[Opendnssec-user] Hot standby redundancy with OpenDNSSEC 1.4 and DNS Input Adapter
Ville Mattila
vmattila at csc.fi
Thu Apr 11 14:50:08 UTC 2013
Hi,
What would be a proper way to snapshot the signing state of a zone from
a server running OpenDNSSEC 1.4?
The goal is to set up a hot standby signing server to which the necessary
zone signing state is copied every time a zone has been signed on the
active server, before the signed zone is published in DNS. A picture of
our planned hot standby setup:
https://info.funet.fi/wiki/display/avoin/Funet+DNSSEC+signer+hot+standby+redundancy
Our zone management system can provide the unsigned zone data with
NOTIFY+IXFR/AXFR only. Thus we'd prefer feeding the zone data to the active
signer server using the DNS Input Adapter of OpenDNSSEC 1.4.
Zone changes arrive at the primary signer at random times: whenever a person
using the zone management tool commits a change. Thus ods-signerd must
be running all the time to avoid losing NOTIFYs and causing unnecessary
delays to propagation of the change to DNS.
Multiple updates for a single zone z1 can arrive within a short time and
Enforcer might also initiate e.g. a key roll-over near an incoming
update; signing process of zone z1 change #2 could (could it really?)
start before NotifyCommand of zone z1 change #1 has completed. Thus if
for example NotifyCommand of change #1 grabs a copy of
/var/opendnssec/tmp/z1.backup2 (which seems to have the
inbound/internal/outbound serials necessary for DNS Input Adapter
operation) and a dump of KASP database (seems to contain key roll-over
state and timing) we cannot know whether they represent the zone's
signing state at completion of change #1 or whether they possibly represent
change #2. Right?
Is there going to be something like 'ods-signer snapshot <zone>
<serial>' suitable for this purpose? Or possibly have ods-signerd
export the snapshot automatically in a spool file for NotifyCommand to
consume?
Note: A hot standby might not need a fully exact and complete snapshot
of OpenDNSSEC state. We just need a hot standby ready to (be manually
activated to) carry on signing the zones from the point of last
_published_ version of the zones, should the primary server fail at any
given time.
BTW, I wasn't able to find instructions for system backup and recovery
in v1.4 documentation: The Backup section on page
https://wiki.opendnssec.org/display/DOCSTRUNK/Quick+guides
is empty and
https://wiki.opendnssec.org/display/DOCSTRUNK/Running+OpenDNSSEC
doesn't cover it either.
Thanks,
Ville Mattila
CSC/Funet
PS. We could of course set up e.g. NSD or BIND on the signer servers
to receive the updates from zone management system, and have e.g. a cron
job or inotify listener to (a) check which zones have received updates
and run 'ods-signer sign <zone>' commands and (b) run ods-enforcerd for
example once every hour if necessary for rolling keys (not sure if
that's necessary). But I hope there's a simpler OpenDNSSEC-native way.
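As an added illustration (not part of the original post, and not OpenDNSSEC code) of the snapshot-per-published-serial idea discussed above: a NotifyCommand-style script that files a copy of the signed zone plus whatever state files the caller names under a directory keyed by the signed zone's SOA serial, with an atomic rename so overlapping runs for the same zone cannot interleave. It assumes the script receives the zone name and signed zone file as arguments (as with conf.xml's `%zone`/`%zonefile` placeholders) and that the caller chooses which backup/KASP dump files to include; the spool path is a placeholder. It does not resolve the race with signer-internal state that the post asks about; it only labels each snapshot with the serial that is actually being published and records file hashes so the standby side can check what it received.

```python
"""Serial-keyed snapshot of a zone's signing state for a hot standby.
Added example, not OpenDNSSEC code: run as the signer's NotifyCommand with
the zone name, the signed zone file and the state files to include (assumed
calling convention; the spool path below is a placeholder)."""
import hashlib, json, os, shutil, sys, tempfile, re

def soa_serial(zone_text: str) -> int:
    """Return the SOA serial from zone-file text, incl. the '(' multi-line form."""
    # Strip ';' comments per line, then flatten so a parenthesised SOA is one line.
    flat = " ".join(line.split(";", 1)[0] for line in zone_text.splitlines())
    flat = flat.replace("(", " ").replace(")", " ")
    m = re.search(r"\bSOA\s+\S+\s+\S+\s+(\d+)", flat)
    if not m:
        raise ValueError("no SOA record found")
    return int(m.group(1))

def sha256_of(path: str) -> str:
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def take_snapshot(zone, signed_zone, state_files, spool_dir):
    """Copy signed_zone and state_files to spool_dir/<zone>/<serial>/ with a
    manifest of SHA-256 hashes. Returns the snapshot dir, or None when a
    snapshot for that serial already exists (or another run won the race)."""
    with open(signed_zone) as f:
        serial = soa_serial(f.read())
    zone_dir = os.path.join(spool_dir, zone)
    os.makedirs(zone_dir, exist_ok=True)
    final = os.path.join(zone_dir, str(serial))
    if os.path.isdir(final):
        return None
    # Assemble in a private temp dir, then rename it into place: the rename is
    # atomic, so a concurrent run never sees a half-written snapshot.
    tmp = tempfile.mkdtemp(prefix=f".{serial}-", dir=zone_dir)
    manifest = {"zone": zone, "serial": serial, "files": {}}
    for src in [signed_zone, *state_files]:
        dst = os.path.join(tmp, os.path.basename(src))
        shutil.copy2(src, dst)
        manifest["files"][os.path.basename(src)] = sha256_of(dst)
    with open(os.path.join(tmp, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=1)
    try:
        os.rename(tmp, final)      # fails if a sibling run already created it
    except OSError:
        shutil.rmtree(tmp)
        return None
    return final

if __name__ == "__main__":
    # Usage: snapshot.py <zone> <signed zonefile> <state files...>
    print(take_snapshot(sys.argv[1], sys.argv[2], sys.argv[3:],
                        "/var/opendnssec/standby-spool"))  # placeholder path
```

Shipping the resulting directory to the standby (rsync, scp) and pruning old serials are left to the surrounding tooling.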