[Opendnssec-develop] Re: [OpenDNSSEC] #88: Race condition in key backup?
OpenDNSSEC
owner-dnssec-trac at kirei.se
Thu Jan 28 11:38:03 UTC 2010
#88: Race condition in key backup?
--------------------+-------------------------------------------------------
Reporter: vanrein | Owner: sion
Type: defect | Status: new
Priority: major | Component: Enforcer
Version: | Keywords:
--------------------+-------------------------------------------------------
Old description:
> If I read the documentation correctly, there is a race condition in the
> manual key backup procedure.
>
> While I am doing a backup, keys may still be generated automatically by
> OpenDNSSEC. This makes it difficult to decide when I should submit the
> "ods-ksmutil backup done" command?
>
> If I submit the command before making the backup, I would initiate the
> use of keys that haven't been backed up yet. But if I submit the command
> after making the backup, I could have missed backing up a key that just
> got created, and again, cause it to be used before it is backed up.
>
> I don't know if/how the key generation can be stopped during the backup
> procedure. Also, using "ksmutil backup list" does not reveal the number
> of keys standing by for backup so I could verify that none got added, nor
> does "ksmutil backup done" tell me how many keys have been marked fit-
> for-use, let alone that it would have me constrain how many it could mark
> fit-for-use.
>
> Ideally, backups would be a 2-phase procedure, but a work-around could be
> anything that ensures that no keys were generated since the backup
> started. Is there a way we can document how to avoid this race condition
> by following a (slightly more complicated) procedure, so DNS
> administrators can be absolutely certain that all the keys in use have
> been backed up if <RequireBackup/> is used?
New description:
--
Comment(by vanrein):
We talked about this problem; it would be possible to backup keys with
OpenDNSSEC down, or at least the KASP Enforcer.
Sion, just to be sure: Is it always OK to run "ksmutil backup done" with
OpenDNSSEC down (or at least the KASP Enforcer)?
--
Ticket URL: <http://trac.opendnssec.org/ticket/88#comment:2>
OpenDNSSEC <http://www.opendnssec.org/>
OpenDNSSEC
More information about the Opendnssec-develop
mailing list