On 13/12/12 10:10, Fred Zwarts (KVI) wrote:
> We have a few OpenDNSsec test installations, one with
> opendnssec-1.4.0b1 and softhsm-1.3.3 and on another system with
> opendnssec-1.3.9 and softhsm-1.3.2. I noticed a different behavior
> that I do not understand. Has something changed, or is there a
> misconception in my understanding?
>
> Both systems have a similar, but slightly different configuration,
> using "SoftHSM" with the <RequireBackup/> option. Both systems do a
> ZSK rollover once every few weeks.
>
> After such a rollover the system with opendnssec-1.3.9, when I use the
> "ods-ksmutil backup list -v" command, shows that there are keys not in
> the backup. After a "ods-ksmutil backup done", another backup date is
> added to the list.
>
> The system with opendnssec-1.4.0b1, however, never shows that there
> are keys not in the backup. If I try "ods-ksmutil backup done" it
> tells me that there are no keys to back up and no date is added to the
> list. The last backup date listed is several months ago. At least a
> few ZSK rollovers have been processed since then. I do not remember
> whether these old backup dates are related to a KSK rollover, or that
> we were still running another version of opendnssec at that time on
> this test system.
>
This could be related to a change made in 1.4 that deprecates the backup
done command. See:

https://wiki.opendnssec.org/display/DOCSTRUNK/ods-ksmutil#ods-ksmutil-Commandbackupdone

So if your backup done was scripted it now needs to include the --force
flag or cope with the "Do you wish to continue" question. (Or better
still it should use the two-step backup process.)

Sion
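
The two-step backup process mentioned in the reply above, as an added example that is not part of the original thread or of OpenDNSSEC itself. It assumes the repository is named "SoftHSM" as in the question; the function name, the ODS_KSMUTIL override variable, and the token database and destination paths are hypothetical.

```shell
#!/bin/sh
# Added example: scripted two-step key backup for OpenDNSSEC 1.4.
# ODS_KSMUTIL lets the binary be overridden (assumption, for testing).
ODS_KSMUTIL="${ODS_KSMUTIL:-ods-ksmutil}"

# backup_keys REPOSITORY TOKEN_DB DEST_DIR
#   REPOSITORY  repository name from conf.xml (e.g. "SoftHSM")
#   TOKEN_DB    path to the SoftHSM token database (site-specific)
#   DEST_DIR    directory that receives the timestamped copy
# Prints the path of the copy on success.
# Returns 1 if prepare fails, 2 if the copy fails (state rolled back),
# 3 if the copy succeeded but commit failed.
backup_keys() {
    repo=$1 token_db=$2 dest_dir=$3
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest="$dest_dir/$(basename "$token_db").$stamp"

    # Step 1: flag the keys that exist now as "to be backed up".
    "$ODS_KSMUTIL" backup prepare --repository "$repo" || return 1

    # Copy the token database and verify the copy byte for byte.
    if cp -p "$token_db" "$dest" && cmp -s "$token_db" "$dest"; then
        # Step 2: mark only the flagged keys as backed up.
        "$ODS_KSMUTIL" backup commit --repository "$repo" || return 3
        echo "$dest"
        return 0
    fi

    # Copy failed: discard the partial file and clear the flags so the
    # keys still show up as not backed up in "backup list -v".
    rm -f "$dest"
    "$ODS_KSMUTIL" backup rollback --repository "$repo"
    return 2
}
```

With <RequireBackup/> set, a copy that fails leaves the keys unmarked, so the failure stays visible in "ods-ksmutil backup list -v" and the script can be rerun.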
