[Opendnssec-develop] Key (HSM) backup

sion at nominet.org.uk
Wed Aug 12 08:38:02 UTC 2009


Morning,

We have a requirement that we do not use keys until they are backed up
(this is currently not implemented). To deal with this we have the concept
of a "backup delay" in conf.xml; in theory the time that might pass before
a key can be considered to be backed up.

This has a number of issues, so I have a task to add a "backup done" call
to ksmutil which can be called as part of any backup routine.

My question is, does this remove the need for the backup delay parameter?
Or do we want a system where a key is considered to be backed up either if
that period of time has passed, or if we have been explicitly told that the
backup has happened?

My preference is to remove the "backup delay" and force use of "ksmutil
backup done".

Sion

P.S. If a key has not been backed up, is it still okay to prepublish it? I
was only going to stop it from becoming active; please tell me if this is
wrong.



