[Opendnssec-develop] OpenDNSSEC and Backups

John Dickinson jad at jadickinson.co.uk
Thu Apr 30 15:05:40 UTC 2009


On 30 Apr 2009, at 15:46, Stephen.Morris at nominet.org.uk wrote:

> John Dickinson <jadsab at googlemail.com> wrote on 30/04/2009 13:30:27:
>
>>> 2. Integrity of Key Information
>>> When backing up the files on disk, how do we guarantee that we have a
>>> coherent copy of the file if the OpenDNSSEC software is running at the
>>> time? Since the OpenDNSSEC software is run as daemon processes triggered
>>> by timers, is there a chance that one or more of the files (including the
>>> key store for hardware HSMs) could be being written by OpenDNSSEC at the
>>> time it is backed up?
>>>
>>
>> What do we actually need to back up? I hope, but need to think about
>> it, that we just need to back up the database. We should be able to
>> get a consistent view of that. The backup interval above should cover
>> the keystore.
>
> I think that we would need to back up the contents of the database, the key
> stores and, while we are at it, all configuration files.
>
> My question was really about the contents of the HSMs though; for example,
> the SCA6000 stores its keys in an encrypted file on disk. As we have no
> control over how HSMs operate, the possibility exists that backing them up
> while they are being used could lead to the backup being inconsistent.

Backing up the HSM should be done according to the HSM manufacturer's
specified method. Having the ability to make consistent backups should
be a feature of the HSM. In the case of a SCA6000 see http://docs.sun.com/source/820-4144-11/3_admin.html#50552899_pgfId-1009280

> Admittedly, this possibility is small and perhaps would only occur if the
> keys were being generated (and the file being written to) when the backup
> took place. Nevertheless, it could exist and might lead to a backup that
> could not be recovered.
>
> One solution would be for OpenDNSSEC itself to make a consistent copy of
> the data and for the end user to back up that copy.

OpenDNSSEC cannot get the private keys.

> An advantage of such a scheme would be that if KASP were using a database
> such as MySQL or Oracle, KASP could export the data to one or more files,
> and the operator would only have to worry about backing up those files;
> they would not have to be concerned with backing up a database whilst it
> is running.
>
> However, this only complicates the software and perhaps the risk is not
> worth worrying about?
>
>
>> If we lost the machine would recovering the DB and running the
>> communicator be sufficient to get the signer going again without
>> risking going insecure?
>
> I think so, although you would need to recover the keystore as well.

Yes.

John

---
John Dickinson
http://www.jadickinson.co.uk

I am riding from Lands end to John O'Groats to raise money for  
Parkinson's Disease Research. Please sponsor me here http://justgiving.com/pedalforparkinsons2009
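To make the "consistent view of the database" discussed above concrete, here is an added example that is not OpenDNSSEC code and not from either poster. It assumes an SQLite KASP database with a made-up two-table schema (zones, keypairs holding only HSM key identifiers), the file names kasp.db, conf.xml and kasp.xml, and a flat backup directory; all of that is invented for illustration. It snapshots the database through SQLite's online backup API while a second connection holds an uncommitted write (a stand-in for the enforcer generating a key during the backup window), copies the configuration files next to the snapshot, and writes a SHA-256 manifest that a restore can verify. It deliberately does nothing with the HSM: the database only references keys, and the key material is backed up by the HSM vendor's own procedure.

```python
"""Consistent backup of an SQLite KASP database while a daemon is writing to it."""
import hashlib
import shutil
import sqlite3
import tempfile
from pathlib import Path


def make_sample_kasp_db(path: Path) -> None:
    """Constructed stand-in for the KASP database; the schema is assumed, not OpenDNSSEC's."""
    con = sqlite3.connect(path)
    con.executescript(
        "CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT NOT NULL);"
        "CREATE TABLE keypairs (id INTEGER PRIMARY KEY, zone_id INTEGER NOT NULL,"
        "  hsm_key_id TEXT NOT NULL, state TEXT NOT NULL);"
        "INSERT INTO zones VALUES (1, 'example.com.');"
        "INSERT INTO keypairs VALUES (1, 1, 'ksk-0001', 'active');"
        "INSERT INTO keypairs VALUES (2, 1, 'zsk-0001', 'active');"
    )
    con.commit()
    con.close()


def snapshot_database(src_path: Path, dst_path: Path) -> str:
    """Copy the live database with the SQLite online backup API and return its integrity_check result.

    A plain file copy of a database that a daemon is writing can capture a half-written
    page set.  The backup API takes a read lock on the source and copies one committed
    state, so anything the daemon has not yet committed is simply absent from the copy.
    """
    src = sqlite3.connect(src_path, timeout=30)
    dst = sqlite3.connect(dst_path)
    src.backup(dst)  # pages=-1 by default: the whole file in one step, one consistent view
    src.close()
    result = dst.execute("PRAGMA integrity_check").fetchone()[0]
    dst.close()
    return result


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_opendnssec(kasp_db: Path, config_files: list, backup_dir: Path) -> dict:
    """Snapshot the database, copy the config files beside it, write a digest manifest.

    Private keys are not part of this set on purpose: the database holds only HSM key
    identifiers, and the key material stays in the HSM, backed up the vendor's way.
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    db_copy = backup_dir / kasp_db.name
    integrity = snapshot_database(kasp_db, db_copy)
    if integrity != "ok":
        raise RuntimeError(f"backup copy failed integrity_check: {integrity}")
    copied = [db_copy] + [Path(shutil.copy2(c, backup_dir / c.name)) for c in config_files]
    manifest = {p.name: sha256_file(p) for p in copied}
    with open(backup_dir / "MANIFEST.sha256", "w") as f:
        for name, digest in sorted(manifest.items()):
            f.write(f"{digest}  {name}\n")
    return manifest


def verify_backup(backup_dir: Path) -> bool:
    """Recompute every digest in the manifest; False if any file is missing or altered."""
    with open(backup_dir / "MANIFEST.sha256") as f:
        for line in f:
            digest, name = line.rstrip("\n").split("  ", 1)
            target = backup_dir / name
            if not target.is_file() or sha256_file(target) != digest:
                return False
    return True


def count_keypairs(db_path: Path) -> int:
    con = sqlite3.connect(db_path)
    n = con.execute("SELECT COUNT(*) FROM keypairs").fetchone()[0]
    con.close()
    return n


def demo() -> dict:
    """Back up while a second connection holds an uncommitted key-generation row."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        kasp_db = root / "kasp.db"
        make_sample_kasp_db(kasp_db)
        configs = [root / "conf.xml", root / "kasp.xml"]
        for cfg in configs:  # constructed placeholder configuration files
            cfg.write_text(f"<!-- constructed {cfg.name} -->\n")

        writer = sqlite3.connect(kasp_db)  # the daemon, mid-transaction, when the backup runs
        writer.execute("INSERT INTO keypairs VALUES (3, 1, 'zsk-0002', 'generate')")

        backup_dir = root / "backup"
        manifest = backup_opendnssec(kasp_db, configs, backup_dir)
        backup_rows = count_keypairs(backup_dir / "kasp.db")  # sees only committed rows
        verified = verify_backup(backup_dir)

        writer.commit()  # the daemon finishes its write after the snapshot was taken
        writer.close()
        return {
            "backup_keypairs": backup_rows,
            "live_keypairs": count_keypairs(kasp_db),
            "manifest_verified": verified,
            "manifest_files": sorted(manifest),
        }
```

Run with `python3 -c 'import backup_kasp; print(backup_kasp.demo())'` (any module name will do): the snapshot contains the two committed key rows while the live database ends with three, and the manifest verifies. A restore is then the reverse: copy the files back, check the manifest, and recover the HSM contents separately with the vendor's procedure before starting the signer.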





