[Opendnssec-user] Hot standby redundancy with OpenDNSSEC 1.4 and DNS Input Adapter

Rick van Rein (OpenFortress) rick at openfortress.nl
Thu Apr 11 20:48:07 UTC 2013


Hello,

> Agreed with Rick about no need to replicate the signer status. Our setup
> has two signers, one active, one hot stand-by. The active sends a dump
> of the KASP, and a copy of all signconf files to the hot-standby. Zones
> are signed in both places at the same time, but only picked for
> publishing from the active one.

Ah, your standby is hotter than ours :) because we don't let the signer or
enforcer run on the second.

> There are also a set of sanity checks around the resulting zones, to
> ensure they are similar enough (signed with the same keys, no missing
> keys, signatures with keys not present, signature inception/expiry in
> the same ranges, etc).

Wow, interesting.  Maybe good to describe somewhere in the userspace of the Wiki?

> To keep the consistency, we run the enforcer manually once a day, and
> after that run, the KASP is synchronized.

Neat trick.  We use MySQL replication to get the database state across instantly.

This is also (scratch my head and try to recall details) why we run only one of the
components at the same time -- our servers are run as master/master so in
theory they should be able to update each other.  MySQL has facilities for
auto-incrementing with suitable steps to make that work reliably.  But we found
in the past that OpenDNSSEC had its own ideas about that.  I am not sure if
this has been resolved -- or if we ever filed it as a bug...

> The signing policy for the SOA is to keep, so the unsigned zone controls
> the serial number.

Cheers,
 -Rick
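The sanity checks quoted above (same keys in both copies, no signature made with a key the zone does not publish, inception/expiry in the same range) as an added example in Python, not code from the thread or from OpenDNSSEC: it reads DNSKEY and RRSIG lines in presentation format from two signed copies of a zone and reports where they diverge. The zone text is constructed, and the one-hour drift tolerance is an assumed parameter.

```python
import base64, struct
from datetime import datetime, timedelta
def key_tag(flags, proto, alg, pubkey_b64):
    """RFC 4034 Appendix B key tag computed over the DNSKEY RDATA."""
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF
def parse_signed_zone(text):
    """DNSKEY/RRSIG lines -> (set of key tags, {(owner, type): (expiry, inception, tag)})."""
    keys, sigs, fmt = set(), {}, "%Y%m%d%H%M%S"
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[0].startswith(";"):
            continue
        owner, rtype, rd = f[0], f[3], f[4:]
        if rtype == "DNSKEY":
            keys.add(key_tag(int(rd[0]), int(rd[1]), int(rd[2]), "".join(rd[3:])))
        elif rtype == "RRSIG":  # type-covered alg labels ttl expiry inception keytag signer sig
            sigs[(owner, rd[0])] = (datetime.strptime(rd[4], fmt),
                                    datetime.strptime(rd[5], fmt), int(rd[6]))
    return keys, sigs
def compare_signed_copies(zone_a, zone_b, max_skew=timedelta(hours=1)):
    """Return findings; an empty list means the two copies are 'similar enough'."""
    keys_a, sigs_a = parse_signed_zone(zone_a)
    keys_b, sigs_b = parse_signed_zone(zone_b)
    findings = []
    if keys_a != keys_b:
        findings.append("DNSKEY sets differ: %s vs %s" % (sorted(keys_a), sorted(keys_b)))
    for label, keys, sigs in (("active", keys_a, sigs_a), ("standby", keys_b, sigs_b)):
        for (owner, rtype), (_, _, tag) in sigs.items():
            if tag not in keys:  # signature made with a key the zone does not publish
                findings.append("%s: RRSIG %s/%s uses key tag %d with no DNSKEY" % (label, owner, rtype, tag))
    for rrset in sorted(set(sigs_a) | set(sigs_b)):
        a, b = sigs_a.get(rrset), sigs_b.get(rrset)
        if a is None or b is None:
            findings.append("RRSIG for %s/%s present in only one copy" % rrset)
        elif abs(a[0] - b[0]) > max_skew or abs(a[1] - b[1]) > max_skew:
            findings.append("%s/%s: inception/expiry drift beyond %s" % (rrset + (max_skew,)))
    return findings

# Constructed sample (not OpenDNSSEC output): "AQAB" is a 3-byte stand-in key blob; it yields key tags 1545 (KSK) and 1544 (ZSK).
ACTIVE = """\
example.com. 3600 IN DNSKEY 257 3 8 AQAB
example.com. 3600 IN DNSKEY 256 3 8 AQAB
example.com. 3600 IN RRSIG DNSKEY 8 2 3600 20130501000000 20130410000000 1545 example.com. c2ln
example.com. 3600 IN RRSIG SOA 8 2 3600 20130501000000 20130410000000 1544 example.com. c2ln
"""
STANDBY = ACTIVE.replace("20130501000000 20130410000000 1544", "20130601000000 20130410000000 9999")
```

Running `compare_signed_copies(ACTIVE, STANDBY)` reports the SOA signature made with an unpublished key tag and its expiry drifting by a month, while comparing a copy with itself yields no findings.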

