[Opendnssec-user] Migrating from SoftHSM1 to 2

Havard Eidnes he at uninett.no
Fri Feb 7 10:50:37 UTC 2020


...and a related question:

With SoftHSM 1.x and OpenDNSSEC 1.x, we were given a recipe to
perform backup of the SoftHSM database periodically.  As I
understood it, OpenDNSSEC could be configured to "require backup"
before using a KSK, and we have our 1.x configured with
<RequireBackup/>.  My upgrade notes to OpenDNSSEC 2.x contain
"remove this option", but it's a little unclear where that comes
from.

Is this option no longer supported in OpenDNSSEC 2.x?

How do you then provide the same kind of safety?

The documentation for SoftHSM 2.x has this to say about backups:

   All of the tokens and their objects are stored in the location
   given by softhsm2.conf. Backup can thus be done as a regular file
   copy.

This is contrary to what was provided with SoftHSM 1.x; my
previous procedure does

  # Tell the enforcer a backup is starting, so keys created from
  # here on are not marked as backed up by the later "commit".
  ods-ksmutil backup prepare

  # Online, consistent copy of the SoftHSM 1.x token database
  # (sqlite3's .backup takes a snapshot; a plain cp of a live DB may not).
  cd /var/db/softhsm/
  sqlite3 slot0.db ".backup slot0-backup.`date +%d`.db"

  # Same for the OpenDNSSEC KASP database.
  cd /var/db/opendnssec/
  sqlite3 kasp.db ".backup kasp-backup.`date +%d`.db"

  # Mark the keys that existed at "prepare" time as backed up.
  ods-ksmutil backup commit

I understand this ("backup prepare" + "backup commit") would provide
consistent marking for whether each key has actually been properly
backed up or not.  Is there now with SoftHSM 2.x and OpenDNSSEC 2.x no
need to perform this function?  The documentation is conspicuously
silent on that matter.

I see that ods-enforcer still has the "backup" operations listed.
What purpose do those now serve?

Best regards,

- Håvard
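Added example (not part of the post above, and not OpenDNSSEC or SoftHSM code): the recipe uses sqlite3's ".backup" rather than a plain file copy because the SQLite backup API copies one committed snapshot of a live database. The block below shows that property, and the integrity check a practitioner would want before running "backup commit", against a throw-away database that stands in for kasp.db. The "keys" table and its rows are constructed sample data, not the real KASP schema; only Python's standard library is used.

```python
"""Consistent SQLite backups of the kind the ods-ksmutil recipe relies on.

Added example, not from the mailing-list post or from OpenDNSSEC/SoftHSM.
It builds a tiny throw-away database as a stand-in for kasp.db / slot0.db
(constructed sample data, invented schema) and shows why the sqlite3 shell's
".backup" is used rather than "cp": the backup API copies a single committed
snapshot even while another connection holds an open, uncommitted write
transaction, and the copy can be integrity-checked before "backup commit".
"""
import os
import sqlite3
import tempfile


def sqlite_backup(src_path: str, dst_path: str) -> None:
    """Online, transactionally consistent copy (what `.backup` does in sqlite3)."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    try:
        # Reads the source under a shared lock, so a concurrent writer's
        # uncommitted pages are never part of the copy.
        src.backup(dst)
    finally:
        dst.close()
        src.close()


def backup_is_sound(dst_path: str) -> bool:
    """Verify the copy before anything is declared 'backed up'."""
    con = sqlite3.connect(dst_path)
    try:
        (status,) = con.execute("PRAGMA integrity_check").fetchone()
        return status == "ok"
    finally:
        con.close()


def count_keys(db_path: str) -> int:
    """Row count of the constructed 'keys' table (stand-in for key metadata)."""
    con = sqlite3.connect(db_path)
    try:
        (n,) = con.execute("SELECT COUNT(*) FROM keys").fetchone()
        return n
    finally:
        con.close()


def make_sample_db(path: str) -> None:
    """Constructed stand-in for kasp.db; the schema is invented for this demo."""
    con = sqlite3.connect(path)
    with con:
        con.execute("CREATE TABLE keys (id INTEGER PRIMARY KEY, zone TEXT, role TEXT)")
        con.executemany(
            "INSERT INTO keys (zone, role) VALUES (?, ?)",
            [("example.net", "KSK"), ("example.net", "ZSK")],
        )
    con.close()


def run_demo() -> dict:
    """Back up while a writer has an uncommitted change, then again after commit."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "kasp.db")
        first = os.path.join(tmp, "kasp-backup.01.db")
        second = os.path.join(tmp, "kasp-backup.02.db")
        make_sample_db(live)

        writer = sqlite3.connect(live)
        # Open transaction, deliberately not committed yet.
        writer.execute("INSERT INTO keys (zone, role) VALUES (?, ?)",
                       ("example.org", "KSK"))
        sqlite_backup(live, first)      # snapshot excludes the pending row
        writer.commit()
        writer.close()
        sqlite_backup(live, second)     # snapshot now includes it

        return {
            "live_rows": count_keys(live),
            "first_rows": count_keys(first),
            "second_rows": count_keys(second),
            "first_ok": backup_is_sound(first),
            "second_ok": backup_is_sound(second),
        }


if __name__ == "__main__":
    print(run_demo())
```

The same pattern applies to the SoftHSM 1.x slot0.db; the "prepare" and "commit" steps from the recipe remain separate enforcer commands and are not modelled here.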

