[Opendnssec-develop] face2face agenda: design diagrams

Olaf Kolkman olaf at NLnetLabs.nl
Mon Feb 2 11:57:47 UTC 2009

On Jan 30, 2009, at 4:05 AM, Rick van Rein wrote:

> * Robustness through redundancy
>  For some applications, such as TLDs and the root zone, we should look
>  into what it takes to create a robust setup.  We do not want to fail
>  our most important domains "just" because of a local earthquake.
>  Designing this into the system is not very difficult, using existing
>  clustering techniques, but it is good to have in mind early in the
>  design process.

Although I agree that you need to design for robustness I think that
you will need to define some timescales that one would like to achieve
here. If you say clustering I interpret that as near-real-time
replication of the systems state.

Following the first-walk-then-run principle I wonder if we want to
design towards that in version 1.

>  This can probably be established in the KASP with either of the following
>  approaches:
>    a) The KASP is redundant, for example because it uses a distributed
>       redundancy mechanism (think of MySQL replication, DRBD, ...) and
>       the result is that keys are available to all signers.  Slaves can
>       simply be directed to the signer that is currently to be trusted.
>    b) The DNSKEY records of each of two (or more) independent signers are
>       brought into all the signers, in some way that integrates with the
>       IXFR approach and/or with the master name server.

Remember... version 1 does not do IXFR!

As for b): My first thoughts on that seem to lead to redundancy
at the cost of packet size: if you want to do a valid rollover from
system 1 to system 2 you have to pre-publish the DNSKEY...



Olaf M. Kolkman                        NLnet Labs
                                        Science Park 140,
http://www.nlnetlabs.nl/               1098 XG Amsterdam

NB: The street at which our offices are located has been
renamed to the above.
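The trade-off Olaf raises for approach b) can be made concrete with a small model. The following is an added example, not code from this thread or from OpenDNSSEC: a toy validating resolver that caches the DNSKEY RRset, a failover from signer 1 (key tag 1) to signer 2 (key tag 2), and a rough DNSKEY RRset size calculation. The TTL, key tags, owner name and key lengths are all constructed assumptions.

```python
"""Toy model of signer failover with and without pre-published DNSKEYs.

Constructed example: key tags 1 and 2 stand for the ZSKs of two independent
signers; nothing here parses real DNS wire format.
"""
from dataclasses import dataclass

DNSKEY_TTL = 3600  # assumed TTL of the zone's DNSKEY RRset, in seconds


@dataclass
class Resolver:
    """A validating resolver that keeps the DNSKEY RRset it last fetched
    until the TTL runs out, as real caches do."""
    cached_keys: frozenset = frozenset()
    cached_at: int = -1

    def validate(self, zone_keys, rrsig_keytag, now):
        # Refetch the DNSKEY RRset only when the cached copy has expired.
        if self.cached_at < 0 or now - self.cached_at >= DNSKEY_TTL:
            self.cached_keys = frozenset(zone_keys)
            self.cached_at = now
        # An RRSIG is only valid if its key tag is in the cached DNSKEY set.
        return rrsig_keytag in self.cached_keys


def simulate(keys_before, keys_after, failover_at, query_at):
    """Signer 1 serves the zone until failover_at, then signer 2 takes over
    and signs with its own key. keys_before/keys_after are the DNSKEY RRsets
    the zone publishes before and after the switch. Returns whether a
    resolver that primed its cache at t=0 still validates an answer
    fetched at query_at."""
    resolver = Resolver()
    resolver.validate(keys_before, 1, 0)  # prime the cache from signer 1
    zone_keys = keys_after if query_at >= failover_at else keys_before
    signing_tag = 2 if query_at >= failover_at else 1
    return resolver.validate(zone_keys, signing_tag, query_at)


def dnskey_rrset_wire_size(owner, key_field_lengths):
    """Rough uncompressed wire size of a DNSKEY RRset: per RR, the owner
    name, 10 bytes of type/class/TTL/RDLENGTH, 4 bytes of flags/protocol/
    algorithm, plus the public key field (132 bytes for a 1024-bit RSA key
    with a 3-byte exponent)."""
    labels = owner.rstrip(".").split(".")
    name_len = sum(len(label) + 1 for label in labels) + 1  # root label
    return sum(name_len + 10 + 4 + k for k in key_field_lengths)
```

Without pre-publication the resolver keeps validating against signer 1's key alone until its cache expires, so signer 2's signatures are bogus for up to one DNSKEY TTL; with both keys pre-published the switch is clean, at the price of roughly doubling the DNSKEY RRset on the wire.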
