[Opendnssec-develop] OpenDNSSEC and Backups
Stephen.Morris at nominet.org.uk
Thu Apr 30 12:09:15 UTC 2009
Whilst going through the requirements, a couple of issues concerning
backups of the OpenDNSSEC system occurred to me:
1. Backing up DNSSEC key information
As presently envisaged, DNSSEC keys are created on demand. There is a
(configurable) interval after creation during which the keys are not used
and a backup is assumed to take place. After that, the keys are available
for use.
It seems to me that the flaw here is that backups are only assumed to take
place - the system does not know that they actually have been done. If
some problem causes the backup to fail, the system could end up in a
position where a public key is being used but there is only a single copy
of the private key. A failure of the hardware at that point could be
catastrophic.
It would be safer to require a positive action on behalf of the user to
confirm that a backup has been taken before the system uses those keys.
The sort of thing I have in mind is adding a command to ksm that will
record the time of the latest backup. Only keys whose creation time (the
"generate" time) is earlier than this are available for use. It is up to
the operator how this is used, e.g. embedding it in the backup script or
running a job after their backup has finished.
2. Integrity of Key Information
When backing up the files on disk, how do we guarantee that we have a
coherent copy of the file if the OpenDNSSEC software is running at the
time? Since the OpenDNSSEC software is run as daemon processes triggered
by timers, is there a chance that one or more of the files (including the
key store for hardware HSMs) could be being written by OpenDNSSEC at the
time it is backed up?
Thoughts?
Stephen
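The backup gate proposed in point 1, combined with a coherent-copy answer to point 2, as an added example. This is not code from the original post or from OpenDNSSEC's ksm: the schema, table names and function names are hypothetical, SQLite stands in for the ksm key database, and the snapshot uses Python's `sqlite3.Connection.backup` (the SQLite online backup API, Python 3.7+), which copies pages under a read lock rather than copying raw file bytes. It does not cover the HSM's own key store.

```python
"""Added example (not OpenDNSSEC code): a backup gate for DNSSEC key records.

Hypothetical schema and names.  Two ideas from the message:
  * a key is usable only if its generate time is strictly earlier than the
    latest backup time the operator recorded;
  * that time is recorded only after a coherent snapshot succeeded, so the
    database never claims a backup it does not actually have.
"""
import sqlite3

SCHEMA = """
CREATE TABLE IF NOT EXISTS keys (
    keytag   INTEGER PRIMARY KEY,
    generate INTEGER NOT NULL     -- creation time, unix seconds
);
CREATE TABLE IF NOT EXISTS backups (
    taken    INTEGER NOT NULL     -- time the operator confirmed a backup
);
"""


def open_store(path=":memory:"):
    """Open (or create) a key store; ':memory:' keeps the example offline."""
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def generate_key(conn, keytag, now):
    """Create a key record on demand.  It is NOT usable until a later backup."""
    conn.execute("INSERT INTO keys (keytag, generate) VALUES (?, ?)", (keytag, now))
    conn.commit()


def last_backup(conn):
    """Latest backup time recorded by the operator, or None if never."""
    return conn.execute("SELECT MAX(taken) FROM backups").fetchone()[0]


def usable_keys(conn):
    """Keys the signer may use: generated strictly before the last backup."""
    ts = last_backup(conn)
    if ts is None:
        return []
    rows = conn.execute(
        "SELECT keytag FROM keys WHERE generate < ? ORDER BY keytag", (ts,))
    return [r[0] for r in rows]


def unbacked_keys(conn):
    """Keys with no recorded backup covering them: the single-copy risk."""
    ts = last_backup(conn)
    if ts is None:
        ts = 0                      # nothing backed up yet: every key is at risk
    rows = conn.execute(
        "SELECT keytag FROM keys WHERE generate >= ? ORDER BY keytag", (ts,))
    return [r[0] for r in rows]


def snapshot_and_record_backup(conn, dest, now):
    """The proposed 'backup done' command, with the snapshot folded in.

    1. Copy the live database into `dest` with SQLite's online backup API.
       Pages are copied under a read lock, so the copy is a point-in-time
       image even if a signer daemon commits while this runs; copying the
       raw file with cp or tar gives no such guarantee.
    2. Only if step 1 returned without error, record `now` as the latest
       backup.  A failed backup therefore leaves the gate closed.
    """
    conn.backup(dest)               # raises on any failure; nothing recorded then
    conn.execute("INSERT INTO backups (taken) VALUES (?)", (now,))
    conn.commit()
    return now


def key_count(conn):
    """Rows in `keys`; used to check what a snapshot captured."""
    return conn.execute("SELECT COUNT(*) FROM keys").fetchone()[0]


if __name__ == "__main__":
    store = open_store()
    generate_key(store, 10001, 1000)        # created before the backup
    copy = open_store()                     # stands in for the backup target
    snapshot_and_record_backup(store, copy, 2000)
    generate_key(store, 10002, 3000)        # created after: not yet usable
    print("usable:", usable_keys(store), "waiting:", unbacked_keys(store))
    print("snapshot holds", key_count(copy), "key(s)")
```

The gate is deliberately strict (generate time must be earlier than, not equal to, the backup time) so a key created in the same second as the backup is not assumed to be in it. In practice the operator would run the record step from the end of the backup script, after the snapshot has been verified and copied off-host.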