[Opendnssec-user] Backup/restore information

Dick Visser visser at terena.org
Mon Apr 2 11:32:29 UTC 2012

On 2 April 2012 12:01, Fred Zwarts (KVI) <F.Zwarts at kvi.nl> wrote:
> We are considering to implement OpenDNSsec with softHSM voor our zones. We
> have set up a test system with Suse Linux Enterprise System 11 Service Pack
> 2 (SLES11SP2). We followed the instructions in the documentation and we have
> OpenDNSsec running now for a few weeks. It looks very promising. Once
> running, it needs little attention. It is stable, while resigning records
> and performing rollovers for ZSK keys at predefined intervals.
> Before we implement it on our real primary domain server, we need a backup
> policy.
> What we could not find in the documentation is a section about
> backup/restore procedures. Currently on our primary domain server we backup
> the zone files and the configuration files of our bind server. If, for some
> reason, the primary domain server fails and must be set up from scratch, we
> simple install a new SLES11SP2 system with the same IP address, restore the
> bind configuration and the zone files and everything is back to the
> situation of the last backup. In the down time of the primary server, the
> secondary domain servers will make our zone available for other systems.
> For OpenDNSsec and SoftHSM we want a similar procedure, but it is not clear
> to us what we need to save and restore in addition to our current backup. Of
> course we will backup the configuration files of OpenDNSsec and SoftHSM. But
> in addition, we need to save in some way the current key pairs and the state
> of OpenDNSsec.
> Is there documentation about what should be backed up and how it should be
> done? And how OpenDNSsec and SoftHSM are restored from such a backup so that
> it can resume to a known state, without losing the integrity of the zone?

We will run ODS on a VM, that will be backuped, and can be restored as a whole.
For the application only, I looks like the sqlite files in db/ contain
the information you need, for example:

root at ns3:/var/lib/opendnssec/db# sqlite3 kasp.db
SQLite version 3.6.22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
KEYALLOC_VIEW        dbadmin              policies
KEYDATA_VIEW         dnsseckeys           securitymodules
PARAMETER_LIST       keypairs             serialmodes
PARAMETER_VIEW       parameters           zones
categories           parameters_policies
1|4|2012-03-05 22:51:42|2012-03-05 22:51:42|2012-03-06
00:52:46|2012-03-15 15:21:44|2015-03-15
2|4|2012-03-05 22:51:42|2012-03-05 22:51:42||2012-03-05
3|4|2012-03-05 22:51:42|2012-03-05 22:51:42|2012-03-06
00:52:46|2012-03-06 19:24:06|2015-03-06
4|4|2012-03-05 22:51:42|2012-03-05 22:51:42||2012-03-05
sqlite> .quit

Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands

More information about the Opendnssec-user mailing list