[Opendnssec-user] Re: Different behavior for <RequireBackup/>

Fred Zwarts (KVI) F.Zwarts at KVI.nl
Thu Dec 13 12:25:29 UTC 2012


"Siôn Lloyd"  wrote in message news:50C9B931.6090606 at nominet.org.uk...
>
>On 13/12/12 10:10, Fred Zwarts (KVI) wrote:
>> We have a few OpenDNSSEC test installations, one with
>> opendnssec-1.4.0b1 and softhsm-1.3.3 and another system with
>> opendnssec-1.3.9 and softhsm-1.3.2. I noticed a different behavior
>> that I do not understand. Has something changed, or is there a
>> misconception in my understanding?
>>
>> Both systems have a similar, but slightly different configuration,
>> using "SoftHSM" with the <RequireBackup/> option. Both systems do a
>> ZSK rollover once every few weeks.
>>
>> After such a rollover the system with opendnssec-1.3.9, when I use the
>> "ods-ksmutil backup list -v" command, shows that there are keys not in
>> the backup. After a "ods-ksmutil backup done", another backup date is
>> added to the list.
>>
>> The system with opendnssec-1.4.0b1, however, never shows that there
>> are keys not in the backup. If I try "ods-ksmutil backup done" it
>> tells me that there are no keys to backup and no date is added to the
>> list. The last backup date listed is several months ago. At least a
>> few ZSK rollovers have been processed since then. I do not remember
>> whether these old backup dates are related to a KSK rollover, or that
>> we were still running another version of opendnssec at that time on
>> this test system.
>>
>
>This could be related to a change made in 1.4 that deprecates the backup
>done command. See:
>
>https://wiki.opendnssec.org/display/DOCSTRUNK/ods-ksmutil#ods-ksmutil-Commandbackupdone
>
>So if your backup done was scripted it now needs to include the --force
>flag or cope with the "Do you wish to continue" question. (Or better
>still it should use the two-step backup process.)

That does not explain why the backup list no longer mentions the
keys that are not backed up.
I do not use a script. There is no such question. It simply tells me that
there are no keys to backup.
The two-step backup process also tells me that there are no keys to backup.
