[Opendnssec-user] Hot standby redundancy with OpenDNSSEC 1.4 and DNS Input Adapter

Ville Mattila vmattila at csc.fi
Thu Apr 11 14:50:08 UTC 2013


What would be a proper way to snapshot the signing state of a zone from
a server running OpenDNSSEC 1.4?

The goal is to set up a hot standby signing server to which the necessary
zone signing state is copied every time a zone has been signed on the
active server, before the signed zone is published in DNS.  A picture of
our planned hot standby setup:


Our zone management system can provide the unsigned zone data with
NOTIFY+IXFR/AXFR only.  Thus we'd prefer feeding the zone data to the active
signer server using the DNS Input Adapter of OpenDNSSEC 1.4.

Zone changes arrive at the primary signer at random times: whenever a person
using the zone management tool commits a change.  Thus ods-signerd must
be running all the time to avoid losing NOTIFYs and causing unnecessary
delays to propagation of the change to DNS.

Multiple updates for a single zone z1 can arrive within a short time, and
the Enforcer might also initiate e.g. a key roll-over near an incoming
update; the signing process of zone z1 change #2 could (could it really?)
start before NotifyCommand of zone z1 change #1 has completed.  Thus if,
for example, NotifyCommand of change #1 grabs a copy of
/var/opendnssec/tmp/z1.backup2 (which seems to have the
inbound/internal/outbound serials necessary for DNS Input Adapter
operation) and a dump of the KASP database (which seems to contain key roll-over
state and timing), we cannot know whether they represent the zone's
signing state at completion of change #1 or possibly that of
change #2.  Right?

Is there going to be something like 'ods-signer snapshot <zone>
<serial>' suitable for this purpose?  Or possibly have ods-signerd
export the snapshot automatically in a spool file for NotifyCommand to

Note:  A hot standby might not need a fully exact and complete snapshot
of OpenDNSSEC state.  We just need a hot standby ready to (be manually
activated to) carry on signing the zones from the point of last
_published_ version of the zones, should the primary server fail at any
given time.

BTW, I wasn't able to find instructions for system backup and recovery
in v1.4 documentation:  The Backup section on page
is empty and
doesn't cover it either.

Ville Mattila

PS. We could of course set up e.g. NSD or BIND on the signer servers
to receive the updates from the zone management system, and have e.g. a cron
job or inotify listener to (a) check which zones have received updates
and run 'ods-signer sign <zone>' commands and (b) run ods-enforcerd, for
example, once every hour if necessary for rolling keys (not sure if
that's necessary).  But I hope there's a simpler OpenDNSSEC-native way.
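The race the post describes (a snapshot taken by NotifyCommand for change #1 possibly mixing in files already rewritten for change #2) cannot be fully resolved from outside the signer, but a snapshot script can at least detect when a source file changed underneath it and refuse to publish that copy. The following is an added example, not code from the original post or from OpenDNSSEC: a POSIX shell snapshot routine that copies a list of state files into a directory named after the zone and serial, digests each file before and after the copy, aborts with status 2 if any file changed mid-copy, and publishes the directory with a single rename so a standby never sees a half-written snapshot. The file names (z1.backup2, a KASP SQL dump), the destination layout and the serial argument are assumptions; the caller is expected to be whatever wrapper NotifyCommand invokes.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenDNSSEC).
# Copies zone signing-state files into DEST_ROOT/ZONE/SERIAL, refusing the
# snapshot if any source file was rewritten while it was being copied.
# All paths and file names are assumptions for illustration.
set -u

# Print the SHA-256 digest of a file; works with sha256sum or shasum.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# snapshot_zone_state ZONE SERIAL DEST_ROOT FILE...
# Returns 0 on success, 1 on an I/O error, 2 if a source file changed
# during the copy (the snapshot may then mix two signing runs).
snapshot_zone_state() {
    zone=$1; serial=$2; root=$3; shift 3
    dest="$root/$zone/$serial"
    tmp="$dest.partial"
    rm -rf "$tmp" && mkdir -p "$tmp" || return 1
    : > "$tmp/MANIFEST"
    for src in "$@"; do
        before=$(file_digest "$src") || return 1
        cp "$src" "$tmp/" || return 1
        after=$(file_digest "$src") || return 1
        if [ "$before" != "$after" ]; then
            # The signer rewrote this file under us: discard the whole
            # snapshot and let the caller retry after the next signing run.
            rm -rf "$tmp"
            return 2
        fi
        printf '%s  %s\n' "$before" "$(basename "$src")" >> "$tmp/MANIFEST"
    done
    # Publish atomically: a standby only ever sees complete directories.
    rm -rf "$dest" && mv "$tmp" "$dest"
}

# verify_snapshot DIR: recompute digests and compare with the MANIFEST.
# Returns 0 if every listed file is present and intact, 1 otherwise.
verify_snapshot() {
    dir=$1
    [ -f "$dir/MANIFEST" ] || return 1
    while read -r digest name; do
        [ -f "$dir/$name" ] || return 1
        [ "$(file_digest "$dir/$name")" = "$digest" ] || return 1
    done < "$dir/MANIFEST"
}
```

A typical call from the wrapper would be `snapshot_zone_state z1 2013041101 /var/backups/ods /var/opendnssec/tmp/z1.backup2 /var/backups/ods/kasp.sql`, and the standby runs `verify_snapshot` on the directory it received before trusting it. Note that a clean before/after digest only proves the copy is self-consistent, not which change it belongs to; tying the snapshot to a serial still needs the signer to tell the script which serial it just finished.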
