[Opendnssec-develop] OpenDNSSEC and Backups

John Dickinson jad at jadickinson.co.uk
Thu Apr 30 12:30:27 UTC 2009


On 30 Apr 2009, at 13:09, Stephen.Morris at nominet.org.uk wrote:

> Whilst going through the requirements, a couple of issues concerning
> backups of the OpenDNSSEC system occurred to me:
>
>
> 1. Backing up DNSSEC key information
> As presently envisaged, DNSSEC keys are created on demand. There is a
> (configurable) interval after creation during which the keys are not
> used and a backup is assumed to take place. After that, the keys are
> available for use.
>
> It seems to me that the flaw here is that backups are only assumed to
> take place - the system does not know that they actually have been
> done. If some problem causes the backup to fail, the system could end
> up in a position where a public key is being used but there is only a
> single copy of the private key. A failure of the hardware at that
> point could be catastrophic.
>
> It would be safer to require a positive action on behalf of the user
> to confirm that a backup has been taken before the system uses those
> keys. The sort of thing I have in mind is adding a command to ksm that
> will record the time of the latest backup. Only keys whose creation
> time (the "generate" time) is earlier than this are available for use.
> It is up to the operator how this is used, e.g. embedding it in the
> backup script or running a job after their backup has finished.

Sounds good

>
>
> 2. Integrity of Key Information
> When backing up the files on disk, how do we guarantee that we have a
> coherent copy of the file if the OpenDNSSEC software is running at the
> time? Since the OpenDNSSEC software is run as daemon processes
> triggered by timers, is there a chance that one or more of the files
> (including the key store for hardware HSMs) could be being written by
> OpenDNSSEC at the time it is backed up?
>

What do we actually need to back up? I hope, but need to think about
it, that we just need to back up the database. We should be able to
get a consistent view of that. The backup interval above should cover
the keystore.

If we lost the machine, would recovering the DB and running the
communicator be sufficient to get the signer going again without
risking going insecure?

John


>
> Thoughts?
>
>
> Stephen
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

---
John Dickinson
http://www.jadickinson.co.uk

I am riding from Land's End to John O'Groats to raise money for
Parkinson's Disease Research. Please sponsor me here http://justgiving.com/pedalforparkinsons2009
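The backup-gated key availability Stephen proposes in point 1, modelled as an added example; this is not OpenDNSSEC or ksm code, and the `KeyStore`/`KeyRecord` names and in-memory store are assumptions standing in for the ksm database:

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass
class KeyRecord:
    key_id: str
    generated: datetime  # the key's "generate" time


@dataclass
class KeyStore:
    """Toy stand-in for the ksm database (an assumption, not the real schema)."""
    keys: List[KeyRecord] = field(default_factory=list)
    last_backup: Optional[datetime] = None  # set only via record_backup()

    def generate(self, key_id: str, now: datetime) -> KeyRecord:
        rec = KeyRecord(key_id, now)
        self.keys.append(rec)
        return rec

    def record_backup(self, when: datetime) -> None:
        """The proposed ksm command: called by the operator or the backup
        script once a backup has actually finished. An older timestamp
        never rolls the recorded time back."""
        if self.last_backup is None or when > self.last_backup:
            self.last_backup = when

    def usable_keys(self) -> List[KeyRecord]:
        """Keys the signer may use: generated strictly before the latest
        confirmed backup. With no backup recorded nothing is usable, so a
        silently failed backup cannot put a single-copy private key into use."""
        if self.last_backup is None:
            return []
        return [k for k in self.keys if k.generated < self.last_backup]


def scenario() -> List[str]:
    """Constructed run: two keys generated, one backup confirmed between them."""
    store = KeyStore()
    t0 = datetime(2009, 4, 30, 12, 0)
    store.generate("ksk-1", t0)
    store.generate("zsk-1", t0 + timedelta(minutes=5))
    assert store.usable_keys() == []  # interval elapsed, but no backup confirmed
    store.record_backup(t0 + timedelta(minutes=3))
    store.record_backup(t0 - timedelta(days=1))  # stale timestamp is ignored
    return [k.key_id for k in store.usable_keys()]
```

Only `ksk-1` becomes usable: `zsk-1` was generated after the last confirmed backup and stays held back until the next `record_backup` call.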
