[Opendnssec-develop] Key (HSM) backup

John Dickinson jad at jadickinson.co.uk
Fri Aug 14 08:59:55 UTC 2009

On 14 Aug 2009, at 08:48, sion at nominet.org.uk wrote:

>> Do we also want to have a backup-hook? So OpenDNSSEC can run a
>> command when a backup should be done according to the system.
>> Maybe the user wants a backup script to be run.
> Maybe we should write an example script which would backup the  
> softHSM and
> then call ksmutil; just to show the process?
The process will be completely different for every HSM. Usually (I  
expect) it will be totally out of band and a script will be able to do  

IMHO a syslog message that can be parsed by a monitoring system like  
nagios is all we should do. If we want OpenDNSSEC to be more  "pro- 
active" then send a SNMP trap. (If we want to future proof it then  
NETCONF it :) ).

We could also write a net-snmp agent extension or nagios plugin to do  
the monitoring if so desired.

We should not develop a whole notification system with emails/pages  
being sent out. That is a problem already solved by snmp/netconf/ 
nagios etc.


More information about the Opendnssec-develop mailing list