| 1 | KEY BACKUP |
|---|
| 2 | |
|---|
| 3 | 1. Backup your keys |
|---|
| 4 | 2. ods-ksmutil backup prepare |
|---|
| 5 | ods-ksmutil backup commit |
|---|
| 6 | |
|---|
| 7 | KEY PRE-CREATION |
|---|
| 8 | |
|---|
| 9 | Take a look at the existing keys: |
|---|
| 10 | |
|---|
| 11 | # ods-ksmutil key list -v |
|---|
| 12 | |
|---|
| 13 | Notice the keytypes, the tags |
|---|
| 14 | |
|---|
| 15 | Notice that these keys are stored in the SoftHSM |
|---|
| 16 | |
|---|
| 17 | # ods-hsmutil list |
|---|
| 18 | |
|---|
| 19 | We can let OpenDNSSEC create keys "on the fly", or we can |
|---|
| 20 | prepare some in advance: |
|---|
| 21 | |
|---|
| 22 | # ods-ksmutil key generate --p default --interval PT12H |
|---|
| 23 | |
|---|
| 24 | (this would generate keys for the "default" policy, for the next 12 hours) |
|---|
| 25 | |
|---|
| 26 | Look again at the list of keys in the HSM: |
|---|
| 27 | |
|---|
| 28 | # ods-hsmutil list |
|---|
| 29 | |
|---|
| 30 | ZSK ROLLOVER |
|---|
| 31 | |
|---|
| 32 | # ods-ksmutil key rollover --zone mydomain --keytype ZSK |
|---|
| 33 | |
|---|
| 34 | Now control the list of keys again: |
|---|
| 35 | |
|---|
| 36 | # ods-ksmutil key list -v |
|---|
