<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#FFFFFF">
    <div class="moz-cite-prefix">On 25/06/14 15:56, Emil Natan wrote:<br>
    </div>
    <blockquote
cite="mid:CAG=4S2CXOMgCfD7FWosMAiwSXvztoDgZcKeKX9b64N3g0cpe1Q@mail.gmail.com"
      type="cite">
      <meta http-equiv="Content-Type" content="text/html;
        charset=ISO-8859-1">
      <div dir="ltr">Hi Sion,
        <div><br>
        </div>
        <div>Thank you very much for your response. I actually never
          thought about the scenario where the signer is running and the
          enforcer is down, but your point is perfectly valid and the
          idea can be useful in certain circumstances. Thanks.</div>
        <div><br>
        </div>
        <div>Emil</div>
      </div>
    </blockquote>
    <br>
    No problem.<br>
    <br>
    The most immediate event in most situations is likely to be
    signature expiry (or the need to update the zone); so getting a
    signer running and using the correct keys should be your first
    priority.<br>
    <br>
    Getting an enforcer running can wait. Assuming that you are happy
    with the keys you are using, the only thing you might break is your
    policy of how often to roll, and this does not stop validation.<br>
    <br>
    Sion<br>
    <br>
    <blockquote
cite="mid:CAG=4S2CXOMgCfD7FWosMAiwSXvztoDgZcKeKX9b64N3g0cpe1Q@mail.gmail.com"
      type="cite">
      <div class="gmail_extra"><br>
        <br>
        <div class="gmail_quote">On Wed, Jun 25, 2014 at 5:42 PM, Siôn
          Lloyd <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:sion@nominet.org.uk" target="_blank">sion@nominet.org.uk</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0
            .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div text="#000000" bgcolor="#FFFFFF">
              <div>
                <div class="h5">
                  <div>On 25/06/14 14:13, Emil Natan wrote:<br>
                  </div>
                  <blockquote type="cite">
                    <div dir="ltr">Hello,
                      <div><br>
                      </div>
                      <div>My goal is to replicate the ODS configuration
                        between two nodes, one is active with ODS
                        running and one passive where ODS is not
                        running.</div>
                      <div><br>
                      </div>
                      <div><a moz-do-not-send="true"
                          href="https://wiki.opendnssec.org/display/DOCS/High+availability"
                          target="_blank">https://wiki.opendnssec.org/display/DOCS/High+availability</a><br>
                      </div>
                      <div><br>
                      </div>
                      <div>... states under the "What to copy" section:</div>
                      <div><br>
                      </div>
                      <div>"The state data - the minimum data required
                        are the signconf files (default location is the
                         /var/opendnssec/signconf directory)"</div>
                      <div><br>
                      </div>
                      <div>I see the files under signconf actually
                        contain configuration copied from kasp.conf and
                        information about the keys which is stored in
                        the database (in my case MySQL). If these files
                        are missing, they are automatically created when
                        the enforcer starts. My point is I do not see a
                        reason to copy these files from one machine to
                        another if they are created when the enforcer
                        starts. Can I really omit this step, or am I
                        missing something?</div>
                      <div>Thanks.</div>
                      <div><br>
                      </div>
                      <div>Emil<br>
                      </div>
                    </div>
                  </blockquote>
                  <br>
                </div>
              </div>
              Hi Emil,<br>
              <br>
              I think that the meaning here is that so long as you have
              those files you can run a signer instance and so keep
              signatures from expiring.<br>
              <br>
              Your assertion about them being created by the enforcer is
              correct. However, when you start your backup enforcer you
              need to be sure that the keyset is the same and so these
              files can be useful for that too.<br>
              <br>
              Sion<br>
            </div>
            <br>
            _______________________________________________<br>
            Opendnssec-user mailing list<br>
            <a moz-do-not-send="true"
              href="mailto:Opendnssec-user@lists.opendnssec.org">Opendnssec-user@lists.opendnssec.org</a><br>
            <a moz-do-not-send="true"
              href="https://lists.opendnssec.org/mailman/listinfo/opendnssec-user"
              target="_blank">https://lists.opendnssec.org/mailman/listinfo/opendnssec-user</a><br>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
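    <br>
    Added example (not part of the original thread and not OpenDNSSEC
    code): one way to check the point made above about the backup node
    having the same keyset, by comparing the key entries in the active
    node's signconf file with the standby's. The element names (Zone,
    Keys, Key, Flags, Algorithm, Locator and the KSK, ZSK, Publish and
    Deactivate markers) are the signconf layout assumed here, and the
    zone name and locators are constructed sample values.<br>
    <pre>
```python
# Added example: compare the keysets recorded in two nodes' signconf files.
import xml.etree.ElementTree as ET

# Assumed signconf layout: SignerConfiguration/Zone/Keys/Key, each Key holding
# Flags, Algorithm, Locator and empty role markers.
ROLE_TAGS = ("KSK", "ZSK", "Publish", "Deactivate")


def make_signconf(zone, keys):
    """Build a constructed, minimal signconf document for the demo."""
    root = ET.Element("SignerConfiguration")
    keys_el = ET.SubElement(ET.SubElement(root, "Zone", name=zone), "Keys")
    for flags, algorithm, locator, roles in keys:
        key = ET.SubElement(keys_el, "Key")
        ET.SubElement(key, "Flags").text = str(flags)
        ET.SubElement(key, "Algorithm").text = str(algorithm)
        ET.SubElement(key, "Locator").text = locator
        for role in roles:
            ET.SubElement(key, role)
    return ET.tostring(root, encoding="unicode")


def keyset(signconf_xml):
    """Map each key locator to (flags, algorithm, roles) for one signconf."""
    found = {}
    for key in ET.fromstring(signconf_xml).iter("Key"):
        locator = key.findtext("Locator", "").strip().lower()
        roles = frozenset(c.tag for c in key if c.tag in ROLE_TAGS)
        found[locator] = (key.findtext("Flags", "").strip(),
                          key.findtext("Algorithm", "").strip(), roles)
    return found


def compare_keysets(active_xml, standby_xml):
    """Report keys that differ between the active and the standby node."""
    active, standby = keyset(active_xml), keyset(standby_xml)
    return {
        "missing_on_standby": sorted(active.keys() - standby.keys()),
        "extra_on_standby": sorted(standby.keys() - active.keys()),
        "changed": sorted(k for k in active
                          if k in standby and active[k] != standby[k]),
    }


# Constructed sample: the standby holds a different ZSK than the active node.
KSK = (257, 8, "a1" * 16, ["KSK", "Publish"])
ACTIVE = make_signconf("example.com", [KSK, (256, 8, "b2" * 16, ["ZSK", "Publish"])])
STANDBY = make_signconf("example.com", [KSK, (256, 8, "c3" * 16, ["ZSK", "Publish"])])

if __name__ == "__main__":
    print(compare_keysets(ACTIVE, STANDBY))
```
</pre>
    For real use, pass compare_keysets() the text of the same zone's
    file from each node's signconf directory; three empty lists mean the
    standby would sign with the keys the active node is using.<br>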
  </body>
</html>