[Opendnssec-user] Signer/HSM redundancy and database replication

sion at nominet.org.uk sion at nominet.org.uk
Thu Feb 25 09:01:08 UTC 2010

> > In addition to the keystore, is it enough to replicate the KASP
> > (kasp.db) between the servers? It seems that the kasp.db contains all
> > the information about the keys and their states, but please let me know
> > if there are some other files that need to be synchronized.
> I recommend that you run with manual key generate, pregenerate keys
> for some time ahead and then replicate the keystore - this way you
> don't have to sync the keystore between the machines during normal
> operations. Other than that the KASP database should be enough, but
> for now you should make sure that the enforcer is shut down when
> backing up and restoring the database (this might change in the

There is a command "ods-ksmutil database backup" which will make a copy of
the kasp DB, ensuring that it is in a consistent state.

> A switch between the servers will most likely cause all your
> signatures to be re-generated, but there might be ways to preserve
> this by syncing some additional state between the servers - Matthijs
> knows more about this.

Our procedure runs something like:

1) stop the system with "ods-control stop"
2) copy kasp.db file into place
3) clear out any old data in the unsigned and signed directories
4) re-transfer the unsigned zone
5) clear out the var/opendnssec/tmp directory
6) start the system up again "ods-control start"

So we accept the hit of regenerating all the signatures. However this is
for .uk which is a tiny zone and may not be the way we would work with
larger zones.
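
The six-step procedure above written as a shell function. This is an added example, not code from the message or from the OpenDNSSEC project. The layout under PREFIX (kasp.db, unsigned, signed and tmp all inside var/opendnssec) and the ODS_CONTROL and ZONE_FETCH hooks are assumptions.

```shell
#!/bin/sh
# Added example: switch a standby signer over to a replicated kasp.db.
# Assumed layout (not stated in the message):
#   $PREFIX/var/opendnssec/{kasp.db,unsigned,signed,tmp}
# ODS_CONTROL: command used to stop/start the system (default: ods-control).
# ZONE_FETCH:  hypothetical site-specific command that re-transfers the
#              unsigned zone; it receives the unsigned directory as $1.

# Remove everything inside a directory but keep the directory itself.
ods_clear_dir() {
    mkdir -p "$1" && find "$1" -mindepth 1 -delete
}

ods_switchover() {
    prefix=${1:?usage: ods_switchover PREFIX KASP_COPY}
    kasp_src=${2:?usage: ods_switchover PREFIX KASP_COPY}
    var="$prefix/var/opendnssec"
    ctl=${ODS_CONTROL:-ods-control}
    fetch=${ZONE_FETCH:-:}

    # Check inputs before stopping anything. KASP_COPY should be a consistent
    # copy, e.g. one made with "ods-ksmutil database backup".
    [ -s "$kasp_src" ] || { echo "missing or empty: $kasp_src" >&2; return 1; }
    [ -d "$var" ] || { echo "no such directory: $var" >&2; return 1; }

    # From here on, any failure returns early and leaves the system stopped
    # rather than starting it on a mix of old and new state.
    "$ctl" stop || return 1                              # step 1

    # Step 2: copy beside the target, verify, then rename into place.
    cp "$kasp_src" "$var/kasp.db.new" || return 1
    cmp -s "$kasp_src" "$var/kasp.db.new" || { rm -f "$var/kasp.db.new"; return 1; }
    mv "$var/kasp.db.new" "$var/kasp.db" || return 1

    ods_clear_dir "$var/unsigned" || return 1            # step 3
    ods_clear_dir "$var/signed" || return 1
    $fetch "$var/unsigned" || return 1                   # step 4
    ods_clear_dir "$var/tmp" || return 1                 # step 5
    "$ctl" start                                         # step 6
}

# Example call (paths are placeholders):
#   ZONE_FETCH=/usr/local/sbin/fetch-zone ods_switchover /usr/local /backup/kasp.db
```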

