[Opendnssec-user] How to do HA with opendnssec

Casper Gielen c.gielen at uvt.nl
Fri Jul 20 14:46:27 UTC 2012

On 19-07-12 05:52, 刘硕 wrote:
> Hi all,
> I'm planning to set up a slave opendnssec server to back up the
> configuration files and .db files of the master, this will help when the
> master meets disastrous incident, like power-off.
> The method I have figured is as follows:
> 1. scp master's configuration files and .db files to slave at a
> fixed-rate which would be less than the resign period configured in kasp.xml
> 2. slave detects master's service status, when the master is down, slave
> will become master and starts all opendnssec processes, we assume the
> current master has the same configuration files and .db files.
> 3. start the former master and configure it as slave to detect the new master

Sounds about right.

> What I'm not sure is that, there may be a time when the master is down
> before it scps the latest configuration files and .db files, especially
> the .db files. How can I make sure the two servers share the same keys?
> Can RequireBackup attribute guarantee this? If so, I have to develop a
> script to monitor newly created but not in use keys, right?

You are on the right track. If you turn RequireBackup on, keys will not
be used before they have been backed up. Losing keys that have not yet
been backed up does not matter; they are not used and new keys can be
generated by the backup-server.
Just copy the backups to the slave server and you should be ok.

Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
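
The backup cycle discussed in this thread, as an added example that is not part of the original messages or of OpenDNSSEC's own tooling: keys are only marked as backed up after every file has reached the standby, so with RequireBackup enabled no key goes into use that the standby lacks. It assumes the installed ods-ksmutil provides the two-phase `backup prepare`, `backup commit` and `backup rollback` subcommands; the host name, repository name, file paths and the use of scp are all hypothetical.

```shell
#!/bin/sh
# Added example: one backup cycle from the active signer to the standby.
# Everything configurable below is an assumption, not taken from the thread.
KSMUTIL="${KSMUTIL:-ods-ksmutil}"           # key management CLI
COPY="${COPY:-scp -p}"                      # transport to the standby
REPO="${REPO:-SoftHSM}"                     # repository name from conf.xml (assumed)
STANDBY="${STANDBY:-standby.example.net}"   # hypothetical standby host
DEST="${DEST:-/var/backups/opendnssec/}"    # hypothetical target directory
# Key store, KASP database and configuration (assumed default-style paths).
FILES="${FILES:-/var/lib/softhsm/slot0.db /var/opendnssec/kasp.db /etc/opendnssec/conf.xml /etc/opendnssec/kasp.xml}"

backup_cycle() {
    # 1. Flag the keys generated so far as "backup in progress".
    $KSMUTIL backup prepare --repository "$REPO" || return 1

    # 2. Copy every file; a single failure means the standby may lack key material.
    for f in $FILES; do
        if ! $COPY "$f" "$STANDBY:$DEST"; then
            # Undo the prepare so those keys stay unused until a later run succeeds.
            $KSMUTIL backup rollback --repository "$REPO"
            return 2
        fi
    done

    # 3. Only now mark the prepared keys as backed up, which releases them for use.
    $KSMUTIL backup commit --repository "$REPO" || return 3
    return 0
}

# Typical use from cron on the active signer: backup_cycle || logger "ods backup failed"
```

Run the cycle more often than the resign period so the standby's copy of the .db files is never older than one signing round.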
