[Opendnssec-user] Signer/HSM redundancy and database replication

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Feb 25 08:56:44 UTC 2010



Jakob Schlyter wrote:
> On 25 feb 2010, at 08.04, Antti Ristimäki wrote:
> 
>> In addition to the keystore, is it enough to replicate the KASP database
>> (kasp.db) between the servers? It seems that the kasp.db contains all
>> the information about the keys and their states, but please let me know
>> if there are some other files that need to be synchronized.
> 
> I recommend that you run with manual key generation, pregenerate keys for some time ahead and then replicate the keystore - this way you don't have to sync the keystore between the machines during normal operations. Other than that, the KASP database should be enough, but for now you should make sure that the enforcer is shut down when backing up and restoring the database (this might change in the future).
> 
> A switch between the servers will most likely cause all your signatures to be re-generated, but there might be ways to preserve this by syncing some additional state between the servers - Matthijs knows more about this.

The current signatures are stored in the internal files (in the
/var/opendnssec/tmp/ directory). If you keep the .signed files,
signatures can be preserved and don't need to be re-generated.

Best regards,

Matthijs
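Added example, not code from this thread or from the OpenDNSSEC project: a POSIX shell snapshot of the three pieces of state the replies above identify (the KASP database, the pre-generated keystore, and the signer's .signed files under its tmp directory), taken with the enforcer stopped and accompanied by a SHA-256 manifest so the standby can check the copy before it takes over. The file paths, the assumption that the keystore is a SoftHSM 1.x token database, and the use of `ods-control enforcer stop`/`start` to quiesce the enforcer are assumptions about a 1.x installation and are overridable through the environment; `demo` builds a constructed stand-in for those files in a temporary directory so the functions can be exercised on a machine without OpenDNSSEC.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenDNSSEC project): snapshot the
# state a standby signer/enforcer needs and write a checksum manifest for it.
# All paths below are assumptions (OpenDNSSEC 1.x / SoftHSM 1.x defaults);
# override them through the environment for a real installation.
set -eu

KASP_DB="${KASP_DB:-/var/opendnssec/kasp.db}"       # enforcer's KASP database
KEYSTORE="${KEYSTORE:-/var/lib/softhsm/slot0.db}"   # SoftHSM token holding the pre-generated keys
SIGNER_TMP="${SIGNER_TMP:-/var/opendnssec/tmp}"     # signer working dir with the .signed files

# Portable SHA-256: coreutils sha256sum, or perl shasum where that is absent.
sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# The thread asks for the enforcer to be down while kasp.db is copied.
# No-op when ods-control is not installed, so the rest still runs elsewhere.
enforcer_ctl() {
    if command -v ods-control >/dev/null 2>&1; then
        ods-control enforcer "$1"
    fi
}

# snapshot_state DEST: copy kasp.db, the keystore and every *.signed file into
# DEST, then write DEST/SHA256SUMS covering all of them.
snapshot_state() {
    dest="$1"
    mkdir -p "$dest/signed"
    enforcer_ctl stop
    cp -p "$KASP_DB" "$dest/kasp.db"
    cp -p "$KEYSTORE" "$dest/keystore.db"
    # The .signed files are the signer's internal state; carrying them over
    # lets the standby keep the current signatures instead of re-signing.
    for f in "$SIGNER_TMP"/*.signed; do
        [ -e "$f" ] && cp -p "$f" "$dest/signed/"
    done
    enforcer_ctl start
    (
        cd "$dest"
        find . -type f ! -name SHA256SUMS | LC_ALL=C sort |
            while IFS= read -r f; do sha256 "$f"; done > SHA256SUMS
    )
}

# verify_snapshot DEST: succeed only if every file listed in DEST/SHA256SUMS
# is present and unchanged (run on the standby after the transfer).
verify_snapshot() {
    ( cd "$1" && sha256 -c SHA256SUMS >/dev/null 2>&1 )
}

# demo: constructed stand-ins for the three files (not real OpenDNSSEC data)
# in a temp dir; snapshot, verify, tamper with kasp.db, confirm verify fails.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/src/tmp"
    printf 'constructed kasp.db\n'       > "$t/src/kasp.db"
    printf 'constructed keystore\n'      > "$t/src/keystore.db"
    printf 'constructed RRSIG data\n'    > "$t/src/tmp/example.com.signed"
    printf 'scratch, not replicated\n'   > "$t/src/tmp/example.com.unsigned"
    KASP_DB="$t/src/kasp.db" KEYSTORE="$t/src/keystore.db" SIGNER_TMP="$t/src/tmp"
    snapshot_state "$t/dest"
    verify_snapshot "$t/dest" || return 1
    [ ! -e "$t/dest/signed/example.com.unsigned" ] || return 1
    printf 'tampered\n' > "$t/dest/kasp.db"
    if verify_snapshot "$t/dest"; then return 1; fi
    rm -rf "$t"
}

# Real usage on the primary, then move DEST to the standby over an
# authenticated channel (the keystore carries private key material):
#   snapshot_state /var/backups/opendnssec
#   verify_snapshot /var/backups/opendnssec && echo "snapshot consistent"
```

The manifest is the part worth keeping even if the copy mechanism changes: a standby that imports a half-written kasp.db or a keystore that does not match it will fail in ways that look like signing bugs, so verifying the set as a whole before starting the enforcer on the other machine is cheap insurance. Note that whatever copies the .signed files also has to carry the keystore, since signatures are only reusable on a host that holds the same keys.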