[Opendnssec-user] Different behavior for <RequireBackup/>
Fred Zwarts (KVI)
F.Zwarts at KVI.nl
Thu Dec 13 11:10:20 CET 2012
We have a few OpenDNSsec test installations, one with opendnssec-1.4.0b1 and
softhsm-1.3.3 and on another system with opendnssec-1.3.9 and
softhsm-1.3.2/. I noticed a different behavior that I do not understand. Had
something changed, or is there a misconception in my understanding?
Both systems have a similar, but slightly different configuration, using
"SoftHSM" with the <RequireBackup/> option. Both systems do a ZSK rollover
once every few weeks.
After such a rollover the system with opendnssec-1.3.9, when I use the
"ods-ksmutil backup list -v" command, shows that there are keys not in the
backup. After a "ods-ksmutil backup done", another backup date is added to
The system with opendnssec-1.4.0b1, however, never shows that there are keys
not in the backup. If I try "ods-ksmutil backup done" it tells me that there
are no keys to backup and no date is added to the list. The last backup date
listed is several months ago. At least a few ZSK rollovers have been
processed since then. I do not remember whether these old backup dates are
related to a KSK rollover, or that we were still running another version of
opendnssec at that time on this test system.
More information about the Opendnssec-user