[Opendnssec-develop] OpenDNSSEC and Backups

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Thu Apr 30 14:46:58 UTC 2009

John Dickinson <jadsab at googlemail.com> wrote on 30/04/2009 13:30:27:

> > 2. Integrity of Key Information
> > When backing up the files on disk, how do we guarantee that we have a
> > coherent copy of the file if the OpenDNSSEC software is running at the
> > time?  Since the OpenDNSSEC software is run as daemon processes 
> > triggered
> > by timers, is there a chance that one or more of the files 
> > (including the
> > key store for hardware HSMs) could be being written by OpenDNSSEC at 
> > the
> > time it is backed up?
> >
> What do we actually need to back up? I hope, but need to think about 
> it, that we just need to back up the database. We should be able to 
> get a consistent view of that. The backup interval above should cover 
> the keystore.

I think that we would need to backup the contents of the database, the key 
stores and, while we are at it, all configuration files.

My question was really about the contents of the HSMs though; for example, 
the SCA6000 stores its keys in an encrypted file on disk.  As we have no 
control over how HSMs operate, the possibility exists that backing them up 
while they are being used could lead to the backup being inconsistent. 
Admittedly, this possibility is small and perhaps would only occur if the 
keys were being generated (and the file being written to) when the backup 
took place.  Nevertheless, it could exist and might lead to a backup that 
could not be recovered.

One solution would be for OpenDNSSEC itself to make a consistent copy of 
the data and for the end user to back up that copy.  An advantage of such 
a scheme would be that if KASP were using a database such as MySql or 
Oracle, KASP could export the data to one or more files, and the operator 
would only have to worry about backup up those files; they would not have 
to be concerned with backing up a database whilst it is running.

However, this only complicates the software and perhaps the risk is not 
worth worrying about?

> If we lost the machine would recovering the DB and running the 
> communicator be sufficient to get the signer going again without 
> risking going insecure?

I think so, although you would need to recover the keystore as well.


More information about the Opendnssec-develop mailing list