[Opendnssec-user] Different behavior for <RequireBackup/>

Fred Zwarts (KVI) F.Zwarts at KVI.nl
Thu Dec 13 11:10:20 CET 2012


We have a few OpenDNSSEC test installations, one with opendnssec-1.4.0b1 and 
softhsm-1.3.3 and another system with opendnssec-1.3.9 and 
softhsm-1.3.2. I noticed a different behavior that I do not understand. Has 
something changed, or is there a misconception in my understanding?

Both systems have a similar, but slightly different configuration, using 
"SoftHSM" with the <RequireBackup/> option. Both systems do a ZSK rollover 
once every few weeks.

After such a rollover the system with opendnssec-1.3.9, when I use the 
"ods-ksmutil backup list -v" command, shows that there are keys not in the 
backup. After a "ods-ksmutil backup done", another backup date is added to 
the list.

The system with opendnssec-1.4.0b1, however, never shows that there are keys 
not in the backup. If I try "ods-ksmutil backup done" it tells me that there 
are no keys to backup and no date is added to the list. The last backup date 
listed is several months ago. At least a few ZSK rollovers have been 
processed since then. I do not remember whether these old backup dates are 
related to a KSK rollover, or whether we were still running another version of 
opendnssec at that time on this test system. 




