Hi Einar,
To be clear, if you use a PKCS #11 keystore, the zone backup doesn't and can't back up the stored private keys. It only backs up metadata stored in the KASP DB. Therefore, you must also synchronize the contents of the HSM. In the case of SoftHSM, you just copy the tokens directory.
In my opinion, SoftHSM is perfect for testing or if your software requires a PKCS #11 device (OpenDNSSEC), but for production (with Knot DNS) it only complicates the setup without providing significant security benefits. I would recommend migrating to a PEM keystore.
Daniel
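The sync Daniel describes (zone backup plus a copy of the SoftHSM tokens directory, then restore on the other host), written out as an added example. This is not the poster's script and not part of the Knot DNS project; the backup directory, the SoftHSM `directories.tokendir` path and the destination host are assumed placeholders, and the `+backupdir` option is the knotc syntax for choosing the backup location.

```shell
#!/bin/sh
# Added example: mirror a Knot DNS zone backup together with the SoftHSM
# token directory to a second host. Paths and host are assumptions.
set -eu

BACKUP_DIR="${BACKUP_DIR:-/var/lib/knot/backup}"   # assumed knotc +backupdir target
TOKEN_DIR="${TOKEN_DIR:-/var/lib/softhsm/tokens}"  # assumed directories.tokendir of softhsm2.conf
DEST_HOST="${DEST_HOST:-ns2.example.invalid}"      # placeholder destination host

# One digest over all files in a directory, sorted by relative path, so two
# directories can be compared by content only (mtime/ownership are ignored).
dir_digest() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do
          printf '%s ' "$f"
          sha256sum "$f" | cut -d' ' -f1
      done ) | sha256sum | cut -d' ' -f1
}

# Returns 0 when both directories hold identical file content, 1 otherwise.
# Run against a local mirror of the token dir before zone-restore: the KASP DB
# only references key IDs, so a restore without the matching tokens leaves
# the zone with keys it cannot use.
dirs_match() {
    [ "$(dir_digest "$1")" = "$(dir_digest "$2")" ]
}

# Full procedure: take the backup, mirror backup and tokens (--delete cleans
# the destination, as the poster's script does), then restore remotely.
# Tokens go across before zone-restore so the restored KASP DB resolves.
sync_zone_and_hsm() {
    knotc zone-backup +backupdir "$BACKUP_DIR"
    rsync -a --delete "$TOKEN_DIR/" "$DEST_HOST:$TOKEN_DIR/"
    rsync -a --delete "$BACKUP_DIR/" "$DEST_HOST:$BACKUP_DIR/"
    ssh "$DEST_HOST" "knotc zone-restore +backupdir '$BACKUP_DIR'"
}
```

`dirs_match` is deliberately content-only: rsync -a keeps permissions, but ownership of the tokens directory is only preserved when rsync runs as root, so check that the knot user on the destination can still read it after the first sync.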
On 11/28/25 16:34, Einar Bjarni Halldórsson wrote:
Hi Daniel,
On 28 Nov 2025, at 15:09, Daniel Salzman via knot-dns-users <knot-dns-users(a)lists.nic.cz> wrote:
Are you able to reproduce the issue with a different key set?
Yes, but always the same kind, RSASHA256 outgoing, ECDSAP256SHA256 incoming.
Starts happening after I run knotc zone-ksk-submitted.
How do you synchronize data in softhsm? Do you simply replace the whole directory?
The script cleans the destination directory, rsyncs the results of knotc zone-backup and runs knotc zone-restore on the destination host.
.einar