[Opendnssec-user] running ODS concurrently on one server
Sara Dickinson
sara at sinodun.com
Tue Jul 9 09:23:18 UTC 2013
Hi Klaus,
You are correct - the OpenDNSSEC implementation assumes only one signer daemon.
If your use case is High availability then have a look at our documentation pages:
- this has a couple of presentations on High availability user configurations including one from CIRA
https://wiki.opendnssec.org/display/USERDOCREF/OpenDNSSEC+User+Reference+Material
- this is a very general page on things to consider when running in High availability mode (and is still under construction)
https://wiki.opendnssec.org/display/DOCS/High+availability
Regards
Sara.
On 8 Jul 2013, at 16:53, Joe Abley wrote:
> Hi Klaus,
>
> On 2013-07-08, at 09:13, Klaus Darilion <klaus.mailinglists at pernau.at> wrote:
>
>> I want to sign a certain zone multiple times: 1x the original zone + 1x a modified "backup" zone (change SOA serial and maybe some other records)
>
> CIRA's signing infrastructure with .CA provides some experience for a somewhat similar setup. CIRA uses OpenDNSSEC to manage the key policy, and the identities of the keys required to make signatures are extracted from the live policy in order to do their parallel signing with BIND9 (they sign with multiple signers and compare the results before publication).
>
> You could do similar -- extract the key identities from ODS, modify the unsigned zone automagically to your requirements and use the BIND9 tools to sign it with the appropriate keys.
>
> In addition to whatever risks you are mitigating by having the standby signed zone ready for publication, this would also give you an independent implementation (so, e.g., if there ever turns out to be a problem in the ODS signer you have an independently-signed zone to give you some extra comfort).
>
>
> Joe
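
Added example, not part of the original thread and not CIRA's or OpenDNSSEC's own tooling: one way to do the "compare the results before publication" step described above, in Python. It assumes both signers emit one record per line (owner TTL class type rdata) and use the same denial-of-existence parameters; the zone data, key tags and function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: output of signer A (one record per line).
ZONE_A = """\
; signed by signer A
example. 3600 IN SOA ns.example. admin.example. 2013070901 3600 600 86400 3600
example. 3600 IN RRSIG SOA 8 1 3600 20130801000000 20130709000000 12345 example. c2lnQQ==
example. 3600 IN NS ns.example.
example. 3600 IN RRSIG NS 8 1 3600 20130801000000 20130709000000 12345 example. c2lnQg==
www.example. 3600 IN A 192.0.2.1
www.example. 3600 IN RRSIG A 8 2 3600 20130801000000 20130709000000 12345 example. c2lnQw==
"""
# Constructed sample: signer B differs in SOA serial (the "backup" zone case),
# in inception times, and signs www/A with an unexpected key tag.
ZONE_B = (ZONE_A.replace("2013070901", "2013070902")
                .replace("20130709000000", "20130709010000")
                .replace("12345 example. c2lnQw==", "54321 example. c2lnWA=="))

def parse(zone_text):
    """Return (data, sigs): data maps (owner, type) -> set of rdata strings;
    sigs maps (owner, type covered) -> set of (algorithm, key tag, signer)."""
    data, sigs = defaultdict(set), defaultdict(set)
    for line in zone_text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        owner, _ttl, _cls, rtype, *rdata = line.split()
        owner = owner.lower()
        if rtype == "RRSIG":
            # RRSIG rdata: covered alg labels origttl expire incept keytag signer sig
            # Signature bytes and validity times legitimately differ per signer,
            # so only the identity of the signing key is compared.
            sigs[(owner, rdata[0])].add((rdata[1], rdata[6], rdata[7].lower()))
        else:
            data[(owner, rtype)].add(" ".join(rdata))
    return data, sigs

def compare(zone_a, zone_b, ignore=frozenset()):
    """List differences that should block publication.
    ignore holds (owner, type) keys that are expected to differ, e.g. the SOA."""
    (da, sa), (db, sb) = parse(zone_a), parse(zone_b)
    problems = []
    for label, a, b in (("rrset-differs", da, db), ("signing-keys-differ", sa, sb)):
        for key in sorted(set(a) | set(b)):
            if key not in ignore and a.get(key) != b.get(key):
                problems.append((label, key))
    return problems
```

An empty list from compare() means both signers produced the same records signed by the same keys; anything else is a reason to hold publication and look at the named RRset.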