On 2 April 2012 12:01, Fred Zwarts (KVI) <[email protected]> wrote:
> We are considering implementing OpenDNSSEC with SoftHSM for our zones. We
> have set up a test system with Suse Linux Enterprise System 11 Service Pack
> 2 (SLES11SP2). We followed the instructions in the documentation and we have
> had OpenDNSSEC running for a few weeks now. It looks very promising. Once
> running, it needs little attention. It is stable, while re-signing records
> and performing rollovers for ZSK keys at predefined intervals.
>
> Before we implement it on our real primary domain server, we need a backup
> policy.
> What we could not find in the documentation is a section about
> backup/restore procedures. Currently on our primary domain server we back up
> the zone files and the configuration files of our bind server. If, for some
> reason, the primary domain server fails and must be set up from scratch, we
> simply install a new SLES11SP2 system with the same IP address, restore the
> bind configuration and the zone files and everything is back to the
> situation of the last backup. During the downtime of the primary server, the
> secondary domain servers will make our zone available for other systems.
> For OpenDNSSEC and SoftHSM we want a similar procedure, but it is not clear
> to us what we need to save and restore in addition to our current backup. Of
> course we will back up the configuration files of OpenDNSSEC and SoftHSM. But
> in addition, we need to save in some way the current key pairs and the state
> of OpenDNSSEC.
> Is there documentation about what should be backed up and how it should be
> done? And how OpenDNSSEC and SoftHSM are restored from such a backup so that
> it can resume to a known state, without losing the integrity of the zone?

We will run ODS on a VM that will be backed up and can be restored as a
whole. For the application only, it looks like the SQLite files in db/
contain the information you need, for example:

root@ns3:/var/lib/opendnssec/db# sqlite3 kasp.db
SQLite version 3.6.22
Enter ".help" for instructions
Enter SQL statements terminated with a ";"
sqlite> .tables
KEYALLOC_VIEW        dbadmin              policies
KEYDATA_VIEW         dnsseckeys           securitymodules
PARAMETER_LIST       keypairs             serialmodes
PARAMETER_VIEW       parameters           zones
categories           parameters_policies
sqlite> SELECT * FROM KEYDATA_VIEW;
1|4|2012-03-05 22:51:42|2012-03-05 22:51:42|2012-03-06 00:52:46|2012-03-15 15:21:44|2015-03-15 15:21:44||257|8|0abdfa7c8b02a8dbbb8243d7e57b53ff|1|2|1|2048||0
2|4|2012-03-05 22:51:42|2012-03-05 22:51:42||2012-03-05 22:51:42|2012-04-04 22:51:42||256|8|576776893293a4531f547371829857b4|1|2|2|1024||0
3|4|2012-03-05 22:51:42|2012-03-05 22:51:42|2012-03-06 00:52:46|2012-03-06 19:24:06|2015-03-06 19:24:06||257|8|47cafb6857d0b50e5a354a5fa7ca7559|2|3|1|2048||0
4|4|2012-03-05 22:51:42|2012-03-05 22:51:42||2012-03-05 22:51:42|2012-04-04 22:51:42||256|8|5b95540e2aa58c802acfb53d9da82de1|2|3|2|1024||0
sqlite> .quit

-- 
Dick Visser
System & Networking Engineer
TERENA Secretariat
Singel 468 D, 1017 AW Amsterdam
The Netherlands
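
Added example (not part of the original message and not OpenDNSSEC code): because the state shown above lives in a SQLite file, a backup job can snapshot it with SQLite's online backup API rather than copying a file that may be mid-write, then run an integrity check on the copy. The sample database, its table columns and the file names below are constructed stand-ins for kasp.db.

```python
import hashlib
import os
import sqlite3
import tempfile


def snapshot_sqlite(src_path, dst_path):
    """Copy a live SQLite database with the online backup API and verify the copy."""
    # Open the source read-only so the backup job can never modify it.
    src = sqlite3.connect(f"file:{src_path}?mode=ro", uri=True)
    dst = sqlite3.connect(dst_path)
    try:
        src.backup(dst)  # consistent snapshot even while another process writes
        verdict = dst.execute("PRAGMA integrity_check").fetchone()[0]
        tables = sorted(r[0] for r in dst.execute(
            "SELECT name FROM sqlite_master WHERE type IN ('table', 'view')"))
    finally:
        src.close()
        dst.close()
    if verdict != "ok":
        os.unlink(dst_path)  # never keep a snapshot that failed verification
        raise RuntimeError(f"snapshot of {src_path} is corrupt: {verdict}")
    with open(dst_path, "rb") as fh:
        digest = hashlib.sha256(fh.read()).hexdigest()
    return {"tables": tables, "sha256": digest}


def make_sample_db(path):
    """Constructed stand-in for kasp.db: two tables with made-up columns."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE zones (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("CREATE TABLE keypairs (id INTEGER PRIMARY KEY, hsmkey_id TEXT)")
    con.execute("INSERT INTO zones (name) VALUES ('example.test')")
    con.execute("INSERT INTO keypairs (hsmkey_id) "
                "VALUES ('00112233445566778899aabbccddeeff')")
    con.commit()
    con.close()


def demo():
    """Snapshot the constructed database and read the copy back."""
    with tempfile.TemporaryDirectory() as tmp:
        live = os.path.join(tmp, "kasp.db")
        copy = os.path.join(tmp, "kasp.backup.db")
        make_sample_db(live)
        info = snapshot_sqlite(live, copy)
        restored = sqlite3.connect(copy)
        rows = restored.execute("SELECT hsmkey_id FROM keypairs").fetchall()
        restored.close()
        return info, rows
```

The returned SHA-256 can be stored next to the snapshot so a later restore can confirm the file is the one that passed the integrity check.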
