[Opendnssec-user] Backup/restore information
Dick Visser
visser at terena.org
Mon Apr 2 11:32:29 UTC 2012
On 2 April 2012 12:01, Fred Zwarts (KVI) <F.Zwarts at kvi.nl> wrote:
> We are considering to implement OpenDNSsec with softHSM voor our zones. We
> have set up a test system with Suse Linux Enterprise System 11 Service Pack
> 2 (SLES11SP2). We followed the instructions in the documentation and we have
> OpenDNSsec running now for a few weeks. It looks very promising. Once
> running, it needs little attention. It is stable, while resigning records
> and performing rollovers for ZSK keys at predefined intervals.
>
> Before we implement it on our real primary domain server, we need a backup
> policy.
> What we could not find in the documentation is a section about
> backup/restore procedures. Currently on our primary domain server we backup
> the zone files and the configuration files of our bind server. If, for some
> reason, the primary domain server fails and must be set up from scratch, we
> simple install a new SLES11SP2 system with the same IP address, restore the
> bind configuration and the zone files and everything is back to the
> situation of the last backup. In the down time of the primary server, the
> secondary domain servers will make our zone available for other systems.
> For OpenDNSsec and SoftHSM we want a similar procedure, but it is not clear
> to us what we need to save and restore in addition to our current backup. Of
> course we will backup the configuration files of OpenDNSsec and SoftHSM. But
> in addition, we need to save in some way the current key pairs and the state
> of OpenDNSsec.
> Is there documentation about what should be backed up and how it should be
> done? And how OpenDNSsec and SoftHSM are restored from such a backup so that
> it can resume to a known state, without losing the integrity of the zone?
We will run ODS on a VM, that will be backuped, and can be restored as a whole.
For the application only, I looks like the sqlite files in db/ contain
the information you need, for example:
root at ns3:/var/lib/opendnssec/db# sqlite3 kasp.db
SQLite version 3.6.22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
KEYALLOC_VIEW dbadmin policies
KEYDATA_VIEW dnsseckeys securitymodules
PARAMETER_LIST keypairs serialmodes
PARAMETER_VIEW parameters zones
categories parameters_policies
sqlite> SELECT * FROM KEYDATA_VIEW;
1|4|2012-03-05 22:51:42|2012-03-05 22:51:42|2012-03-06
00:52:46|2012-03-15 15:21:44|2015-03-15
15:21:44||257|8|0abdfa7c8b02a8dbbb8243d7e57b53ff|1|2|1|2048||0
2|4|2012-03-05 22:51:42|2012-03-05 22:51:42||2012-03-05
22:51:42|2012-04-04
22:51:42||256|8|576776893293a4531f547371829857b4|1|2|2|1024||0
3|4|2012-03-05 22:51:42|2012-03-05 22:51:42|2012-03-06
00:52:46|2012-03-06 19:24:06|2015-03-06
19:24:06||257|8|47cafb6857d0b50e5a354a5fa7ca7559|2|3|1|2048||0
4|4|2012-03-05 22:51:42|2012-03-05 22:51:42||2012-03-05
22:51:42|2012-04-04
22:51:42||256|8|5b95540e2aa58c802acfb53d9da82de1|2|3|2|1024||0
sqlite> .quit
--
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
More information about the Opendnssec-user
mailing list