[Opendnssec-user] Re: Backup/restore information

Paul Wouters paul at nohats.ca
Tue May 29 16:10:45 UTC 2012

On Tue, 29 May 2012, Sylvain wrote:

>>> 1) Shut down OpenDNSsec
>>> 2) create a tar file with the softHSM and OpenDNSsec configuration in etc
>>> and the OpenDNSsec state in /var/opendnssec.
>>> 3) dump the database of /var/softhsm/slot0.db to another file
>>> 4) startup OpenDNSsec again.
> Hello !
> I make this same procedure of Backup/restore.
> But when I execute "ods-ksmutil key list --verbose", I have the zone list with
> CKA_ID but "SoftHSM NOT IN repository".

Grabbing /etc/softhsm* /etc/opendnssec* /var/opendnssec and /var/softhsm
should do it. If you have some hardware HSM, you might also need to grab
those files (e.g. the Keyper directory for AEP, or the /opt bits for the
Sun SCA-6000 card).

> And it seems that the repository are empty :

I always run ods-hsmuti update all to make sure everything is up to
date. Also make sure you have no user permissions issues. If you untar
as root, it might use the uids from the backup system, but the "ods" or
"opendnssec" user (at least on Fedora/RHEL) is not a static uid number,
and might differ from system to system.

Also make sure ods-enforcerd/ods-signerd are not running when you
restore, and then start them after restore.

And of course, when using hardware HSM, ensure the new system has the
proprietary code installed as well to access the HSM.
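
Added example, not part of the original message or of OpenDNSSEC: a post-restore check for the two pitfalls described above (daemons still running, restored files carrying the backup system's uid). The function names are hypothetical, and it assumes /var/opendnssec and /var/softhsm are meant to be owned by the local "ods" or "opendnssec" account.

```shell
#!/bin/sh
# Post-restore sanity checks for an OpenDNSSEC + SoftHSM restore.
# Paths and account names are taken from the message above; the assumption
# that the service account owns both state directories is ours.

# Print every path under directory $1 that is NOT owned by numeric uid $2.
owner_mismatches() {
    [ -d "$1" ] || return 0
    find "$1" ! -uid "$2" -print
}

# Print the first of the given account names that exists on this system.
service_user() {
    for u in "$@"; do
        if id -u "$u" >/dev/null 2>&1; then echo "$u"; return 0; fi
    done
    return 1
}

# Return 0 if ods-enforcerd or ods-signerd is currently running.
daemons_running() {
    pgrep -x ods-enforcerd >/dev/null 2>&1 || pgrep -x ods-signerd >/dev/null 2>&1
}

check_restore() {
    if daemons_running; then
        echo "ods-enforcerd/ods-signerd running: stop them before restoring" >&2
        return 2
    fi
    user=$(service_user ods opendnssec) || {
        echo "no local ods/opendnssec account found" >&2; return 2; }
    want=$(id -u "$user")
    bad=0
    for d in /var/opendnssec /var/softhsm; do
        out=$(owner_mismatches "$d" "$want")
        if [ -n "$out" ]; then
            echo "not owned by $user (uid $want):"
            echo "$out"
            bad=1
        fi
    done
    return "$bad"
}

# Run the checks only when called as: sh script.sh check
if [ "${1:-}" = "check" ]; then check_restore; fi
```

Paths it reports were restored with a numeric uid from the backup host; re-own them to the local service account before starting the daemons.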


