[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?

John Dickinson jad at sinodun.com
Thu Sep 19 16:03:11 CEST 2013


On 19 Sep 2013, at 08:44, Jerry Lundström <jerry at opendnssec.org> wrote:

> On Sep 19, 2013, at 10:13 , Siôn Lloyd wrote:
> 
>> If you have different salt it implies that you have an enforcer running
>> at both nodes, or at least that the signconfs are not in sync. The
>> problem that you need to worry about here is what happens when one node
>> kicks off a key roll?
> 
> Yes, both will have enforcers since I will be trying to manage multiple instances with the interfaces we have and NOT mess around with the internal files (which you should really really really not do).
> 
> Key rollovers will be set to manually in the policy and handled automatically by the management tool.

I have not had time to look at LIM, so this may be a stupid comment...

IMHO: This kind of makes some of the enforcer pointless if an external mgmt. app is doing the key rollover (even more so in v2 ????). I would imagine that most operators would prefer a active-active system where the two enforcers communicate state to each other and both signers act as masters for the zones. I do realise that this might be a lot more work :)

Out of interest, has there been any architecture discussion for this kind of functionality? I could not find it...

regards
John

> 
>> As has been said the salt change is not in itself an issue; but it would
>> indicate that the two nodes are not in step - which could be serious.
> 
> 
> Not really, everything but the salt will be synchronized since we don't have interfaces to manage the salt. And since the salt does not seem to be a problem it should work.
> 
> /Jerry
> 
> --
> Jerry Lundström - OpenDNSSEC Developer
> http://www.opendnssec.org/
> 
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop

---
jad at sinodun.com

http://sinodun.com

Sinodun Internet Technologies Ltd.
Stables 4, Suite 11,
Howbery Park,
Wallingford,
Oxfordshire,
OX10 8BA,
U.K.

+44 (0)1491 834957

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <https://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20130919/856440ad/attachment.sig>


More information about the Opendnssec-develop mailing list