[Opendnssec-user] Hot standby redundancy with OpenDNSSEC 1.4 and DNS Input Adapter

Sebastian Castro sebastian at nzrs.net.nz
Thu Apr 11 20:52:28 UTC 2013

On 12/04/13 08:48, Rick van Rein (OpenFortress) wrote:
> Hello,

Hi Rick,

>> Agreed with Rick about no need to replicate the signer status. Our setup
>> have two signers, one active, one hot stand-by. The active sends a dump
>> of the KASP, and a copy of all signconf files to the hot-standby. Zones
>> are signed in both places at the same time, but only picked for
>> publishing from the active one.
> Ah, your standby is hotter than ours :) because we don't let the signer or
> enforcer run on the second.

Not quite then, because we run the signer in both, but the enforcer in
the active signer... so let's call it "mild" :)

>> There are also a set of sanity checks around the resulting zones, to
>> ensure they are similar enough (signed with the same keys, no missing
>> keys, signatures with keys not present, signature inception/expiry in
>> the same ranges, etc).
> Wow, interesting.  Maybe good to describe somewhere in the userspace of the Wiki?

We started with ideas from ldns-compare-zone, plus a couple of local
tweaks to account for different inception/expiration times in the

>> To keep the consistency, we run the enforcer manually once a day, and
>> after that run, the KASP is synchronized.
> Neat trick.  We use MySQL replication to get the database state across instantly.

We didn't want to use MySQL to keep things closely tied (one less port
to open). We might be interested if the KASP could run over PostgreSQL.

> This is also (scratch my head and try to recall details) why we run only one of the
> components at the same time -- our servers are run as master/master so in
> theory they should be able to update each other.  MySQL has facilities for
> auto-incrementing with suitable steps to make that work reliably.  But we found
> in the past that OpenDNSSEC had its own ideas about that.  I am not sure if
> this has been resolved -- or if we ever filed it as a bug...
>> The signing policy for the SOA is to keep, so the unsigned zone controls
>> the serial number.
> Cheers,
>  -Rick

Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
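The sanity checks Sebastian describes above (both copies signed with the same keys, no signatures made with keys that are not published, inception/expiry in the same ranges, with some tolerance for the two signers running at slightly different times), as an added example that is not NZRS's tooling or OpenDNSSEC's code. It assumes a constructed one-record-per-line zone containing only DNSKEY and RRSIG lines, and the function names key_tag, parse_zone and compare_signed_copies are hypothetical.

```python
# Added example (not NZRS's tooling): compare two independently signed copies of a zone.
# Constructed one-record-per-line presentation format; only DNSKEY and RRSIG are examined.
import base64
from datetime import datetime

def key_tag(flags, proto, alg, pubkey_b64):
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (algorithm 1 excluded)."""
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_zone(text):
    """Return ({key_tag: flags}, {(owner, covered type): (key_tag, inception, expiry)})."""
    keys, sigs, fmt = {}, {}, "%Y%m%d%H%M%S"
    for f in (line.split() for line in text.strip().splitlines()):
        if f[3] == "DNSKEY":  # owner ttl IN DNSKEY flags proto alg key
            keys[key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:]))] = int(f[4])
        elif f[3] == "RRSIG":  # ... RRSIG type alg labels ottl expiry inception tag signer sig
            sigs[(f[0], f[4])] = (int(f[10]), datetime.strptime(f[9], fmt), datetime.strptime(f[8], fmt))
    return keys, sigs

def compare_signed_copies(active, standby, max_skew=3600):
    """Return findings; an empty list means the standby copy is close enough to publish."""
    (akeys, asigs), (skeys, ssigs) = parse_zone(active), parse_zone(standby)
    findings = []
    if akeys != skeys:
        findings.append(f"DNSKEY sets differ: active={sorted(akeys)} standby={sorted(skeys)}")
    for side, keys, sigs in (("active", akeys, asigs), ("standby", skeys, ssigs)):
        for (owner, rtype), (tag, _, _) in sigs.items():
            if tag not in keys:  # signature made with a key that is not in the DNSKEY RRset
                findings.append(f"{side}: RRSIG over {owner}/{rtype} uses key tag {tag} not in DNSKEY set")
    if set(asigs) != set(ssigs):
        findings.append(f"signed RRsets differ: {sorted(set(asigs) ^ set(ssigs))}")
    for rrset in set(asigs) & set(ssigs):
        (atag, ainc, aexp), (stag, sinc, sexp) = asigs[rrset], ssigs[rrset]
        if atag != stag:
            findings.append(f"{rrset[0]}/{rrset[1]}: key tag {atag} on active but {stag} on standby")
        if abs(ainc - sinc).total_seconds() > max_skew or abs(aexp - sexp).total_seconds() > max_skew:
            findings.append(f"{rrset[0]}/{rrset[1]}: inception/expiry drift exceeds {max_skew}s")
    return findings

# Constructed sample: same KASP on both signers; the standby signed 20 minutes after the active.
ACTIVE = """example. 3600 IN DNSKEY 257 3 8 AQIDBA==
example. 3600 IN DNSKEY 256 3 8 BQYHCA==
example. 3600 IN RRSIG DNSKEY 8 1 3600 20130501000000 20130411000000 2063 example. c2lnMQ==
example. 3600 IN RRSIG SOA 8 1 3600 20130425000000 20130411000000 4118 example. c2lnMg=="""
STANDBY = ACTIVE.replace("000000 ", "002000 ")  # every signature timestamp 20 minutes later
```

With the default one-hour tolerance the two copies compare clean; tightening the tolerance, or altering a key tag or DNSKEY on one side, produces the corresponding findings.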
