[Opendnssec-user] Hot standby redundancy with OpenDNSSEC 1.4 and DNS Input Adapter

Ville Mattila vmattila at csc.fi
Thu Apr 11 14:50:08 UTC 2013


Hi,

What would be a proper way to snapshot the signing state of a zone from
a server running OpenDNSSEC 1.4?

The goal is to set up a hot standby signing server to which the necessary
zone signing state is copied every time a zone has been signed on the
active server, before the signed zone is published in DNS.  A picture of
our planned hot standby setup:

https://info.funet.fi/wiki/display/avoin/Funet+DNSSEC+signer+hot+standby+redundancy

Our zone management system can provide the unsigned zone data with
NOTIFY+IXFR/AXFR only.  Thus we'd prefer feeding the zone data to the
active signer server using the DNS Input Adapter of OpenDNSSEC 1.4.

Zone changes arrive at the primary signer at random times: whenever a
person using the zone management tool commits a change.  Thus ods-signerd
must be running all the time to avoid losing NOTIFYs and causing
unnecessary delays in propagation of the change to DNS.

Multiple updates for a single zone z1 can arrive within a short time, and
the Enforcer might also initiate e.g. a key roll-over near an incoming
update; the signing process of zone z1 change #2 could (could it really?)
start before the NotifyCommand of zone z1 change #1 has completed.  Thus
if for example the NotifyCommand of change #1 grabs a copy of
/var/opendnssec/tmp/z1.backup2 (which seems to have the
inbound/internal/outbound serials necessary for DNS Input Adapter
operation) and a dump of the KASP database (which seems to contain key
roll-over state and timing), we cannot know whether they represent the
zone's signing state at completion of change #1 or whether they possibly
represent change #2.  Right?

Is there going to be something like 'ods-signer snapshot <zone>
<serial>' suitable for this purpose?  Or possibly have ods-signerd
export the snapshot automatically in a spool file for NotifyCommand to
consume?

Note:  A hot standby might not need a fully exact and complete snapshot
of OpenDNSSEC state.  We just need a hot standby ready to (be manually
activated to) carry on signing the zones from the point of last
_published_ version of the zones, should the primary server fail at any
given time.

BTW, I wasn't able to find instructions for system backup and recovery
in v1.4 documentation:  The Backup section on page
  https://wiki.opendnssec.org/display/DOCSTRUNK/Quick+guides
is empty and
  https://wiki.opendnssec.org/display/DOCSTRUNK/Running+OpenDNSSEC
doesn't cover it either.

Thanks,
Ville Mattila
CSC/Funet

PS. We could of course set up e.g. NSD or BIND on the signer servers to
receive the updates from the zone management system, and have e.g. a cron
job or inotify listener to (a) check which zones have received updates
and run 'ods-signer sign <zone>' commands and (b) run ods-enforcerd for
example once every hour if necessary for rolling keys (not sure if
that's necessary).  But I hope there's a simpler OpenDNSSEC-native way.
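One way to make the NotifyCommand snapshot described in the post attributable to a specific zone version, written here as an added example rather than code from the post or from OpenDNSSEC: the script tags each snapshot with the SOA serial of the signed zone file that ods-signerd hands to NotifyCommand, so a copy of z1.backup2 or the KASP database can at least be matched to the serial it was taken alongside, and a duplicate notify for an already-captured serial is skipped. It assumes conf.xml invokes it as `<NotifyCommand>/usr/local/sbin/ods-snapshot %zone %zonefile</NotifyCommand>`, an SQLite KASP database at an assumed path, and the /var/opendnssec/tmp path from the post; shipping the snapshot directory to the standby is left as a placeholder comment.

```shell
#!/bin/sh
# Added example, not code from the post or from OpenDNSSEC.  Intended as the
# ods-signerd NotifyCommand:  ods-snapshot %zone %zonefile
ODS_TMP=${ODS_TMP:-/var/opendnssec/tmp}            # path named in the post
KASP_DB=${KASP_DB:-/var/opendnssec/kasp.db}        # assumed SQLite KASP path
SNAP_ROOT=${SNAP_ROOT:-/var/opendnssec/snapshots}  # assumed snapshot root

# Print the SOA serial of a zone file: the third token after "SOA"
# (MNAME, RNAME, SERIAL), also across lines in the "( ... )" form.
soa_serial() {
    awk '
        { sub(/;.*/, "") }                       # drop comments
        {
            start = 1
            if (!insoa) {
                for (i = 1; i <= NF; i++)
                    if ($i == "SOA") { insoa = 1; start = i + 1; break }
                if (!insoa) next
            }
            for (i = start; i <= NF; i++) {
                if ($i == "(" || $i == ")") continue
                if (++n == 3) { print $i; exit }
            }
        }' "$1"
}

# Capture the state for one signed zone version under SNAP_ROOT/<zone>/<serial>.
# Prints the serial; returns 1 if that serial was already captured (duplicate
# notify), 2 if no serial could be read from the zone file.
snapshot_zone() {
    zone=$1; zonefile=$2
    serial=$(soa_serial "$zonefile")
    [ -n "$serial" ] || return 2
    dir=$SNAP_ROOT/$zone/$serial
    [ -e "$dir" ] && return 1
    mkdir -p "$dir"
    cp "$zonefile" "$dir/signed.zone"
    # Signer-side serials/state for the DNS Input Adapter, as named in the post.
    cp "$ODS_TMP/$zone.backup2" "$dir/$zone.backup2"
    # sqlite3 .backup yields a consistent copy even if ods-enforcerd is writing.
    [ -f "$KASP_DB" ] && sqlite3 "$KASP_DB" ".backup '$dir/kasp.db'"
    printf 'zone=%s\nserial=%s\ntaken=%s\n' "$zone" "$serial" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" > "$dir/MANIFEST"
    # Ship to the standby here, e.g. rsync -a "$dir" standby:"$SNAP_ROOT/$zone/"
    echo "$serial"
}

# When run as NotifyCommand, both arguments are supplied by ods-signerd.
case $# in 2) snapshot_zone "$1" "$2" ;; esac
```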
