[Opendnssec-user] Hot standby redundancy with OpenDNSSEC 1.4 and DNS Input Adapter

Sebastian Castro sebastian at nzrs.net.nz
Thu Apr 11 20:52:28 UTC 2013


On 12/04/13 08:48, Rick van Rein (OpenFortress) wrote:
> Hello,
> 

Hi Rick,

>> Agreed with Rick about no need to replicate the signer status. Our setup
>> have two signers, one active, one hot stand-by. The active sends a dump
>> of the KASP, and a copy of all signconf files to the hot-standby. Zones
>> are signed in both places at the same time, but only picked for
>> publishing from the active one.
> 
> Ah, your standby is hotter than ours :) because we don't let the signer or
> enforcer run on the second.

Not quite then, because we run the signer in both, but the enforcer in
the active signer... so let's call it "mild" :)

> 
>> There are also a set of sanity checks around the resulting zones, to
>> ensure they are similar enough (signed with the same keys, no missing
>> keys, signatures with keys not present, signature inception/expiry in
>> the same ranges, etc).
> 
> Wow, interesting.  Maybe good to describe somewhere in the userspace of the Wiki?

We started with ideas from ldns-compare-zone, plus a couple of local
tweaks to account for different inception/expiration times in the
signatures.

> 
>> To keep the consistency, we run the enforcer manually once a day, and
>> after that run, the KASP is synchronized.
> 
> Neat trick.  We use MySQL replication to get the database state across instantly.
> 

We didn't want to use MySQL to keep things closely tied (one less port
to open). We might be interested if the KASP could run over PostgreSQL.


> This is also (scratch my head and try to recall details) why we run only one of the
> components at the same time -- our servers are run as master/master so in
> theory they should be able to update each other.  MySQL has facilities for
> auto-incrementing with suitable steps to make that work reliably.  But we found
> in the past that OpenDNSSEC had its own ideas about that.  I am not sure if
> this has been resolved -- or if we ever filed it as a bug...
> 
>> The signing policy for the SOA is to keep, so the unsigned zone controls
>> the serial number.
> 
> Cheers,
>  -Rick
> 

Cheers,
-- 
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
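The zone sanity checks Sebastian describes above (both copies signed with the same keys, no RRSIG made by a key absent from the DNSKEY RRset, inception/expiry within a tolerance), as an added example that is not part of this thread and not ldns-compare-zone itself; the two zone texts, the key material and the 3600 s tolerance are constructed assumptions.

```python
import base64
from datetime import datetime, timezone

# Constructed sample zones (presentation format), not real data; the standby copy carries one RRSIG by key tag 9999, absent from DNSKEY
ACTIVE = """
example. 3600 IN DNSKEY 257 3 13 AQID
example. 3600 IN DNSKEY 256 3 13 BAUG
example. 3600 IN RRSIG SOA 13 1 3600 20130425000000 20130411000000 3602 example. c2ln
example. 3600 IN RRSIG DNSKEY 13 1 3600 20130425000000 20130411000000 2064 example. c2ln
"""
STANDBY = """
example. 3600 IN DNSKEY 257 3 13 AQID
example. 3600 IN DNSKEY 256 3 13 BAUG
example. 3600 IN RRSIG SOA 13 1 3600 20130425003000 20130411003000 3602 example. c2ln
example. 3600 IN RRSIG DNSKEY 13 1 3600 20130425000000 20130411000000 9999 example. c2ln
"""
def key_tag(flags, proto, alg, key_b64):
    # RFC 4034 Appendix B: 16-bit sum with carry fold over the DNSKEY RDATA wire form
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + base64.b64decode(key_b64)
    ac = sum((b << 8) if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF
# RRSIG time YYYYMMDDHHMMSS (UTC) -> epoch seconds
_ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc).timestamp()
def parse_zone(text):
    # returns (set of DNSKEY key tags, {(owner, type covered, key tag): (expiration, inception)})
    keys, sigs = set(), {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[3] == "DNSKEY":
            keys.add(key_tag(int(f[4]), int(f[5]), int(f[6]), f[7]))
        elif f[3] == "RRSIG":  # type alg labels origttl expiration inception keytag signer sig
            sigs[(f[0], f[4], int(f[10]))] = (_ts(f[8]), _ts(f[9]))
    return keys, sigs

def compare_zones(active_text, standby_text, max_skew=3600):
    # the checks named in the thread: same keys, no RRSIG by an absent key, similar validity windows
    problems, (a_keys, a_sigs), (s_keys, s_sigs) = [], parse_zone(active_text), parse_zone(standby_text)
    if a_keys != s_keys:
        problems.append(f"DNSKEY sets differ, key tags {sorted(a_keys ^ s_keys)}")
    for side, keys, sigs in (("active", a_keys, a_sigs), ("standby", s_keys, s_sigs)):
        for owner, rtype, tag in sigs:
            if tag not in keys:
                problems.append(f"{side}: RRSIG {owner} {rtype} by key tag {tag} not in DNSKEY RRset")
    for rrsig in sorted(a_sigs.keys() ^ s_sigs.keys()):
        problems.append(f"RRSIG {rrsig} present on only one side")
    for rrsig in a_sigs.keys() & s_sigs.keys():
        skew = max(abs(x - y) for x, y in zip(a_sigs[rrsig], s_sigs[rrsig]))
        if skew > max_skew:
            problems.append(f"RRSIG {rrsig} validity window differs by {int(skew)}s")
    return problems
```

An empty list means the standby copy is safe to publish in place of the active one; the skew tolerance absorbs the differing inception/expiration times Sebastian mentions.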


