[Opendnssec-develop] Thoughts about redundancy

Roland van Rijswijk roland.vanrijswijk at surfnet.nl
Tue Feb 10 08:04:25 UTC 2009


Hi guys,

Just a thought I would like to bounce off you all... After yesterday's
meeting I started thinking a bit about redundancy and how we (as
SURFnet) could deploy OpenDNSSEC within our network.

We have four datacenters in The Netherlands and our current DNS
infrastructure is distributed over three of these points-of-presence.

Ideally, I would want an OpenDNSSEC deployment to be redundant as well
with at least two different points-of-presence within the network. This
would mean duplicating the entire setup, including an HSM.

This is where my questions/ponderings come in. This setup raises two
questions for me:

- How do I keep the two OpenDNSSEC systems synchronised? Is that
something that would need to be defined/designed (obviously this is a
2.0+ feature)?

- I think there is consensus within the project that HSMs and all things
related to HSM management fall outside of the OpenDNSSEC system. This
would mean that keeping the HSMs synchronised would be my job. But I can
imagine that OpenDNSSEC could/should in some way facilitate this, for
instance by firing off triggers when a modification of the data in the
HSM has taken place (e.g. key generation), and for instance by enabling
scheduled downtime (for a couple of minutes) to allow for HSM
synchronisation/snapshotting. (Both of these could be considered
policies, I guess)

I realise that these features may be way beyond version 1.0. My
impression was that some people in the project would like to postpone
discussion of such features, which I understand and agree with as the
focus should now be on version 1.0. I think it would be a shame,
however, if ideas about new features for future versions (starting with
2.0) cannot be discussed at all; so I would like to propose the
following: how about we define a second mailing list for 'feature
requests' or 'future features' or something like that? In that way, the
development list stays "clean" and is only for current development, thus
maintaining focus. Just my 2 cents...

Cheers,

Roland

-- 

-- Roland M. van Rijswijk
-- SURFnet Middleware Services
-- t: +31-30-2305388
-- e: roland.vanrijswijk at surfnet.nl
