[Opendnssec-user] Hot standby redundancy with OpenDNSSEC 1.4 and DNS Input Adapter
Sebastian Castro
sebastian at nzrs.net.nz
Thu Apr 11 20:34:28 UTC 2013
On 12/04/13 02:57, Rick van Rein (OpenFortress) wrote:
> Hello Ville,
Hi Ville, Rick,
>
>> What would be a proper way to snapshot the signing state of a zone
>> from a server running OpenDNSSEC 1.4?
>
> If you mean the state of the ods-signer process, you do not need to
> replicate it. It is perfectly safe to re-sign the zone as long as
> you use the same key set. This means that you need to use the same
> signconf process, which in turns means that the KASP database should
> be replicated. And that should be all you need to do.
Agreed with Rick about no need to replicate the signer status. Our setup
has two signers, one active, one hot stand-by. The active sends a dump
of the KASP, and a copy of all signconf files to the hot-standby. Zones
are signed in both places at the same time, but only picked for
publishing from the active one.
There are also a set of sanity checks around the resulting zones, to
ensure they are similar enough (signed with the same keys, no missing
keys, signatures with keys not present, signature inception/expiry in
the same ranges, etc).
To keep the consistency, we run the enforcer manually once a day, and
after that run, the KASP is synchronized.
The signing policy for the SOA is to keep, so the unsigned zone controls
the serial number.
>
> The only place where this scheme could get into trouble is with SOA
> serial numbers, which would normally be resolved with the next day's
> signing. Not sure how dynamic you need to be around a calamity.
> Note that this last SOA value could be found in public space, namely
> your authoritative name servers, so there is no real need for
> replicating it `hot'.
>
>> Is there going to be something like 'ods-signer snapshot <zone>
>> <serial>' suitable for this purpose? Or possibly have ods-signerd
>> export the snapshot automatically in a spool file for NotifyCommand
>> to consume?
>
> I don't understand this fully, but I'm intrigued. What exactly
> should these do?
>
>> Note: A hot standby might not need a fully exact and complete
>> snapshot of OpenDNSSEC state. We just need a hot standby ready to
>> (be manually activated to) carry on signing the zones from the
>> point of last _published_ version of the zones, should the primary
>> server fail at any given time.
>
> That's how we also set it up, http://dnssec.surfnet.nl/
>
> Hope this helps.
I hope this helps as well :)
Regards,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
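The sanity checks Sebastian describes (same key set on both signers, no signature made with a key that is not in the DNSKEY set, inception/expiry in the same ranges), as an added example that is not from the thread or from OpenDNSSEC itself; it assumes signed zones in one-record-per-line presentation format and uses constructed sample records with placeholder key and signature material:

```python
import base64
import struct
from datetime import datetime
_ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S")  # RRSIG YYYYMMDDHHmmSS timestamp

def dnskey_keytag(flags, protocol, algorithm, pubkey_b64):
    """Key tag per RFC 4034 Appendix B (for algorithms other than 1, RSA/MD5)."""
    rdata = struct.pack("!HBB", flags, protocol, algorithm) + base64.b64decode(pubkey_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_zone(text):
    """Return (set of DNSKEY key tags, list of RRSIG tuples) from one-record-per-line text."""
    keys, sigs = set(), []
    for line in text.splitlines():
        f = line.split()  # owner ttl class type rdata...
        if len(f) > 7 and f[3] == "DNSKEY":  # rdata: flags protocol algorithm pubkey...
            keys.add(dnskey_keytag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
        elif len(f) > 12 and f[3] == "RRSIG":  # rdata: type alg labels ttl expiration inception keytag signer sig
            sigs.append((f[0], f[4], int(f[10]), _ts(f[9]), _ts(f[8])))
    return keys, sigs

def sanity_check(active, standby, max_skew=3600):
    """Differences that would make the standby copy unsafe to publish in place of the active one."""
    ka, sa = parse_zone(active)
    kb, sb = parse_zone(standby)
    issues = []
    if ka != kb:
        issues.append("DNSKEY sets differ: key tags %s" % sorted(ka ^ kb))
    for name, keys, sigs in (("active", ka, sa), ("standby", kb, sb)):
        for owner, typ, tag, _, _ in sigs:
            if tag not in keys:
                issues.append("%s: RRSIG over %s %s by key tag %d not in its DNSKEY set" % (name, owner, typ, tag))
    by_key = {(o, t, k): (inc, exp) for o, t, k, inc, exp in sb}
    for o, t, k, inc, exp in sa:
        other = by_key.get((o, t, k))
        if other is None:
            issues.append("standby has no RRSIG over %s %s by key tag %d" % (o, t, k))
        elif max(abs((inc - other[0]).total_seconds()), abs((exp - other[1]).total_seconds())) > max_skew:
            issues.append("RRSIG validity window over %s %s (key %d) differs by more than %ds" % (o, t, k, max_skew))
    return issues

# Constructed sample records (not real keys or signatures); the tags work out to 1545 (KSK) and 2058 (ZSK).
ACTIVE = """\
example. 3600 IN DNSKEY 257 3 8 AQAB
example. 3600 IN DNSKEY 256 3 8 AQID
example. 3600 IN RRSIG DNSKEY 8 1 3600 20130425000000 20130411000000 1545 example. c2ln
example. 3600 IN RRSIG SOA 8 1 3600 20130425000000 20130411000000 2058 example. c2ln
"""
# A standby that missed a KASP sync: different ZSK, and the SOA signed two days later.
STANDBY = ACTIVE.replace("256 3 8 AQID", "256 3 8 AQIE").replace("20130411000000 2058", "20130413000000 2058")
```

Run against real output, the check would be fed the two signers' signed zone files and the result gated before the active copy is picked for publishing.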