[Opendnssec-user] Signer/HSM redundancy and database replication

Antti Ristimäki aristima at csc.fi
Thu Feb 25 07:04:21 UTC 2010


Hi folks,

We're planning to set up a signing environment with redundant signer
servers that both have their own hardware HSM. The keys and the key
information should thus be synchronized between the servers in order to
reduce the amount of manual work when switching over to the secondary
server. That is, the secondary server should always have the same keys
as the primary server and should always know, which keys are currently
active.

The keys can obviously be synchronized by replicating the encrypted
keystore file between the servers (at least when using Sun SCA). In
addition to the keystore, is it enough to replicate the KASP database
(kasp.db) between the servers? It seems that the kasp.db contains all
the information about the keys and their states, but please let me know
if there are some other files that need to be synchronized.

Thanks,

Antti
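An added example, not part of the post and not OpenDNSSEC's own code, showing one way to take the database half of the replication the post describes safely: snapshot kasp.db with SQLite's online backup API (so the copy is transactionally consistent even while the enforcer is writing) and verify on the other side that the replica is intact and content-identical before trusting it for a switch-over. It assumes kasp.db is a plain SQLite file; the file paths and the tiny `keypairs` table are constructed placeholders, not the real KASP schema.

```python
import hashlib
import sqlite3
import tempfile
from pathlib import Path


def snapshot_sqlite(src: Path, dst: Path) -> Path:
    """Write a transactionally consistent copy of src to dst.

    Uses SQLite's online backup API instead of a raw file copy: copying the
    file with cp/rsync while the enforcer is mid-transaction can yield a torn
    replica that only fails when the secondary actually needs it.
    """
    source = sqlite3.connect(str(src))
    target = sqlite3.connect(str(dst))
    try:
        source.backup(target)  # replaces the whole content of dst atomically
    finally:
        target.close()
        source.close()
    return dst


def logical_digest(db: Path) -> str:
    """SHA-256 over the SQL dump (schema + rows).

    Hashing the dump rather than the file bytes means two databases with the
    same content compare equal even if freelist pages or page layout differ.
    """
    conn = sqlite3.connect(str(db))
    try:
        h = hashlib.sha256()
        for statement in conn.iterdump():
            h.update(statement.encode("utf-8"))
            h.update(b"\n")
        return h.hexdigest()
    finally:
        conn.close()


def integrity_ok(db: Path) -> bool:
    """True when SQLite's own consistency check passes on the file."""
    conn = sqlite3.connect(str(db))
    try:
        (result,) = conn.execute("PRAGMA integrity_check").fetchone()
        return result == "ok"
    finally:
        conn.close()


def replica_matches(primary: Path, replica: Path) -> bool:
    """A replica is usable only if it is structurally sound and content-identical."""
    return integrity_ok(replica) and logical_digest(primary) == logical_digest(replica)


def build_sample_db(path: Path) -> None:
    """Constructed stand-in for kasp.db (NOT the real KASP schema)."""
    conn = sqlite3.connect(str(path))
    try:
        conn.execute(
            "CREATE TABLE keypairs (id INTEGER PRIMARY KEY, zone TEXT, role TEXT, state TEXT)"
        )
        conn.executemany(
            "INSERT INTO keypairs (zone, role, state) VALUES (?, ?, ?)",
            [("example.test", "KSK", "active"),
             ("example.test", "ZSK", "active"),
             ("example.test", "ZSK", "publish")],
        )
        conn.commit()
    finally:
        conn.close()


def rollover_sample_key(path: Path) -> None:
    """Simulate the enforcer advancing ZSK state on the primary."""
    conn = sqlite3.connect(str(path))
    try:
        conn.execute("UPDATE keypairs SET state = 'retire' WHERE role = 'ZSK' AND state = 'active'")
        conn.execute("UPDATE keypairs SET state = 'active' WHERE role = 'ZSK' AND state = 'publish'")
        conn.commit()
    finally:
        conn.close()


def run_demo() -> dict:
    """Snapshot, verify, change the primary, detect drift, re-snapshot."""
    with tempfile.TemporaryDirectory() as tmp:
        primary = Path(tmp) / "kasp.db"          # placeholder path
        replica = Path(tmp) / "kasp.db.replica"  # placeholder path
        build_sample_db(primary)
        snapshot_sqlite(primary, replica)
        after_first_sync = replica_matches(primary, replica)
        rollover_sample_key(primary)
        after_primary_change = replica_matches(primary, replica)
        snapshot_sqlite(primary, replica)
        after_second_sync = replica_matches(primary, replica)
        return {
            "after_first_sync": after_first_sync,
            "after_primary_change": after_primary_change,
            "after_second_sync": after_second_sync,
        }


if __name__ == "__main__":
    print(run_demo())
```

The snapshot file is what would be shipped to the secondary (rsync, scp, whatever the site uses); the secondary runs `replica_matches` against the digest published by the primary before it is allowed to take over. This covers only the database: the HSM keystore the post mentions, and any configuration files the enforcer reads, need their own synchronization and their own integrity check.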



