[Opendnssec-develop] OpenDNSSEC and Backups
Stephen.Morris at nominet.org.uk
Thu Apr 30 17:07:23 UTC 2009
John Dickinson <jadsab at googlemail.com> wrote on 30/04/2009 16:05:40:
> :
> Backing up the HSM should be done according to the HSM manufacturer's
> specified method. Having the ability to make consistent backups should
> be a feature of the HSM. In the case of a SCA6000 see
> http://docs.sun.com/source/820-4144-11/3_admin.html#50552899_pgfId-1009280
This is seeming to argue for OpenDNSSEC making a copy of the data (if
possible) and backing that up. Otherwise in the worst case backup could
require logging into an HSM and exporting the data, backing up the KASP
database according to the appropriate instructions, and copying the
configuration files.
>
> > Admittedly, this possibility is small and perhaps would only occur if the
> > keys were being generated (and the file being written to) when the backup
> > took place. Nevertheless, it could exist and might lead to a backup that
> > could not be recovered.
> >
> > One solution would be for OpenDNSSEC itself to make a consistent copy of
> > the data and for the end user to back up that copy.
>
> OpenDNSSEC can not get the private keys.
Accepted. What I was meaning was being able to take a copy of the HSM
data (stored as an encrypted file on disk), sure in the knowledge that the
file is not being accessed and is therefore consistent.
Stephen