[Opendnssec-user] Re: Backup/restore information

Fred Zwarts (KVI) F.Zwarts at KVI.nl
Mon Apr 2 15:27:11 UTC 2012 

"Jerry Lundström"  wrote in message 
news:FED80B7D-A637-441D-9836-24EDCB4CD57C at opendnssec.org...
>
>Hi Fred,
>
>On Apr 2, 2012, at 13:56 , Fred Zwarts (KVI) wrote:
>
>>> Here is what I do:
>>
>>> ods-ksmutil backup prepare
>>> sqlite3 /var/lib/softhsm/slot0.db .dump | gzip | mygpg > $shsmfile
>>> mysqldump -u opendnssec opendnssec | gzip | mygpg > $kaspfile
>>> invoke-system-backup
>>> ods-ksmutil backup commit
>>
>> I assume that $shsmfile and $kaspfile are stored on a safe place and 
>> contain all the information needed to restore the SoftHSM and OpenDNSsec 
>> state. They are probably included in your system backup.
>>
>> I am not familiar with mysql or sqlite. What are the commands needed to 
>> restore the state from these two safe files?
>> Have you verified that it is sufficient to restore your zones and keys 
>> from these two files (and the unsigned zone files, of course)?
>
>There isn't any guide to backup and restore but there are some 
>documentation about the backups for each software.
>OpenDNSSEC - 
>https://wiki.opendnssec.org/display/DOCS/Key+Management#KeyManagement-Markingkeysasbackedup

As far as I can see, this one only tells how to tell OpenDNSsec that a 
backup will be made, not how a backup of the OpenDNSstate is made.

>SoftHSM - 
>https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+Home#SoftHSMDocumentationHome-Backup

>If your running MySQL there should be plenty of documentation on how to 
>backup/restore on mysql.com or if your running SQLite it's basically just a 
>database in a file so you could .dump it or copy it.

Thanks, I think this is the strategy that I will use for the softHSM 
database. (With OpenDNSsec shut down.)

>If you want to keep state in the backup the best bet is to shutdown 
>OpenDNSSEC and copy everything in /etc/opendnssec and /var/opendnssec (or 
>/var/lib/opendnssec, depending on your installation).

Thanks, this is what I need to know, concerning the locations where 
OpenDNSsec stores its state.

So, I think I will make a daily cron job that performs the following steps.
1) Shut down OpenDNSsec
2) create a tar file with the softHSM and OpenDNSsec configuration in etc 
and the OpenDNSsec state in /var/opendsnsec.
3) dump the database of /var/softhsm/slot0.db to another file
4) startup OpenDNSsec again.

The next step is that I will try to use these backup files to restore the 
OpenDNSsec and softHSM state on another server, just to prove that it is 
sufficient.

More information about the Opendnssec-user mailing list