pairs available to the system through PKCS#11.

The key pairs can, for example, be stored:

On disc

When the key pairs are stored on disc, you have access to files containing the key pairs. They can be imported into your new HSM using the PKCS#11 API or any tool available from your HSM vendor.

The BIND .private key file can be converted into the PKCS#8 file format using the tool that ships with SoftHSM. If you have another file format, OpenSSL can probably convert it into PKCS#8 for you.

softhsm-keyconv --topkcs8 --in <private-key-file> --out key.pem

The PKCS#8 file can then be imported into the SoftHSM token (if you are using SoftHSM as your HSM).

softhsm --import key.pem --slot 1 --pin 123456 --label A2 --id A2

On a smartcard with no PKCS#11 interface

Just connect a smartcard reader to your system and insert your smartcard. Then use OpenSC and pcscd to give it a PKCS#11 interface. Remember to protect the location of your smartcard reader, since the smartcard needs to stay online.

On an HSM

You can either move the HSM to the new server and install it there, or, if your vendor provides it, use the vendor's functionality to export or transfer the key pairs.

Add the keys to OpenDNSSEC

Once the key pairs are available on the system via PKCS#11, you must add them to OpenDNSSEC. Run this command before you start OpenDNSSEC, and make sure that the zone is properly configured in OpenDNSSEC.

ods-ksmutil key import --cka_id <CKA_ID> --repository <repository> --zone <zone> --bits <size> --algorithm <algorithm> --keystate <state> --keytype <type> --time <time>
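Before running the import it is worth confirming that the key file you are about to convert really is the key the zone currently publishes. The check below reads a BIND .private file (RSA), rebuilds the DNSKEY public key in RFC 3110 wire form and computes the RFC 4034 key tag, which you can compare against the DNSKEY and DS records already in DNS. This is an added example and not part of OpenDNSSEC or SoftHSM; the key file is a constructed sample with a toy 8-byte modulus, and the zone name in the printed record is a placeholder.

```python
import base64

def parse_bind_private(text):
    """Parse a BIND .private key file into a dict of field name -> value."""
    fields = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return fields

def rsa_public_key_rdata(modulus_b64, exponent_b64):
    """RFC 3110 wire form: exponent length, exponent, modulus."""
    exponent = base64.b64decode(exponent_b64)
    modulus = base64.b64decode(modulus_b64)
    if len(exponent) < 256:
        length = bytes([len(exponent)])
    else:  # long exponents use a zero byte followed by a 16-bit length
        length = b"\x00" + len(exponent).to_bytes(2, "big")
    return length + exponent + modulus

def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def dnskey_from_private(text, flags=257):
    """Return (flags, algorithm, base64 public key, key tag); 257 = KSK, 256 = ZSK."""
    fields = parse_bind_private(text)
    algorithm = int(fields["Algorithm"].split()[0])
    pubkey = rsa_public_key_rdata(fields["Modulus"], fields["PublicExponent"])
    rdata = flags.to_bytes(2, "big") + b"\x03" + bytes([algorithm]) + pubkey
    return flags, algorithm, base64.b64encode(pubkey).decode(), key_tag(rdata)

# Constructed sample with a toy modulus, only to exercise the parsing and tag.
SAMPLE_PRIVATE = """Private-key-format: v1.3
Algorithm: 8 (RSASHA256)
Modulus: AQIDBAUGBwg=
PublicExponent: AQAB
"""

if __name__ == "__main__":
    flags, alg, pub, tag = dnskey_from_private(SAMPLE_PRIVATE)
    print(f"example.com. IN DNSKEY {flags} 3 {alg} {pub}  ; key tag {tag}")
```

The key tag is independent of the CKA_ID: the --cka_id you pass to ods-ksmutil must match the --id you gave at softhsm --import, while the tag tells you which published DNSKEY the key corresponds to.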

The difference between active and ready is:

Prepublish DNSKEY record

A second alternative when migrating a signed zone to OpenDNSSEC is to do a manual key rollover. Again, when moving from one system to another, you need to exchange public keys between them so that the zone is always in a valid DNSSEC state.

The steps below perform a manual Double-DS KSK rollover and a manual Pre-Publication ZSK rollover. There must be a period of time between each step and the system rollover; otherwise there will not be sufficient time for the information to propagate across the Internet. The exact time depends on your setup, but it is typically between two and four weeks. Read more in the DNSSEC Key Timing draft from the IETF.

  1. Before the system rollover you need to:
  2. System rollover:
  3. After the system rollover you need to:

Start fresh

A third solution is to start fresh. Remove any DS records from the parent zone. Stop signing your zone once the DS records have expired from DNS caches. It is safe to remove the public keys from your zone once the signatures are no longer present in any DNS caches. Then transfer the zone over to OpenDNSSEC and let OpenDNSSEC start signing it again.

Your zone will not be secured by DNSSEC during this transfer.