<div dir="ltr">Hi,<div class="gmail_extra"><br><br><div class="gmail_quote">On Sun, Aug 24, 2014 at 3:59 PM, gaolei <span dir="ltr"><<a href="mailto:gaolei@knet.cn" target="_blank">gaolei@knet.cn</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex"><u></u>








<div style="margin:10px">
<div>
<div> </div></div>
<div>
<div style="background-color:white">
<div>
<div>
<div><font face="Verdana">Hi all,</font></div>
<div> </div>
<div style="text-indent:2em">From KNET, I notice there is a topic about 
opendnssec High Availability at <a href="https://wiki.opendnssec.org/display/DOCS/High+availability" target="_blank">https://wiki.opendnssec.org/display/DOCS/High+availability</a> 
</div>
<div style="text-indent:2em"> </div>
<div style="text-indent:2em">But I was a little puzzled by this page.</div>
<div style="text-indent:2em"> </div>
<div style="text-indent:2em">It mentioned master/slave like 
this:</div>
<div style="text-indent:2em">
<h2 style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(255,126,0);padding:0px;border-bottom-color:rgb(102,153,204);font-style:normal;font-variant:normal;font-weight:normal;font-size:20px;line-height:1.5;font-family:Arial,sans-serif;margin:30px 0px 0px;letter-spacing:normal;text-indent:0px;background-color:rgb(255,255,255)">
Master/Slave</h2>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:0px;background-color:rgb(255,255,255)">
<font color="#ff9900">Careful consideration should be given to which, if any, process 
are run on a slave (or on each master in a Master-Master) configuration. Some 
operators don't run either the enforcer or the signer on a slave instance but 
merely duplicate the data between the two instances in a timely fashion. Others 
run two master servers, both enforcing and signing but only publishing from an 
'active' master</font>.</p>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:0px;background-color:rgb(255,255,255)">
 </p>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:2em;background-color:rgb(255,255,255)">
I'm 
wondering what will happen to the rollover of keys if we make a 
master-master deployment.</p>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:2em;background-color:rgb(255,255,255)">
1. MySQL 
used to store key data, and</p>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:2em;background-color:rgb(255,255,255)">
2. HSM 
machine employed to generate keys, and</p>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:2em;background-color:rgb(255,255,255)">
3. Two 
opendnssec instances running on separate servers for the same zone</p>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:2em;background-color:rgb(255,255,255)">
Will 
the two opendnssec instances generate different keys for the same zone? If so, 
it seems as if it will bring trouble when the 'active' master is 
down?</p>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:2em;background-color:rgb(255,255,255)">
</p></div></div></div></div></div></div></blockquote><div><br></div><div>Yes, the two instances will generate different keys and that will cause problems on switching between the two signers. It's not clear if you plan to use a separate HSM for each of the ODS instances, but what you generally do is pre-generate keys and have them synced in case of two HSMs. The MySQL on both signers should be in sync, the HSM key mapping files as well, so basically the two signers sign the zone using the same keys.</div>
<div>Here is another thread of the mailing list discussing HA.</div><div><a href="http://lists.opendnssec.org/pipermail/opendnssec-user/2014-June/003024.html">http://lists.opendnssec.org/pipermail/opendnssec-user/2014-June/003024.html</a><br>
</div><div><br></div><div>HTH</div><div><br></div><div>Emil</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left-width:1px;border-left-color:rgb(204,204,204);border-left-style:solid;padding-left:1ex">
<div style="margin:10px"><div><div style="background-color:white"><div><div><div style="text-indent:2em"><p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:2em;background-color:rgb(255,255,255)">
 </p>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:2em;background-color:rgb(255,255,255)">
Can anyone 
give more suggestions on the High Availability of opendnssec?</p>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:2em;background-color:rgb(255,255,255)">
 </p>
<p style="white-space:normal;word-spacing:0px;text-transform:none;color:rgb(51,51,51);padding:0px;font-style:normal;font-variant:normal;font-weight:normal;font-size:14px;line-height:20px;font-family:Arial,sans-serif;margin:10px 0px 0px;letter-spacing:normal;text-indent:2em;background-color:rgb(255,255,255)">
Best 
Regards!</p></div></div></div>
<div> </div>
<hr style="min-height:1px;width:210px" align="left" color="#b5c4df" size="1">

<div>2014-08-24 18:05:37</div><span class=""><font color="#888888">
<div>gaolei</div></font></span></div></div></div>
<br></blockquote></div><br></div></div>
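<div>A pre-failover check for the condition described in the reply above, as an added example that is not part of the original thread or of OpenDNSSEC: it compares the DNSKEY sets served by two signers using the RFC 4034 key tag. The DNSKEY records are constructed samples, and the function names and the way the record text is collected from each signer are assumptions.</div>

```python
import base64
import struct


def key_tag(flags, protocol, algorithm, pubkey_b64):
    """RFC 4034 Appendix B key tag over DNSKEY RDATA (algorithms other than 1)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    acc = 0
    for i, byte in enumerate(rdata):
        acc += (byte << 8) if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF


def parse_dnskeys(text):
    """Map (flags, algorithm, key_tag) -> public key for each DNSKEY line."""
    keys = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if "DNSKEY" not in fields:
            continue
        i = fields.index("DNSKEY")
        flags, proto, alg = (int(x) for x in fields[i + 1:i + 4])
        pub = "".join(fields[i + 4:])  # base64 may be split by whitespace
        keys[(flags, alg, key_tag(flags, proto, alg, pub))] = pub
    return keys


def compare_signers(a_text, b_text):
    """Report keys present on only one signer; in_sync requires identical key material."""
    a, b = parse_dnskeys(a_text), parse_dnskeys(b_text)
    return {
        "only_a": sorted(set(a) - set(b)),
        "only_b": sorted(set(b) - set(a)),
        "in_sync": a == b,
    }


def _rr(flags, seed):
    # Constructed sample record (not a real key): 64 deterministic bytes as key data.
    pub = base64.b64encode(bytes((seed + i) % 256 for i in range(64))).decode()
    return f"example.com. 3600 IN DNSKEY {flags} 3 8 {pub}"


SIGNER_A = "\n".join([_rr(257, 1), _rr(256, 2)])          # KSK + ZSK
SIGNER_B_SYNCED = SIGNER_A                                # keys replicated
SIGNER_B_DRIFTED = "\n".join([_rr(257, 1), _rr(256, 9)])  # ZSK generated locally

if __name__ == "__main__":
    print(compare_signers(SIGNER_A, SIGNER_B_SYNCED))
    print(compare_signers(SIGNER_A, SIGNER_B_DRIFTED))
```

A non-empty `only_a` or `only_b` means the standby would sign with a key that resolvers have not seen published, which is the switching problem the reply describes.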