My first DNSSEC setups used OpenDNSSEC, but at some point I preferred to migrate to DNSSEC-Tools.

Here's a hack (howto) to migrate the KSK keys to .krf format. The ZSK keys will be generated by the first zonesigner run.

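#!/bin/sh
#
# Migrate one zone's KSK from OpenDNSSEC (SoftHSM) to DNSSEC-Tools.
#
# Steps: export the key from SoftHSM slot 0, convert it to BIND key files,
# flip the DNSKEY flags from 256 to 257, write a <zone>.krf keyrec file that
# references the key as "kskcur", then run zonesigner (which generates the
# ZSKs) and register the zone for rollover and zone checking.
#
# Usage: run from the directory that contains keys/
#   <script> ZONE KEY ALGO
#     ZONE  zone name, without the trailing dot
#     KEY   key id in SoftHSM, passed to `softhsm --export --id`
#     ALGO  algorithm name, passed to softhsm-keyconv and written to the keyrec
#
# Environment:
#   SOFTHSM_PIN  user PIN for slot 0 (script-specific variable; defaults to
#                the PIN used in the original howto)
#
# Security notes:
#   - keys/$ZONE.zsk holds the exported private key in the clear (despite the
#     ".zsk" name it is the KSK). It is created via sudo; review its ownership
#     and permissions and remove it once the BIND key files exist.
#   - The PIN is passed on the command line and is therefore visible in the
#     process list while softhsm runs. Do not keep the default PIN.
#   - The /cb/ns.df7cb.de paths, the mail address and the timestamps below are
#     the author's site-specific values; adjust them for your setup.

set -eu

die() {
  printf '%s\n' "$*" >&2
  exit 1
}

[ "$#" -eq 3 ] || die "Usage: ${0##*/} ZONE KEY ALGO"

ZONE="$1"
KEY="$2"
ALGO="$3"
PIN="${SOFTHSM_PIN:-1234}"

# ZONE and ALGO are used in file names and written verbatim into quoted
# keyrec fields, so refuse anything that could escape either context.
case "$ZONE" in
  '' | -* | .* | *[!A-Za-z0-9._-]*) die "invalid zone name: $ZONE" ;;
esac
case "$ALGO" in
  '' | -* | *[!A-Za-z0-9_-]*) die "invalid algorithm name: $ALGO" ;;
esac
[ -n "$KEY" ] || die "empty key id"

# Without this check a missing keys/ directory would let the later `cd ..`
# move out of the zone directory and write the keyrec in the wrong place.
cd keys || die "cannot cd to keys/"

sudo softhsm --export "$ZONE.zsk" --slot 0 --pin "$PIN" --id "$KEY"
softhsm-keyconv --tobind --in "$ZONE.zsk" --name "$ZONE." --algorithm "$ALGO"

# Expand the glob directly instead of parsing ls, and insist on exactly one
# match: leftover key files would otherwise end up as a multi-line value in
# the keyrec. The positional parameters were already copied above.
set -- "K$ZONE"*key
if [ "$#" -ne 1 ] || [ ! -f "$1" ]; then
  die "expected exactly one K$ZONE*key file in keys/, found: $*"
fi
BINDKEY=$1

# Turn the key into a KSK by setting the flags field to 257. Anchor on the
# DNSKEY record type so a "256" inside the owner name is left alone, then
# confirm that the edit took effect.
sed -i -e 's/\(DNSKEY[[:space:]][[:space:]]*\)256\([[:space:]]\)/\1257\2/' "$BINDKEY"
grep -q 'DNSKEY[[:space:]][[:space:]]*257[[:space:]]' "$BINDKEY" \
  || die "DNSKEY flags in $BINDKEY were not changed to 257"
BASEKEY=${BINDKEY%.key}

cd ..

cat > "$ZONE.krf" <<EOF
zone    "$ZONE"
    serial      "2011112202"
    kskcur      "$ZONE-signset-00001"
    signedzone  "$ZONE.signed"
    kskcount    "1"
    archivedir  "/var/lib/dnssec-tools/archive"
    kskdirectory    "/cb/ns.df7cb.de/keys"
    zskdirectory    "/cb/ns.df7cb.de/keys"
    endtime     "+2592000"
    lastset     "$ZONE-signset-00004"
    zonefile    "$ZONE"
    keyrec_type "zone"
    keyrec_signsecs "1321964086"
    keyrec_signdate "Tue Nov 22 12:14:46 2011"

set "$ZONE-signset-00001"
    keys        "$BASEKEY"
    set_type    "kskcur"
    zonename    "$ZONE"
    keyrec_setsecs  "1321961247"
    keyrec_setdate  "Tue Nov 22 11:27:27 2011"

key "$BASEKEY"
    zonename    "$ZONE"
    keyrec_type "kskcur"
    algorithm   "$ALGO"
    random      "/dev/urandom"
    keypath     "/cb/ns.df7cb.de/keys/$BINDKEY"
    ksklength   "2048"
    ksklife     "15552000"
    revperiod   "3888000"
    keyrec_gensecs  "1321961248"
    keyrec_gendate  "Tue Nov 22 11:27:28 2011"

EOF

zonesigner -keydirectory keys -usensec3 -genzsk -verbose "$ZONE"

rollinit "$ZONE" >> all.rollrec

printf '%s\n' "/cb/ns.df7cb.de/$ZONE.signed $ZONE cb@df7cb.de" >> checkzones.txt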

(The filenames at the end are those used by http://www.incertum.net/archives/11-DNSSEC-mit-Debiansqueeze-dnssec-tools,-bind9.html)