[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?
John Dickinson
jad at sinodun.com
Thu Sep 19 14:03:11 UTC 2013
On 19 Sep 2013, at 08:44, Jerry Lundström <jerry at opendnssec.org> wrote:
> On Sep 19, 2013, at 10:13 , Siôn Lloyd wrote:
>
>> If you have different salt it implies that you have an enforcer running
>> at both nodes, or at least that the signconfs are not in sync. The
>> problem that you need to worry about here is what happens when one node
>> kicks off a key roll?
>
> Yes, both will have enforcers since I will be trying to manage multiple instances with the interfaces we have and NOT mess around with the internal files (which you should really really really not do).
>
> Key rollovers will be set to manual in the policy and handled automatically by the management tool.
I have not had time to look at LIM, so this may be a stupid comment...
IMHO: This kind of makes some of the enforcer pointless if an external mgmt. app is doing the key rollover (even more so in v2 ????). I would imagine that most operators would prefer an active-active system where the two enforcers communicate state to each other and both signers act as masters for the zones. I do realise that this might be a lot more work :)
Out of interest, has there been any architecture discussion for this kind of functionality? I could not find it...
regards
John
>
>> As has been said the salt change is not in itself an issue; but it would
>> indicate that the two nodes are not in step - which could be serious.
>
>
> Not really, everything but the salt will be synchronized since we don't have interfaces to manage the salt. And since the salt does not seem to be a problem it should work.
>
> /Jerry
>
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/
---
jad at sinodun.com
http://sinodun.com
Sinodun Internet Technologies Ltd.
Stables 4, Suite 11,
Howbery Park,
Wallingford,
Oxfordshire,
OX10 8BA,
U.K.
+44 (0)1491 834957
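One way to detect the "not in step" condition Siôn and Jerry discuss above, as an added example that is not OpenDNSSEC code: compare the NSEC3PARAM and DNSKEY RRsets the two signer nodes publish for the same zone, reporting a salt-only difference as a warning (harmless for validation, but a sign the signconfs differ) and a DNSKEY difference (a key roll in flight on one node only) as serious. The zone name, salts and key data are constructed, and the input format assumed is dig-style answer lines.

```python
# Added example, not OpenDNSSEC code: compare what two signer nodes publish for one
# zone and classify the drift discussed in the thread. Input is dig-style answer
# lines ("owner ttl class type rdata"); the zone, salts and key data are constructed.
from typing import Tuple

def parse_nsec3param(rdata: str) -> Tuple[int, int, int, str]:
    """NSEC3PARAM presentation format is '<alg> <flags> <iterations> <salt-hex>'."""
    alg, flags, iters, salt = rdata.split()
    return int(alg), int(flags), int(iters), salt.upper()  # "-" means empty salt

def zone_state(answer_lines):
    """Return (NSEC3PARAM tuple or None, set of DNSKEY rdata) from one node's answers."""
    param = None
    dnskeys = set()
    for line in answer_lines:
        fields = line.split(None, 4)
        if len(fields) < 5 or fields[0].startswith(";"):
            continue  # blank or comment line
        rtype, rdata = fields[3], " ".join(fields[4].split())  # normalise whitespace
        if rtype == "NSEC3PARAM":
            param = parse_nsec3param(rdata)
        elif rtype == "DNSKEY":
            dnskeys.add(rdata)
    return param, dnskeys

def classify_drift(node_a, node_b):
    """Map the differences between two nodes to the categories raised in the thread."""
    pa, ka = zone_state(node_a)
    pb, kb = zone_state(node_b)
    out = {"dnskey": ka != kb, "salt": False, "hash_params": False}
    if pa is not None and pb is not None:
        out["salt"] = pa[3] != pb[3]           # salt only: harmless, but signconfs differ
        out["hash_params"] = pa[:3] != pb[:3]  # algorithm/flags/iterations differ
    if out["dnskey"]:
        out["verdict"] = "SERIOUS: DNSKEY RRsets differ, a key roll is in flight on one node only"
    elif out["salt"] or out["hash_params"]:
        out["verdict"] = "WARNING: NSEC3 parameters differ, the nodes' signconfs are not in sync"
    else:
        out["verdict"] = "OK: nodes are in step"
    return out

# Constructed sample answers: same DNSKEY set on both nodes, but node B used a new salt.
NODE_A = ["example. 3600 IN NSEC3PARAM 1 0 5 ABCDEF12",
          "example. 3600 IN DNSKEY 257 3 8 AwEAAcKSK", "example. 3600 IN DNSKEY 256 3 8 AwEAAcZSK"]
NODE_B = ["example. 3600 IN NSEC3PARAM 1 0 5 12FEDCBA",
          "example. 3600 IN DNSKEY 256 3 8 AwEAAcZSK", "example. 3600 IN DNSKEY 257 3 8 AwEAAcKSK"]

if __name__ == "__main__":
    print(classify_drift(NODE_A, NODE_B)["verdict"])
```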