[Opendnssec-develop] Key (HSM) backup
John Dickinson
jad at jadickinson.co.uk
Fri Aug 14 08:59:55 UTC 2009
On 14 Aug 2009, at 08:48, sion at nominet.org.uk wrote:
>> Do we also want to have a backup-hook? So OpenDNSSEC can run a
>> command when a backup should be done according to the system.
>>
>> Maybe the user wants a backup script to be run.
>
> Maybe we should write an example script which would back up the
> softHSM and then call ksmutil; just to show the process?
>
The process will be completely different for every HSM. Usually (I
expect) it will be totally out of band and a script will be able to do
nothing.
IMHO a syslog message that can be parsed by a monitoring system like
nagios is all we should do. If we want OpenDNSSEC to be more
"pro-active" then send an SNMP trap. (If we want to future-proof it then
NETCONF it :) ).
We could also write a net-snmp agent extension or nagios plugin to do
the monitoring if so desired.
We should not develop a whole notification system with emails/pages
being sent out. That is a problem already solved by
snmp/netconf/nagios etc.
John
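
Added example, not part of the original message and not OpenDNSSEC code: a sketch of the Nagios-style check over syslog proposed above, returning the standard Nagios plugin exit codes. The `opendnssec` log tag, the two message wordings, the ISO 8601 timestamps with a UTC offset and the 24-hour critical threshold are all assumptions; the thread does not define any of them.

```python
import re
from datetime import datetime, timedelta, timezone

OK, WARNING, CRITICAL, UNKNOWN = 0, 1, 2, 3  # standard Nagios plugin exit codes

# Assumed log shape: ISO 8601 timestamp, host, tag[pid]: message.
LINE_RE = re.compile(r"^(\S+) \S+ opendnssec(?:\[\d+\])?: (.*)$")
REQUIRED = "key backup required"    # hypothetical wording
CONFIRMED = "key backup confirmed"  # hypothetical wording

def check_backup(lines, now, crit_after=timedelta(hours=24)):
    """Return (nagios_status, text) for the backup state found in the log lines."""
    pending_since, seen = None, False
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # some other daemon's line
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # unparseable timestamp
        if ts.tzinfo is None:
            continue  # cannot compare against an aware "now"
        seen = True
        msg = m.group(2).lower()
        if REQUIRED in msg and pending_since is None:
            pending_since = ts      # oldest request not yet confirmed
        elif CONFIRMED in msg:
            pending_since = None    # operator confirmed the out-of-band backup
    if not seen:
        # Silence is not the same as "nothing to do": the log feed may be broken.
        return UNKNOWN, "UNKNOWN - no opendnssec lines in log"
    if pending_since is None:
        return OK, "OK - no key backup outstanding"
    age = now - pending_since
    if age >= crit_after:
        return CRITICAL, f"CRITICAL - key backup outstanding for {age}"
    return WARNING, f"WARNING - key backup outstanding for {age}"

# Constructed sample log, not real OpenDNSSEC output.
SAMPLE = [
    "2009-08-13T02:00:00+00:00 signer1 opendnssec[812]: key backup required: 2 new keys",
    "2009-08-13T09:30:00+00:00 signer1 opendnssec[812]: key backup confirmed",
    "2009-08-14T02:00:00+00:00 signer1 opendnssec[812]: key backup required: 1 new key",
    "2009-08-14T02:00:05+00:00 signer1 cron[90]: unrelated line",
]

if __name__ == "__main__":
    print(check_backup(SAMPLE, datetime(2009, 8, 14, 9, 0, tzinfo=timezone.utc)))
```

The check only reports state; the backup itself stays out of band, and a real plugin would pass the returned status to `sys.exit()`.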