[Opendnssec-user] Signer/HSM redundancy and database replication

Jakob Schlyter jakob at kirei.se
Thu Feb 25 08:05:00 UTC 2010

On 25 feb 2010, at 08.04, Antti Ristimäki wrote:

> In addition to the keystore, is it enough to replicate the KASP database
> (kasp.db) between the servers? It seems that the kasp.db contains all
> the information about the keys and their states, but please let me know
> if there are some other files that need to be synchronized.

I recommend that you run with manual key generation, pregenerate keys for some time ahead and then replicate the keystore - this way you don't have to sync the keystore between the machines during normal operations. Other than that, the KASP database should be enough, but for now you should make sure that the enforcer is shut down when backing up and restoring the database (this might change in the future).

A switch between the servers will most likely cause all your signatures to be re-generated, but there might be ways to preserve this by syncing some additional state between the servers - Matthijs knows more about this.


Jakob Schlyter
Kirei AB - www.kirei.se
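The backup step described above (enforcer stopped, kasp.db and the keystore copied together so they stay consistent), as an added shell example that is not part of this thread or of OpenDNSSEC itself. It assumes `ods-control enforcer stop|start` is available and that the keystore is a file-based SoftHSM token directory; all paths are placeholders.

```shell
#!/bin/sh
# Added example: snapshot the OpenDNSSEC state that has to travel together
# to a standby signer (the KASP database plus the HSM keystore), with the
# enforcer stopped for the duration of the copy. Assumptions: ods-control
# provides "enforcer stop/start"; the keystore is a SoftHSM token directory.
set -eu

ODS_CONTROL="${ODS_CONTROL:-ods-control}"           # assumed CLI
KASP_DB="${KASP_DB:-/var/opendnssec/kasp.db}"        # placeholder path
TOKEN_DIR="${TOKEN_DIR:-/var/lib/softhsm/tokens}"    # placeholder path

# snapshot_state DEST: stop the enforcer, copy kasp.db and the token
# directory into DEST, write a checksum manifest, restart the enforcer
# (also on failure) and print DEST.
snapshot_state() {
    dest="$1"
    mkdir -p "$dest"
    "$ODS_CONTROL" enforcer stop
    # From here on the enforcer is restarted whatever happens.
    trap '"$ODS_CONTROL" enforcer start' EXIT
    cp "$KASP_DB" "$dest/kasp.db"
    cp -R "$TOKEN_DIR" "$dest/tokens"
    # Manifest lets the standby verify it restores the matching pair.
    ( cd "$dest" && find kasp.db tokens -type f | sort | xargs cksum ) \
        > "$dest/MANIFEST"
    "$ODS_CONTROL" enforcer start
    trap - EXIT
    echo "$dest"
}

# verify_snapshot DEST: succeed only if every file still matches MANIFEST;
# run this on the standby before restoring, with its enforcer stopped too.
verify_snapshot() {
    ( cd "$1" && find kasp.db tokens -type f | sort | xargs cksum ) \
        | cmp -s - "$1/MANIFEST"
}
```

Call `snapshot_state /some/backup/dir` on the active server and `verify_snapshot` on the copy before overwriting the standby's kasp.db and token directory.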
