[Opendnssec-develop] NSEC3 salt handling, do we need tools perhaps?
jad at sinodun.com
Thu Sep 19 14:03:11 UTC 2013
On 19 Sep 2013, at 08:44, Jerry Lundström <jerry at opendnssec.org> wrote:
> On Sep 19, 2013, at 10:13 , Siôn Lloyd wrote:
>> If you have different salt it implies that you have an enforcer running
>> at both nodes, or at least that the signconfs are not in sync. The
>> problem that you need to worry about here is what happens when one node
>> kicks off a key roll?
> Yes, both will have enforcers since I will be trying to manage multiple instances with the interfaces we have and NOT mess around with the internal files (which you should really really really not do).
> Key rollovers will be set to manually in the policy and handled automatically by the management tool.
I have not had time to look at LIM, so this may be a stupid comment...
IMHO: This kind of makes some of the enforcer pointless if an external mgmt. app is doing the key rollover (even more so in v2 ????). I would imagine that most operators would prefer an active-active system where the two enforcers communicate state to each other and both signers act as masters for the zones. I do realise that this might be a lot more work :)
Out of interest, has there been any architecture discussion for this kind of functionality? I could not find it...
>> As has been said the salt change is not in itself an issue; but it would
>> indicate that the two nodes are not in step - which could be serious.
> Not really, everything but the salt will be synchronized since we don't have interfaces to manage the salt. And since the salt does not seem to be a problem it should work.
> Jerry Lundström - OpenDNSSEC Developer
jad at sinodun.com
Sinodun Internet Technologies Ltd.
Stables 4, Suite 11,
+44 (0)1491 834957
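The check Siôn's point above suggests, as an added illustration rather than code from this thread or from OpenDNSSEC: diff the signconf a zone has on two nodes and distinguish a salt-only difference (harmless per the discussion) from a differing key set (one node has started a roll). The signconf element layout (Denial/NSEC3/Hash and Keys/Key with Flags, Algorithm, Locator, Publish) and the sample documents are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample signconf for one zone on node A (not real enforcer output).
# Element layout assumed: Denial/NSEC3/Hash/{Algorithm,Iterations,Salt} and
# Keys/Key/{Flags,Algorithm,Locator,Publish}.
NODE_A = """<SignerConfiguration><Zone name="example.com">
  <Denial><NSEC3><Hash><Algorithm>1</Algorithm><Iterations>5</Iterations>
    <Salt>1a2b3c4d</Salt></Hash></NSEC3></Denial>
  <Keys>
    <Key><Flags>257</Flags><Algorithm>8</Algorithm><Locator>ksk-0001</Locator><KSK/><Publish/></Key>
    <Key><Flags>256</Flags><Algorithm>8</Algorithm><Locator>zsk-0007</Locator><ZSK/><Publish/></Key>
  </Keys>
</Zone></SignerConfiguration>"""

# Node B variants: same keys but a locally generated salt, and a node that
# additionally rolled its ZSK (the case the thread flags as serious).
NODE_B_SALT_ONLY = NODE_A.replace("1a2b3c4d", "deadbeef")
NODE_B_KEY_ROLL = NODE_B_SALT_ONLY.replace("zsk-0007", "zsk-0008")


def nsec3_params(root):
    """Return (algorithm, iterations, salt) or None when the zone is not NSEC3."""
    h = root.find("./Zone/Denial/NSEC3/Hash")
    if h is None:
        return None
    return tuple(h.findtext(tag) for tag in ("Algorithm", "Iterations", "Salt"))


def key_set(root):
    """Keys as a set of (flags, algorithm, locator, published) tuples."""
    return frozenset(
        (k.findtext("Flags"), k.findtext("Algorithm"), k.findtext("Locator"),
         k.find("Publish") is not None)
        for k in root.findall("./Zone/Keys/Key"))


def compare_signconfs(xml_a, xml_b):
    """Classify drift between two nodes' signconfs for the same zone."""
    a, b = ET.fromstring(xml_a), ET.fromstring(xml_b)
    if key_set(a) != key_set(b):
        return "keys-differ"          # a roll started on one node only: act on it
    pa, pb = nsec3_params(a), nsec3_params(b)
    if pa == pb:
        return "in-sync"
    if pa and pb and pa[:2] == pb[:2]:
        return "salt-only"            # different salt, same keys: benign
    return "nsec3-params-differ"      # algorithm/iterations or NSEC vs NSEC3 mismatch
```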