[Opendnssec-develop] OpenDNSSEC and Backups

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Thu Apr 30 17:07:23 UTC 2009

John Dickinson <jadsab at googlemail.com> wrote on 30/04/2009 16:05:40:

> :
> Backing up the HSM should be done according to the HSM manufacturers 
> specified method. Having the ability to make consistent backups should 
> be a feature of the HSM. In the case of a SCA6000 see http://
> docs.sun.com/source/820-4144-11/3_admin.html#50552899_pgfId-1009280

This is seeming to argue for OpenDNSSEC making a copy of the data (if 
possible) and backing that up.  Otherwise in the worse case backup could 
require logging into an HSM and exporting the data, backing up the KASP 
database according to the appropriate instructions, and copying the 
configuration files.

> > Admittedly, this possibility is small and perhaps would only occur 
> > if the
> > keys were being generated (and the file being written to) when the 
> > backup
> > took place.  Nevertheless, it could exist and might lead to a backup 
> > that
> > could not be recovered.
> >
> > One solution would be for OpenDNSSEC itself to make a consistent 
> > copy of
> > the data and for the end user to back up that copy.
> OpenDNSSEC can not get the private keys.

Accepted.  What I was meaning was being able to take a copy of the HSM 
data (stored as a encrypted file on disk), sure in the knowledge that the 
file is not being accessed and is therefore consistent.


More information about the Opendnssec-develop mailing list