[Opendnssec-user] Different behavior for <RequireBackup/>

Siôn Lloyd sion at nominet.org.uk
Thu Dec 13 12:17:05 CET 2012

On 13/12/12 10:10, Fred Zwarts (KVI) wrote:
> We have a few OpenDNSsec test installations, one with
> opendnssec-1.4.0b1 and softhsm-1.3.3 and on another system with
> opendnssec-1.3.9 and softhsm-1.3.2/. I noticed a different behavior
> that I do not understand. Had something changed, or is there a
> misconception in my understanding?
> Both systems have a similar, but slightly different configuration,
> using "SoftHSM" with the <RequireBackup/> option. Both systems do a
> ZSK rollover once every few weeks.
> After such a rollover the system with opendnssec-1.3.9, when I use the
> "ods-ksmutil backup list -v" command, shows that there are keys not in
> the backup. After a "ods-ksmutil backup done", another backup date is
> added to the list.
> The system with opendnssec-1.4.0b1, however, never shows that there
> are keys not in the backup. If I try "ods-ksmutil backup done" it
> tells me that there are no keys to backup and no date is added to the
> list. The last backup date listed is several months ago. At least a
> few ZSK rollovers have been processed since then. I do not remember
> whether these old backup dates are related to a KSK rollover, or that
> we were still running another version of opendnssec at that time on
> this test system.

This could be related to a change made in 1.4 that deprecates the backup
done command. See:


So if your backup done was scripted it now needs to include the --force
flag or cope with the "Do you wish to continue" question. (Or better
still it should use the two-step backup process.)


More information about the Opendnssec-user mailing list