[Opendnssec-develop] backup race condition

Rick van Rein rick at openfortress.nl
Thu Jan 28 14:17:19 UTC 2010


Hello Sion,

> Shall I create a story in pivotal for this? (Otherwise it may well get
> forgotten.)

Good idea, yeah, thanks!

> Should a "backup start" command time out after a while? Or should there be
> some other protection against forgetting to run "backup done"?

Thinking out aloud:

The current "backup done" moves keys from a state "just generated" to
"ready for use" -- I imagine you'd split this into two transitions with
an intermediate state: "backup start" moves keys from "just generated"
to "standing by for backup" and "backup done" moves keys from "standing
by for backup" to "ready for use".  It may not be an explicit state
diagram, but it's probably comparable in function.

In that situation, forgetting to backup is not an operator error that can
lead to problems: keys will run out, which may lead to error messages, but
that's all.

What would be a problem is doing "backup done" (like we currently do)
when there are no keys "standing by for backup".  So what I would propose:

"backup start"
     ->	See if any keys were "standing by for backup" prior to this
	invocation and log a warning but continue;
     ->	See if any keys are "just generated" and give a message and
	exit with a warning value to signal that nothing needs backup;
     ->	Change any keys that were "just generated" to "standing by for
	backup" and exit with no error code.

"backup done"
     ->	If no keys are in state "standing by for backup" raise an error that
	"backup start" should be issued on >0 keys first;
     ->	Any keys in state "standing by for backup" are moved over to
	"ready for use".

I can't find any way of misusing that system... but let that be a
challenge to others ;-)


Cheers,
 -Rick
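As an added illustration of the proposal above (example code written here, not OpenDNSSEC's own implementation or anything from the thread), a small Python model of the three key states and the two commands; the exit-code values, the `keys` dictionary and the `log` list are assumptions made for the example:

```python
from enum import Enum


class KeyState(Enum):
    """The three states from the proposal; the middle one is the new intermediate state."""
    JUST_GENERATED = "just generated"
    STANDING_BY = "standing by for backup"
    READY = "ready for use"


# Assumed exit codes: 0 = success, 1 = warning (nothing to do), 2 = error (refused).
EXIT_OK, EXIT_WARNING, EXIT_ERROR = 0, 1, 2


def _in_state(keys, state):
    return [k for k, s in keys.items() if s is state]


def backup_start(keys, log):
    """'backup start': move 'just generated' keys to 'standing by for backup'.

    keys: dict mapping key id -> KeyState (mutated in place); log: list of messages.
    """
    # Leftover keys from an earlier 'backup start' without 'backup done': warn, continue.
    stale = _in_state(keys, KeyState.STANDING_BY)
    if stale:
        log.append(f"warning: {len(stale)} key(s) still standing by from an earlier 'backup start'")
    fresh = _in_state(keys, KeyState.JUST_GENERATED)
    if not fresh:
        log.append("nothing needs backup: no keys in state 'just generated'")
        return EXIT_WARNING
    for k in fresh:
        keys[k] = KeyState.STANDING_BY
    log.append(f"{len(fresh)} key(s) now standing by for backup")
    return EXIT_OK


def backup_done(keys, log):
    """'backup done': move 'standing by for backup' keys to 'ready for use'.

    Refuses (without touching any key) when nothing is standing by, so that a stray
    'backup done' can no longer promote keys that were never actually backed up.
    """
    waiting = _in_state(keys, KeyState.STANDING_BY)
    if not waiting:
        log.append("error: no keys standing by; issue 'backup start' on >0 keys first")
        return EXIT_ERROR
    for k in waiting:
        keys[k] = KeyState.READY
    log.append(f"{len(waiting)} key(s) now ready for use")
    return EXIT_OK
```

Running `backup_done` on a set of freshly generated keys returns the error code and leaves every key in "just generated", which is exactly the misuse the intermediate state is meant to block.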
