[Opendnssec-user] Hot standby redundancy with OpenDNSSEC 1.4 and DNS Input Adapter

[Rick van Rein (OpenFortress)]

Hello Ville,

> What would be a proper way to snapshot the signing state of a zone from
> a server running OpenDNSSEC 1.4?

If you mean the state of the ods-signer process, you do not need to replicate it.  It is perfectly safe to re-sign the zone as long as you use the same key set.  This means that you need to use the same signconf process, which in turns means that the KASP database should be replicated.  And that should be all you need to do.

The only place where this scheme could get into trouble is with SOA serial numbers, which would normally be resolved with the next day's signing.  Not sure how dynamic you need to be around a calamity.  Note that this last SOA value could be found in public space, namely your authoritative name servers, so there is no real need for replicating it `hot'.

> Is there going to be something like 'ods-signer snapshot <zone>
> <serial>' suitable for this purpose?  Or possibly have ods-signerd
> export the snapshot automatically in a spool file for NotifyCommand to
> consume?

I don't understand this fully, but I'm intruiged.  What exactly should these do?

> Note:  A hot standby might not need a fully exact and complete snapshot
> of OpenDNSSEC state.  We just need a hot standby ready to (be manually
> activated to) carry on signing the zones from the point of last
> _published_ version of the zones, should the primary server fail at any
> given time.

That's how we also set it up, http://dnssec.surfnet.nl/

Hope this helps.

Cheers,
 -Rick