[Opendnssec-user] Syncing keys to backup server

Berry A.W. van Halderen berry at nlnetlabs.nl
Tue Sep 1 08:55:32 UTC 2020

On 8/28/20 10:40 AM, Einar B. Halldórsson via Opendnssec-user wrote:
> Hi,
> We are finally planning a migration from 1.4 to 2.1 and at the same time looking
> at having a proper backup signer setup. We're using SoftHSM, my question is
> whether we have to pre-generate keys, copy them to the backup and trust that
> ODS rollovers are in close enough sync? Is it feasible to instead constantly
> sync keys from master to slave, with the backup set to manual rollover, so if and
> when the master goes offline we can switch the backup "on" and have it be the new
> signer with automatic rollovers?
> All ideas and information welcome.

Hello Einar,

This is more a operational and policy requirement question than a
technical one.  From a policy perspective you might want to require
pregenerated keys that can be validated months in advance, approved by

Technically there isn't much of a difference from both scenarios apart
from the time when keys are generated.  There is ample time which can be
made longer is which you can transfer the backed-up state from the keys
from master to slave.

If you just need to be able to switch over to a secondary system as
a manual, relatively quick, step.  And you're using SoftHSM, then
restoring a back-up to the secondary system of the key database is
the easiest operational method.

DO however keep a history of back-ups.  Even though with SoftHSMv2
I've never heart of any corruption nor lost keys, having a history
of backups is just common sense.  And you have a validation process
in place to ensure the secondary system is properly working.

With kind regard,

More information about the Opendnssec-user mailing list