[Opendnssec-user] How to do HA with opendnssec

Dave Knight dave at knig.ht
Fri Jul 20 19:11:16 UTC 2012


On 2012-07-18, at 11:52 PM, 刘硕 wrote:

> Hi all,
> I'm planning to setup a salve opendnssec server to backup the configuration files and .db files of the master, this will help when the master meets disastrous incident, like power-off.
> The method I have figured is as follows:
> 1.scp master's configuration files and .db files to slave at a fixed-rate which would be less than the resign period configured in kasp.xml
> 2.slave detects master's service status, when the master is down, slave will become master and starts all opendnssec processes, we assume the current master has the same configuration files and .db files.
> 3.start the former master and configure it as slave to detect the new master

I presented on something similar at OARC a couple of years ago: https://www.dns-oarc.net/files/workshop-201005/ha-opendnssec-oarc.pdf

> What I'm not sure is that, there may be a time when the master is down before it scps the latest configuration files and .db files, especially the .db files. How can I make sure the two server share the same keys? Can RequireBackup attribute guarantee this? If so, I have to develop a script to monitor newly created but not in use keys,right?

We solve the key synchronization problem by creating 2 years of keys in advance, ensure that they are present on all HSMs before using them in production. We don't run multiple OpenDNSSEC's concurrently. There is only one live at a time, but we back it up frequently and copy that full backup to the slave signer. When we need to use the slave signer we restore the last good backup onto it and then turn it up. That way the last known good key state is used.
We also don't do automatic failover, our signature expiry time is long enough to allow for us to detect a problem and have a human check it out and follow the change-management process before doing anything. We could surely do this differently to allow for fully automated failover, but we decided to err on the side of caution. Fortunately we're not in a situation where we have to guarantee that updates to zones passing through the signer have to always be made in less time than we typically take to do manual intervention in the case of problems. Others may not have that luxury.


More information about the Opendnssec-user mailing list