Hi Thomas,
I don't think that simple backup using rsync is safe. In general,
Knot DNS manages up to 4 LMDB databases (confdb, journal, timers, and
kaspdb).
You should backup these databases using proper commands.
See
https://www.knot-dns.cz/docs/2.8/singlehtml/index.html#export-import-kasp-db
Probably you don't have to backup journal and timers.
Daniel
On 2019-03-20 13:48, Thomas E. wrote:
Hi!
We've been experimenting with backups and disaster recovery in our
knot test setup and have been running into a weird issue.
Basically our backup strategy right now is to perform incremental
backups of the /var/lib/knot and the /etc/knot directories via rsync.
When we try to restore these backups knot starts successfully, but
logs the following messages for each of the zones that are currently
in a signed template:
2019-03-08T11:43:05 info: [example.com.] DNSSEC, signing zone
2019-03-08T11:43:05 error: [example.com.] zone event 'DNSSEC re-sign' failed (invalid parameter)
When we try to query information about these zones via dig we receive
a SERVFAIL rcode for them.
All of the zones that are not processed through the DNSSEC mechanism
are unaffected by this.
We also experienced the same behavior when we were experimenting with
adding new zones that are signed immediately.
To workaround this problem we currently add the zone in an unsigned
state (aka default template) to knot and after that we switch the
template of the zone to "signed".
This works like a charm for new zones and can also be used to recover
each of the broken zones after restoring the backup, but we'd rather
not use this workaround during disaster recovery as it would impose
the danger of breaking the zones if it is not performed correctly.
The templates and policies in our knot.conf look like this right now:
policy:
  - id: shared
    algorithm: RSASHA256
    ksk-size: 2048
    zsk-size: 1024
    zsk-lifetime: 1d
    ksk-lifetime: 2d
    ksk-shared: true
    ksk-submission: resolver
    nsec3: true
    cds-cdnskey-publish: always

template:
  - id: default
    storage: "/var/lib/knot"
    semantic-checks: on
    global-module: mod-stats
    master: primary
    notify: secondaries
    acl: [primary, secondaries]
    serial-policy: unixtime
    dnssec-signing: off

  - id: signed
    dnssec-signing: on
    dnssec-policy: shared
    master: primary
    notify: secondaries
    acl: [primary, secondaries]
    serial-policy: unixtime

zone:
  - domain: example.com
    template: signed
Thanks,
Thomas
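A worked example of what Daniel's advice amounts to in practice, added here and not part of the thread or of Knot DNS itself: a POSIX shell script that snapshots each Knot LMDB environment with mdb_copy from the LMDB tools instead of rsyncing the raw data.mdb files. mdb_copy reads the database inside a single read transaction, so the copy is internally consistent even if knotd is writing at the same time, which a file-level rsync of a live LMDB directory does not guarantee. The script assumes the Knot 2.8 default layout below the storage directory (keys/ for the KASP DB, journal/, timers/, plus confdb/) and that /etc/knot holds only plain files; the function names knot_db_dirs, backup_lmdb_dir and backup_knot are this example's own, and the paths must be adjusted if knot.conf overrides kasp-db, journal-db or timer-db.

```shell
#!/bin/sh
# Example backup script for Knot DNS LMDB databases (added example, not
# from the mailing-list thread and not part of Knot DNS).
#
# Assumptions (not taken from the thread): Knot 2.8 default sub-paths
# under the storage directory, i.e. kasp-db = storage/keys,
# journal-db = storage/journal, timer-db = storage/timers, and the
# configuration database at storage/confdb. Each is an LMDB environment
# containing data.mdb and lock.mdb. mdb_copy comes from the LMDB tools
# (package lmdb-utils on Debian/Ubuntu) and needs read access to the
# lock file, so run this as the knot user or as root.
set -eu

# Print, one per line, the LMDB environment directories that exist below
# the given storage directory (and the optional confdb path). Only
# directories that actually contain a data.mdb are reported.
knot_db_dirs() {
    storage=$1
    confdb=${2:-$storage/confdb}
    for d in "$confdb" "$storage/keys" "$storage/journal" "$storage/timers"; do
        [ -f "$d/data.mdb" ] && echo "$d"
    done
    return 0
}

# Snapshot one LMDB environment with mdb_copy. -c writes a compacted copy
# (free pages dropped), which also shrinks the backup. Fails loudly if the
# tool is missing rather than silently falling back to a plain file copy.
backup_lmdb_dir() {
    src=$1
    dst=$2
    command -v mdb_copy >/dev/null 2>&1 || {
        echo "mdb_copy not found; install the LMDB tools" >&2
        return 1
    }
    mkdir -p "$dst"
    mdb_copy -c "$src" "$dst"
}

# Back up every Knot database found under STORAGE into DEST/<name>, and
# the plain-text configuration directory alongside it. The knot.conf
# directory holds ordinary files, so a normal recursive copy is fine there.
backup_knot() {
    storage=$1
    dest=$2
    confdir=${3:-/etc/knot}
    mkdir -p "$dest"
    knot_db_dirs "$storage" | while IFS= read -r d; do
        backup_lmdb_dir "$d" "$dest/$(basename "$d")"
    done
    [ -d "$confdir" ] && cp -a "$confdir" "$dest/etc-knot"
    return 0
}

# Usage (as root or the knot user):
#   backup_knot /var/lib/knot /srv/backup/knot-$(date +%F)
```

Restoring is the reverse operation: stop knotd, put each copied directory back at its configured path with the original ownership, and start knotd again. Because every environment is captured as a consistent snapshot, the KASP DB and the zone journal do not end up in the half-written state that produces a failed 'DNSSEC re-sign' event on startup. If the journal and timers are not worth keeping, as Daniel suggests, simply omit those two directories from the restore.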