[Opendnssec-user] Using the PIN daemon to control redundant nodes

Rick van Rein rick at openfortress.nl
Wed Aug 8 14:59:12 UTC 2012


Will the upcoming PIN daemon functionality, HSM access by Enforcer
and is blocked until the proper PIN is entered with a command
"ods-control login".  Will this also enable database access, or at
least avoid database changes?

My reason of asking: We're running a redundant setup, and one of our
concerns is that we shouldn't have two signers and/or two enforcers
running in parallel [1].  The PIN daemon could be the tool to make
that happen.

   [1]	It may actually be possible to have a multi-master mode of
	DNS control, but this is not in line with common DNS
	management, so presently a bit academic.

As a matter of fact, it's a very intuitive place to arrange this -- the
admin staff must login to one host at a time, never both, which makes
sense.  If dabatase access is blocked (or at least, nothing happens
to the databsae contents until the PIN is entered) then both the
master and the hot-spare slave could automatically bootstrap both the
daemons, and be ready for action.

I already sneaked in a request for "ods-control logout" to be able
to halt access to the HSM and, hopefully, the database too, so we
could migrate actions from the master to the slave with a logout
on the master (if needed) and a login on the slave.  With the
hosts bootstrapped without PIN by default, a halted host for the
master would also provide the certainty needed.

To me, it makes a lot of sense to control a redundant setup by
having only one node logged in at a time.  Or does it sound like
an unintended hack?  How do other users feel about this?


More information about the Opendnssec-user mailing list