[Opendnssec-user] Question about DNSSEC

Havard Eidnes he at uninett.no
Mon Sep 1 08:59:19 UTC 2014


Hi,

picking just a few of your questions:

> 3) How can I back up keys and slots?
> 4) How to back up DB?

This is the script I use to back up the slot0.db, the only one, on
my installation:

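#! /bin/sh
# Nightly backup of the SoftHSM token database.
cd /var/db/softhsm/ || exit 1
# Flag the keys that this backup will contain.
ods-ksmutil backup prepare
# Consistent online copy; the day of the month gives a 31-file rotation.
sqlite3 slot0.db ".backup slot0-backup.`date +%d`.db" || exit 1
# Only reached when the copy succeeded.
ods-ksmutil backup commit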

This is done each night, and the backup files are then subject to
normal system backups (you get a total of 31 backup files where
each one is re-used and overwritten approximately every month).

The "ods-ksmutil backup ..." dance is so that the keys only get a
"backed up" flag if they were actually part of the backup, and
the sqlite3 .backup should ensure that the backup is in a
consistent state, "database-wise".

(I hope I've got that right.)

> 5) How to upgrade OpenDNSSEC?  Are there any notes about that?

That's version-specific.  Usually, upgrades within a given major
version go smoothly and require no particular actions, but do
consult the relevant release notes, e.g.

  http://www.opendnssec.org/2014/07/21/opendnssec-1-4-6/

You obviously need to ensure that you're actually running the new
bits after you've done the upgrade, i.e. you need to restart
long-running processes which are part of OpenDNSSEC.

An example of information supplied with a major version upgrade
can e.g. be found at

  https://wiki.opendnssec.org/display/DOCS/New+in+OpenDNSSEC+1.4

> 6) How can I clone the current system to another one without
>    any failure?  Are there any notes about that?

Here I'm a little sketchy because I've not yet done this myself,
but I'm thinking that if you have a "cold standby" with the exact
same software versions installed (kept in sync when you upgrade),
and you suffer a catastrophic breakdown on your production
system, copying the latest backup of the SoftHSM database,
putting it in place of slot0.db, and ensuring that zones can
enter and leave the OpenDNSSEC installation on the former cold
standby, now active OpenDNSSEC system, you should be good to go
(this obviously needs testing to ensure confidence in the
required procedure).

I see one stumbling block, though: the SoftHSM software uses
"unsigned long" in on-disk data storage, and that causes a
SoftHSM database to not be portable between 32- and 64-bit
systems, ref.

  https://wiki.opendnssec.org/display/SoftHSMDOCS/SoftHSM+Documentation+v1.3#SoftHSMDocumentationv1.3-Backup

> 7) Is there any yum repo to install opendnssec?

I don't know.  Maybe

  http://www.opendnssec.org/download/packages/

can give some directions.

Regards,

- Håvard
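
One way to extend the nightly backup described in the post so that the copy is integrity-checked before "ods-ksmutil backup commit" runs. This is an added example, not the poster's script: the function name backup_and_verify and the ".tmp" staging file are assumptions, while the directory, file names and ods-ksmutil commands are the ones in the post.

```python
#!/usr/bin/env python3
# Added example, not the poster's script: copy the SoftHSM token database
# with SQLite's online backup API and verify the copy before it is committed.
import datetime
import os
import sqlite3
import subprocess
import sys

SOFTHSM_DIR = "/var/db/softhsm"  # directory named in the post
TOKEN_DB = "slot0.db"            # token file named in the post


def backup_and_verify(src, dest_dir, day=None):
    """Back up src to dest_dir/slot0-backup.DD.db and return that path.

    Raises sqlite3.Error or RuntimeError, leaving any older backup in place."""
    if day is None:
        day = datetime.date.today().day
    dest = os.path.join(dest_dir, "slot0-backup.%02d.db" % day)
    tmp = dest + ".tmp"  # hypothetical staging name, replaced atomically below
    if os.path.exists(tmp):
        os.remove(tmp)
    source = sqlite3.connect("file:%s?mode=ro" % src, uri=True)
    target = sqlite3.connect(tmp)
    ok = False
    try:
        source.backup(target)  # same online backup mechanism as ".backup"
        ok = target.execute("PRAGMA integrity_check").fetchall() == [("ok",)]
    finally:
        target.close()
        source.close()
        if not ok and os.path.exists(tmp):
            os.remove(tmp)
    if not ok:
        raise RuntimeError("integrity_check failed for copy of %s" % src)
    os.replace(tmp, dest)
    return dest


if __name__ == "__main__":
    subprocess.check_call(["ods-ksmutil", "backup", "prepare"])
    try:
        path = backup_and_verify(os.path.join(SOFTHSM_DIR, TOKEN_DB), SOFTHSM_DIR)
    except (sqlite3.Error, RuntimeError) as exc:
        sys.exit("backup not committed: %s" % exc)
    subprocess.check_call(["ods-ksmutil", "backup", "commit"])
    print("backup committed:", path)
```

A failed or unreadable copy leaves the previous file for that day of the month untouched and the keys uncommitted, so the next night's run can try again.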
