[Opendnssec-develop] OpenDNSSEC and Backups

Stephen.Morris at nominet.org.uk
Fri May 1 10:16:48 UTC 2009


John Dickinson <jadsab at googlemail.com> wrote on 01/05/2009 09:33:20:

> On 30 Apr 2009, at 18:07, Stephen.Morris at nominet.org.uk wrote:
> 
> > John Dickinson <jadsab at googlemail.com> wrote on 30/04/2009 16:05:40:
> >
> >> :
> >> Backing up the HSM should be done according to the HSM manufacturer's
> >> specified method. Having the ability to make consistent backups should
> >> be a feature of the HSM. In the case of a SCA6000 see
> >> http://docs.sun.com/source/820-4144-11/3_admin.html#50552899_pgfId-1009280
> >
> > This is seeming to argue for OpenDNSSEC making a copy of the data (if
> > possible) and backing that up.  Otherwise in the worst case backup could
> > require logging into an HSM and exporting the data, backing up the KASP
> > database according to the appropriate instructions, and copying the
> > configuration files.
> 
> Sorry, I don't understand. What if the HSM doesn't store its keys in a
> file on disk but has some completely out of band backup system? This
> is a process issue that should not be solved by OpenDNSSEC.

In that case, you would need to follow the HSM backup instructions.

Maybe it is not part of the remit of OpenDNSSEC.  But we're writing the 
software to make it easier to operate signed zones: as backing up the data 
is an essential part of operations, I think we should try to make getting 
a consistent backup as easy as possible as well.

Stephen


