A quick guide on migrating a zone signed with dnssec-tools to OpenDNSSEC. The existing KSK and ZSK are carried over rather than regenerated, so the key tags stay the same and the DS record at the parent remains valid; no DS rollover is needed.
dnf install bind opendnssec
Initialize a SoftHSM token in slot 0. softhsm2-util prompts for two PINs, the security officer (SO) PIN and the user PIN; OpenDNSSEC only needs the user PIN. Afterwards hand the token directory to the ods user so the enforcer and signer can open the token:
softhsm2-util --init-token --slot 0 --label "OpenDNSSEC"
chown -R ods:ods /var/lib/softhsm/tokens/
In the SoftHSM <Repository> section, set <PIN> to the user PIN entered when initializing the token, and make sure <TokenLabel> matches the label given to softhsm2-util ("OpenDNSSEC"). The PIN is stored in clear text, so keep conf.xml readable only by root and the ods user:
vi /etc/opendnssec/conf.xml
Optionally, set <Serial> (under <Zone><SOA> in kasp.xml) to datecounter to get YYYYMMDDnn serials such as 2015052001:
vi /etc/opendnssec/kasp.xml
Convert the current keys from the BIND private-key format that dnssec-tools uses to PEM (the file names carry the algorithm, 008 = RSASHA256, and the key tag):
softhsm2-keyconv --in Kexample.com.+008+35941.private --out ksk.pem
softhsm2-keyconv --in Kexample.com.+008+30269.private --out zsk.pem
And import them into the token. The --id values become the CKA_ID of each key object; they are what we reference when assigning the keys to the zone later:
softhsm2-util --import ksk.pem --slot 0 --label KSK --id 01
softhsm2-util --import zsk.pem --slot 0 --label ZSK --id 02
Initialize the database. This erases any existing OpenDNSSEC data, if there was any:
ods-ksmutil setup
Create the directory for unsigned zones and copy the zone file in, named after the zone (that is the default input path ods-ksmutil zone add uses):
mkdir /var/opendnssec/unsigned
cp example.com.zone /var/opendnssec/unsigned/example.com
Now tell OpenDNSSEC about the zone. The enforcer must be stopped first (ods-control stop), otherwise it would generate a fresh key set for the zone as soon as it is added:
ods-ksmutil zone add -z example.com
Assign the imported keys to the zone. --cka_id must match the --id used at import, and --keytype, --algorithm and --bits must describe the actual keys and should match the policy in kasp.xml; otherwise the enforcer will treat them as non-compliant and schedule a rollover to new keys. --time is the date the keys are considered active:
ods-ksmutil key import --cka_id 01 --repository SoftHSM --zone example.com --keystate active --keytype ksk --bits 2048 --algorithm 8 --time 20150604
ods-ksmutil key import --cka_id 02 --repository SoftHSM --zone example.com --keystate active --keytype zsk --bits 1024 --algorithm 8 --time 20150604
Now it is time to start the services. At the time of writing there is a bug in one of the service units; the fix is in this bug report.
systemctl enable ods-enforcerd.service ods-signerd.service
systemctl start ods-enforcerd.service ods-signerd.service
Notify the enforcer so it re-reads the zone and key changes made in the database:
ods-ksmutil notify
Finally start the enforcer and the signer (ods-control start starts both):
ods-control start
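The check below is added here as example code; it is not part of the original guide or of OpenDNSSEC, and it runs offline on a constructed sample. It recomputes the RFC 4034 key tag of every DNSKEY in the signed zone text and compares it with the key tag embedded in the old dnssec-tools key file names: if every old tag is still published, the DS record at the parent still matches and nothing has to change there. It assumes the signed zone is written to /var/opendnssec/signed/example.com (OpenDNSSEC's default output path) and that ods-signerd writes each DNSKEY RR on one line; the zone text and key file names in the sample are constructed, not real keys.

```shell
#!/bin/sh
# Added post-migration check (example code, not from the original guide).
# Confirms that the key tags of the DNSKEY RRs in the OpenDNSSEC-signed zone
# equal the key tags embedded in the old dnssec-tools key file names.
# Same key tag (and same key) means the DS record at the parent is still
# valid, so no DS update is needed after the migration.
set -eu

# Key tag per RFC 4034 Appendix B, for a DNSKEY given as
# "<flags> <protocol> <algorithm> <base64 public key>".
dnskey_keytag() {
    flags=$1; proto=$2; alg=$3; pub=$4
    # Wire-format RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, key.
    pubbytes=$(printf '%s' "$pub" | base64 -d | od -An -v -tu1)
    rdata="$((flags / 256)) $((flags % 256)) $proto $alg $pubbytes"
    ac=0; i=0
    for b in $rdata; do
        # even-indexed bytes weigh 256, odd-indexed bytes weigh 1
        if [ $((i % 2)) -eq 0 ]; then ac=$((ac + b * 256)); else ac=$((ac + b)); fi
        i=$((i + 1))
    done
    # fold the carry above the low 16 bits back in, then truncate to 16 bits
    ac=$((ac + ac / 65536))
    echo $((ac % 65536))
}

# Key tag embedded in a dnssec-tools/BIND key file name, e.g.
# Kexample.com.+008+35941.private -> 35941 (5 digits, zero-padded).
keytag_from_filename() {
    f=${1##*/}; f=${f%.private}; f=${f%.key}
    printf '%s\n' "${f##*+}"
}

# Print "<keytag> <flags>" for each DNSKEY RR in the zone text given as $1.
# Assumes one RR per line (name ttl class type flags proto alg key...).
zone_keytags() {
    printf '%s\n' "$1" |
    awk '$4 == "DNSKEY" { sub(/;.*/, ""); key = ""
                          for (i = 8; i <= NF; i++) key = key $i
                          print $5, $6, $7, key }' |
    while read -r flags proto alg pub; do
        printf '%05d %s\n' "$(dnskey_keytag "$flags" "$proto" "$alg" "$pub")" "$flags"
    done
}

# Return 0 only if every old key file's tag appears in the signed zone's DNSKEY set.
check_migration() {
    zone=$1; shift
    tags=$(zone_keytags "$zone")
    for kf in "$@"; do
        want=$(keytag_from_filename "$kf")
        if ! printf '%s\n' "$tags" | grep -q "^$want "; then
            echo "MISSING: key tag $want from $kf is not in the signed zone" >&2
            return 1
        fi
    done
    echo "OK: all imported keys are published; the DS at the parent stays valid"
}

# Constructed sample data (not a real zone or real keys): "AQAB" is just the
# bytes 01 00 01 and "AQAC" is 01 00 02, which give key tags 01545 and 01800.
SAMPLE_ZONE='example.com. 3600 IN DNSKEY 257 3 8 AQAB
example.com. 3600 IN DNSKEY 256 3 8 AQAC'

# Against a live install (assumed default signed path):
#   check_migration "$(cat /var/opendnssec/signed/example.com)" /path/to/Kexample.com.+008+*.private
check_migration "$SAMPLE_ZONE" Kexample.com.+008+01545.private Kexample.com.+008+01800.private
```

On the real zone, cross-check the result with ods-ksmutil key list --verbose, which prints the key tag of every key the enforcer tracks, and with dig DNSKEY example.com +dnssec against the published zone; all three should agree on the tags from the old key file names.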
For more information, this is a good guide: