"Fred Zwarts (KVI)"  wrote in message news:[email protected]...

"Siôn Lloyd" wrote in message news:[email protected]...

On 13/12/12 10:10, Fred Zwarts (KVI) wrote:
We have a few OpenDNSsec test installations, one with
opendnssec-1.4.0b1 and softhsm-1.3.3 and on another system with
opendnssec-1.3.9 and softhsm-1.3.2/. I noticed a different behavior
that I do not understand. Has something changed, or is there a
misconception in my understanding?

Both systems have a similar, but slightly different configuration,
using "SoftHSM" with the <RequireBackup/> option. Both systems do a
ZSK rollover once every few weeks.

After such a rollover the system with opendnssec-1.3.9, when I use the
"ods-ksmutil backup list -v" command, shows that there are keys not in
the backup. After a "ods-ksmutil backup done", another backup date is
added to the list.

The system with opendnssec-1.4.0b1, however, never shows that there
are keys not in the backup. If I try "ods-ksmutil backup done" it
tells me that there are no keys to backup and no date is added to the
list. The last backup date listed is several months ago. At least a
few ZSK rollovers have been processed since then. I do not remember
whether these old backup dates are related to a KSK rollover, or that
we were still running another version of opendnssec at that time on
this test system.


This could be related to a change made in 1.4 that deprecates the backup
done command. See:

https://wiki.opendnssec.org/display/DOCSTRUNK/ods-ksmutil#ods-ksmutil-Commandbackupdone

So if your backup done was scripted it now needs to include the --force
flag or cope with the "Do you wish to continue" question. (Or better
still it should use the two-step backup process.)

That does not explain why the backup list no longer mentions the keys
that are not backed up. I do not use a script. There is no such
question. It simply tells me that there are no keys to back up.
The two-step backup process also tells me that there are no keys to
back up.

It seems that the difference can be explained by differences in
preallocating a pool of keys for future use. Thanks to Siôn Lloyd for
pointing at this possibility.


_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
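As an added example that is not part of the thread, here is the two-step backup flow Siôn refers to, written as a POSIX shell function. It assumes a repository named SoftHSM (the name used in the original message), a SoftHSM 1.x token database at /var/lib/softhsm/slot0.db, a backup directory of /var/backups/softhsm, and the ods-ksmutil 1.4 subcommands backup prepare, backup commit and backup rollback with --repository; the paths and the rollback-on-failure handling are this example's assumptions, not something the thread states.

```shell
#!/bin/sh
# Added example (not from the thread): the two-step backup flow of
# ods-ksmutil 1.4, wrapped so that a failed copy of the token database
# never leaves keys marked as backed up.
#
# Assumptions made here, not stated in the thread:
#   - the repository is called "SoftHSM" (the name used in the thread)
#   - SoftHSM 1.x keeps its token in the SQLite file /var/lib/softhsm/slot0.db
#   - backups go to /var/backups/softhsm
# All of these can be overridden through the environment.
set -u

ODS_KSMUTIL="${ODS_KSMUTIL:-ods-ksmutil}"
REPOSITORY="${REPOSITORY:-SoftHSM}"
TOKEN_DB="${TOKEN_DB:-/var/lib/softhsm/slot0.db}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/softhsm}"

# Run one "ods-ksmutil backup <subcommand>" for the configured repository.
ksm_backup() {
    "$ODS_KSMUTIL" backup "$1" --repository "$REPOSITORY"
}

# Prepare, copy the token database, commit; roll back if the copy fails.
# Prints the path of the new backup file on success.
two_step_backup() {
    dest="$BACKUP_DIR/slot0.db.$(date +%Y%m%d%H%M%S)"
    mkdir -p "$BACKUP_DIR" || return 1

    # Step 1: flag the keys that exist now as "backup in progress".
    # Keys generated after this point are not covered by the commit.
    ksm_backup prepare || return 1

    # Copy the HSM token database. With <RequireBackup/> the enforcer
    # only uses keys that are marked as backed up, so a commit without a
    # real copy would be worse than no backup at all: undo the prepare.
    if ! cp "$TOKEN_DB" "$dest"; then
        ksm_backup rollback
        return 1
    fi

    # Step 2: record the backup in the KASP database.
    ksm_backup commit || return 1
    echo "$dest"
}
```

The point of splitting prepare and commit is the window in between: any key the enforcer generates while the copy is running is deliberately left unmarked, so the next `ods-ksmutil backup list -v` still reports it as not backed up and it will be picked up by the following run.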
