[Opendnssec-develop] OpenDNSSEC and Backups

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Thu Apr 30 12:09:15 UTC 2009

Whilst going through the requirements, a couple of issues concerning 
backups of the OpenDNSSEC system occurred to me:

1. Backing up DNSSEC key information
As presently envisaged, DNSSEC keys are created on demand.  There is a 
(configurable) interval after creation during which the keys are not used 
and a backup is assumed to take place.  After that, the keys are available 
for use.

It seems to me that the flaw here is that backups are only assumed to take 
place - the system does not know that they actually have been done. If 
some problem causes the backup to fail, the system could end up in a 
position where a public key is being used but there is only a single copy 
of the private key.  A failure of the hardware at that point could be 

It would be safer to require a positive action on behalf of the user to 
confirm that a backup has been taken before the system uses those keys. 
The sort of thing I have in mind is adding a command to ksm that will 
record the time of the latest backup.  Only keys whose creation time (the 
"generate" time) is earlier than this are available for use.  It is up to 
the operator how this is used, e.g. embedding it in the backup script or 
running a job after their backup has finished.

2. Integrity of Key Information
When backing up the files on disk, how do we guarantee that we have a 
coherent copy of the file if the OpenDNSSEC software is running at the 
time?  Since the OpenDNSSEC software is run as daemon processes triggered 
by timers, is there a chance that one or more of the files (including the 
key store for hardware HSMs) could be being written by OpenDNSSEC at the 
time it is backed up?



More information about the Opendnssec-develop mailing list