> > In addition to the keystore, is it enough to replicate the KASP database
> > (kasp.db) between the servers? It seems that the kasp.db contains all
> > the information about the keys and their states, but please let me know
> > if there are some other files that need to be synchronized.
>
> I recommend that you run with manual key generate, pregenerate keys
> for some time ahead and then replicate the keystore - this way you
> don't have to sync the keystore between the machines during normal
> operations. Other than that the KASP database should be enough, but
> for now you should make sure that the enforcer is shut down when
> backing up and restoring the database (this might change in the future).

There is a command "ods-ksmutil database backup" which will make a copy of the kasp DB, ensuring that it is in a consistent state.

> A switch between the servers will most likely make all your
> signatures be re-generated, but there might be ways to preserve
> this by syncing some additional state between the servers - Matthijs
> knows more about this.

Our procedure runs something like:

1) stop the system with "ods-control stop"
2) copy the kasp.db file into place
3) clear out any old data in the unsigned and signed directories
4) re-transfer the unsigned zone
5) clear out the var/opendnssec/tmp directory
6) start the system up again with "ods-control start"

So we accept the hit of regenerating all the signatures. However, this is for .uk, which is a tiny zone, and may not be the way we would work with larger zones.

Sion

_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
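The switch-over steps above, scripted as an added example (this is not OpenDNSSEC's own tooling and not code from the thread). It assumes the default /var/opendnssec layout, that "ods-ksmutil database backup" has already been run on the primary, and two hypothetical hooks: ODS_RUN (set to "echo" for a dry run without OpenDNSSEC installed) and ZONE_FETCH (the operator's own command for re-transferring the unsigned zone in step 4).

```shell
#!/bin/sh
# Hypothetical failover helper for an OpenDNSSEC standby (added example, not project code).
# Layout and hooks below are assumptions, not OpenDNSSEC defaults guaranteed by the thread.
ODS_ROOT="${ODS_ROOT:-/var/opendnssec}"
KASP_DB="${KASP_DB:-$ODS_ROOT/kasp.db}"
ODS_RUN="${ODS_RUN:-}"          # hypothetical: set to "echo" to dry-run the ods-* calls
ZONE_FETCH="${ZONE_FETCH:-}"    # hypothetical: operator's re-transfer command (step 4)

# On the primary: consistent copy of the KASP database (the thread's ods-ksmutil command).
backup_kasp() {
    $ODS_RUN ods-ksmutil database backup
}

# On the standby: the six steps from the thread. $1 = kasp.db copy taken from the primary.
# Ordering matters: the database is only touched after ods-control has stopped the enforcer,
# because the thread says enforcer must be down while backing up or restoring kasp.db.
promote_standby() {
    kasp_copy="$1"
    if [ ! -f "$kasp_copy" ]; then
        echo "missing kasp.db copy: $kasp_copy" >&2
        return 1
    fi
    $ODS_RUN ods-control stop                                   # 1) stop enforcer and signer
    if [ -f "$KASP_DB" ]; then                                  # keep whatever the standby had
        cp "$KASP_DB" "$KASP_DB.pre-failover.$(date +%Y%m%d%H%M%S)"
    fi
    cp "$kasp_copy" "$KASP_DB"                                  # 2) put kasp.db into place
    rm -f "$ODS_ROOT"/unsigned/* "$ODS_ROOT"/signed/*           # 3) drop stale zone data
    if [ -n "$ZONE_FETCH" ]; then                               # 4) re-transfer unsigned zone
        sh -c "$ZONE_FETCH"
    fi
    rm -rf "$ODS_ROOT"/tmp/*                                    # 5) clear signer working dir
    $ODS_RUN ods-control start                                  # 6) resign; all RRSIGs regenerate
}
```

Run as `promote_standby /path/to/kasp.db.from-primary` on the standby after the primary's backup file has been copied over.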
