[Opendnssec-user] Re: Different behavior for <RequireBackup/>

Fred Zwarts (KVI) F.Zwarts at KVI.nl
Fri Dec 14 13:27:05 UTC 2012


"Fred Zwarts (KVI)"  wrote in message news:kachfo$jj1$1 at ger.gmane.org...
>
>"Siôn Lloyd"  wrote in message 
>news:50C9B931.6090606 at nominet.org.uk...
>>
>>On 13/12/12 10:10, Fred Zwarts (KVI) wrote:
>>> We have a few OpenDNSSEC test installations, one with
>>> opendnssec-1.4.0b1 and softhsm-1.3.3 and another system with
>>> opendnssec-1.3.9 and softhsm-1.3.2. I noticed a different behavior
>>> that I do not understand. Has something changed, or is there a
>>> misconception in my understanding?
>>>
>>> Both systems have a similar, but slightly different configuration,
>>> using "SoftHSM" with the <RequireBackup/> option. Both systems do a
>>> ZSK rollover once every few weeks.
>>>
>>> After such a rollover the system with opendnssec-1.3.9, when I use the
>>> "ods-ksmutil backup list -v" command, shows that there are keys not in
>>> the backup. After a "ods-ksmutil backup done", another backup date is
>>> added to the list.
>>>
>>> The system with opendnssec-1.4.0b1, however, never shows that there
>>> are keys not in the backup. If I try "ods-ksmutil backup done" it
>>> tells me that there are no keys to backup and no date is added to the
>>> list. The last backup date listed is several months ago. At least a
>>> few ZSK rollovers have been processed since then. I do not remember
>>> whether these old backup dates are related to a KSK rollover, or that
>>> we were still running another version of opendnssec at that time on
>>> this test system.
>>>
>>
>>This could be related to a change made in 1.4 that deprecates the backup
>>done command. See:
>>
>>https://wiki.opendnssec.org/display/DOCSTRUNK/ods-ksmutil#ods-ksmutil-Commandbackupdone
>>
>>So if your backup done was scripted it now needs to include the --force
>>flag or cope with the "Do you wish to continue" question. (Or better
>>still it should use the two-step backup process.)
>
>That does not explain why the backup list no longer mentions the 
>keys that are not in the backup.
>I do not use a script. There is no such question. It simply tells me that 
>there are no keys to backup.
>The two-step backup process also tells me that there are no keys to backup.

It seems that the difference can be explained by differences in 
preallocating a pool of keys for future use. Thanks to Siôn Lloyd for 
pointing out this possibility.