[Opendnssec-user] Hot standby redundancy with OpenDNSSEC 1.4 and DNS Input Adapter

Sebastian Castro sebastian at nzrs.net.nz
Thu Apr 11 20:34:28 UTC 2013

On 12/04/13 02:57, Rick van Rein (OpenFortress) wrote:
> Hello Ville,

Hi Ville, Rick,

>> What would be a proper way to snapshot the signing state of a zone
>> from a server running OpenDNSSEC 1.4?
> If you mean the state of the ods-signer process, you do not need to
> replicate it.  It is perfectly safe to re-sign the zone as long as
> you use the same key set.  This means that you need to use the same
> signconf process, which in turns means that the KASP database should
> be replicated.  And that should be all you need to do.

Agreed with Rick about no need to replicate the signer status. Our setup
has two signers, one active, one hot stand-by. The active sends a dump
of the KASP, and a copy of all signconf files to the hot-standby. Zones
are signed in both places at the same time, but only picked for
publishing from the active one.

There are also a set of sanity checks around the resulting zones, to
ensure they are similar enough (signed with the same keys, no missing
keys, signatures with keys not present, signature inception/expiry in
the same ranges, etc).

To keep the consistency, we run the enforcer manually once a day, and
after that run, the KASP is synchronized.

The signing policy for the SOA is to keep, so the unsigned zone controls
the serial number.

> The only place where this scheme could get into trouble is with SOA
> serial numbers, which would normally be resolved with the next day's
> signing.  Not sure how dynamic you need to be around a calamity.
> Note that this last SOA value could be found in public space, namely
> your authoritative name servers, so there is no real need for
> replicating it `hot'.
>> Is there going to be something like 'ods-signer snapshot <zone> 
>> <serial>' suitable for this purpose?  Or possibly have ods-signerd 
>> export the snapshot automatically in a spool file for NotifyCommand
>> to consume?
> I don't understand this fully, but I'm intrigued.  What exactly
> should these do?
>> Note:  A hot standby might not need a fully exact and complete
>> snapshot of OpenDNSSEC state.  We just need a hot standby ready to
>> (be manually activated to) carry on signing the zones from the
>> point of last _published_ version of the zones, should the primary
>> server fail at any given time.
> That's how we also set it up, http://dnssec.surfnet.nl/
> Hope this helps.

I hope this helps as well :)

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
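The sanity checks Sebastian describes (same DNSKEY set on both signers, no RRSIG made with a key the zone does not publish, inception and expiry within the same window) can be scripted against the two signed zone files. The following is an added example, not code from the thread or from OpenDNSSEC; the zone snippets are constructed, with toy 'AQAB'/'AQAC' public keys so the key tags stay small, and real signers would be fed the full zone files.

```python
import base64
import struct
from datetime import datetime

# Constructed sample zones ('AQAB'/'AQAC' are toy keys); the stale standby has a
# replaced ZSK and a SOA signature that expires a week later than the active's.
ACTIVE = """\
example.test. 3600 IN DNSKEY 257 3 8 AQAB
example.test. 3600 IN DNSKEY 256 3 8 AQAB
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20130418120000 20130411120000 1545 example.test. c2ln
example.test. 3600 IN RRSIG SOA 8 2 3600 20130418120000 20130411120000 1544 example.test. c2ln
"""
STANDBY_STALE = """\
example.test. 3600 IN DNSKEY 257 3 8 AQAB
example.test. 3600 IN DNSKEY 256 3 8 AQAC
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20130418120000 20130411120000 1545 example.test. c2ln
example.test. 3600 IN RRSIG SOA 8 2 3600 20130425120000 20130411120000 1544 example.test. c2ln
"""

def key_tag(flags, proto, alg, pubkey_b64):
    """Key tag (RFC 4034 Appendix B) computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)
    acc = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    return (acc + (acc >> 16)) & 0xFFFF

def parse_zone(text):
    """Return (set of DNSKEY key tags, {covered type: (key tag, inception, expiry)})."""
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S")
    keys, sigs = set(), {}
    for f in (line.split() for line in text.splitlines()):
        if len(f) > 7 and f[3] == "DNSKEY":
            keys.add(key_tag(int(f[4]), int(f[5]), int(f[6]), f[7]))
        elif len(f) > 10 and f[3] == "RRSIG":
            sigs[f[4]] = (int(f[10]), ts(f[9]), ts(f[8]))
    return keys, sigs

def compare_signed_zones(active, standby, max_skew=3600):
    """List discrepancies that would make the standby's zone unsafe to publish."""
    issues = []
    (ak, asig), (sk, ssig) = parse_zone(active), parse_zone(standby)
    for name, keys, sigs in (("active", ak, asig), ("standby", sk, ssig)):
        for rtype, (tag, _, _) in sigs.items():
            if tag not in keys:  # signature made with a key the zone does not publish
                issues.append(f"{name}: RRSIG over {rtype} uses key tag {tag} not in DNSKEY set")
    if ak != sk:
        issues.append(f"DNSKEY sets differ: active={sorted(ak)} standby={sorted(sk)}")
    for rtype in asig.keys() & ssig.keys():
        if asig[rtype][0] != ssig[rtype][0]:
            issues.append(f"{rtype} signed with different keys")
        for what, a, s in zip(("inception", "expiry"), asig[rtype][1:], ssig[rtype][1:]):
            if abs((a - s).total_seconds()) > max_skew:
                issues.append(f"{rtype} signature {what} differs by more than {max_skew}s")
    return issues
```

An empty list from `compare_signed_zones` is the condition under which the standby's copy could be picked for publishing; anything else means the KASP dump or signconf copy did not arrive as expected.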
