[Opendnssec-develop] Re: [OpenDNSSEC] #88: Race condition in key backup?

OpenDNSSEC owner-dnssec-trac at kirei.se
Thu Jan 28 11:38:03 UTC 2010


#88: Race condition in key backup?
--------------------+-------------------------------------------------------
Reporter:  vanrein  |       Owner:  sion    
    Type:  defect   |      Status:  new     
Priority:  major    |   Component:  Enforcer
 Version:           |    Keywords:          
--------------------+-------------------------------------------------------

Old description:

> If I read the documentation correctly, there is a race condition in the
> manual key backup procedure.
>
> While I am doing a backup, keys may still be generated automatically by
> OpenDNSSEC.  This makes it difficult to decide when I should submit the
> "ods-ksmutil backup done" command?
>
> If I submit the command before making the backup, I would initiate the
> use of keys that haven't been backed up yet.  But if I submit the command
> after making the backup, I could have missed backing up a key that just
> got created, and again, cause it to be used before it is backed up.
>
> I don't know if/how the key generation can be stopped during the backup
> procedure.  Also, using "ksmutil backup list" does not reveal the number
> of keys standing by for backup so I could verify that none got added, nor
> does "ksmutil backup done" tell me how many keys have been marked fit-
> for-use, let alone that it would have me constrain how many it could mark
> fit-for-use.
>
> Ideally, backups would be a 2-phase procedure, but a work-around could be
> anything that ensures that no keys were generated since the backup
> started.  Is there a way we can document how to avoid this race condition
> by following a (slightly more complicated) procedure, so DNS
> administrators can be absolutely certain that all the keys in use have
> been backed up if <RequireBackup/> is used?

New description:



--

Comment(by vanrein):

 We talked about this problem; it would be possible to backup keys with
 OpenDNSSEC down, or at least the KASP Enforcer.

 Sion, just to be sure: Is it always OK to run "ksmutil backup done" with
 OpenDNSSEC down (or at least the KASP Enforcer)?

-- 
Ticket URL: <http://trac.opendnssec.org/ticket/88#comment:2>
OpenDNSSEC <http://www.opendnssec.org/>
OpenDNSSEC


More information about the Opendnssec-develop mailing list