OK, what I was doing wrong is that if I specify /tmp/pubkey as the name of the file, keymgr is going to look for the public key in a file named /tmp/pubkey.key. After doing so, I get the following:

# ./keymgr 00.mydomain.com. import-pub /tmp/pubkey
6b20f3002af4526101b2c99a166fe90d019765ba
OK

This ostensibly works - but I see no corresponding entry (or entries) added to the SoftHSM keystore. Where is the key that has just been imported?

On Tue, Nov 9, 2021 at 12:31 PM Luveh Keraph <1.41421@gmail.com> wrote:

I am trying to import a public key generated by BIND into Knot, when using the SoftHSM2 key store. I have the following pieces of information:

In my knot.conf file:

policy:
- id: SoftHSMRSAPolicy
algorithm: RSASHA256
ksk-size: 2048
zsk-size: 2048
ksk-lifetime: 7h
zsk-lifetime: 6h
dnskey-ttl: 12s
zone-max-ttl: 15s
keystore: SoftHSM

zone:
- domain: 00.mydomain.com
storage: /srv/knot
file: db.mydomain00
dnssec-signing: on
dnssec-policy: SoftHSMRSAPolicy

The public key is in a file named pubkey, and has the following contents:

; This is a zone-signing key, keyid 14694, for 00.mydomain.com.
; Created: 20211109192137 (Tue Nov 9 12:21:37 2021)
; Publish: 20211109192137 (Tue Nov 9 12:21:37 2021)
; Activate: 20211109192137 (Tue Nov 9 12:21:37 2021)
00.mydomain.com. IN DNSKEY 256 3 8 AwEAAd1XmDMiF4/WWW+lneSg2hScxQl
TJHU/cIyBnDJDnW3MFkuyR7e+y3UqZScTXz5tfcGkDYGpqFqZ3+RgyN7A3ZAC3RsayivUuE9lec25IT97 jPZaTsHUjalDQjXkBhCIHBb79vVsz0SMZOeez78qzhRtpdkFYVNRcAW4EZVgdQAdiuJGeDEuxsaTkRnLwujnaqURyAzevqfQfjz319CPsYr4tN4K9nu2Fc0Sh+b5pdM6ejRieLnUUgZpuefRfgsSHJQErNe
FevdtihLpq93r E5OARwmK0c4vyzgpmREloMJlwV+lrZdlKqZnnIZIXgkD+59Tjh0XZ72exdvonun4uG8=

(The DNSKEY record is in a single line.)

The command I am using to import this key is

# ./keymgr 00.mydomain.com. import-pub ./pubkey

This spins for a few seconds and then prints out:

Error: file error

Any ideas as to what it is that I am doing wrong?

The command that I am invoking to import this public key is the following: