[Opendnssec-user] About High Availablity for OpenDNSSEC

Emil Natan shlyoko at gmail.com
Sun Aug 24 13:20:09 UTC 2014 

Hi,


On Sun, Aug 24, 2014 at 3:59 PM, gaolei <gaolei at knet.cn> wrote:

>
>   Hi all,
>
> From KNET , I notice there is a topic about opendnssec High Availablity at
> https://wiki.opendnssec.org/display/DOCS/High+availability
>
> But I was a little puzzled by this page.
>
> It mentioned about master/slave like this:
>  Master/Slave
>
> Careful consideration should be given to which, if any, process are run on
> a slave (or on each master in a Master-Master) configuration. Some
> operators don't run either the enforcer or the signer on a slave instance
> but merely duplicate the data between the two instances in a timely
> fashion. Others run two master servers, both enforcing and signing but only
> publishing from an 'active' master.
>
>
>
> I'm wondering what will happen to the rollover of keys if we make a
> master-master deployment.
>
> 1.Mysql used to store keys data , and
>
> 2.HSM machine employed to generate keys , and
>
> 3.Two opendnssec instances running on seperate servers for the same zone
>
> Will the two opendnssec instances generate different keys for the same
> zone? If so , it seems as if it will bring troubles when the 'active'
> master is down ?
>
>
Yes, the two instances will generate different keys and that will cause
problems on switching between the two signers. It's not clear if you plan
to use separate HSM for each of the ODS instances, but what you generally
do is pre-generate keys and have them synced in case of two HSMs. The MySQL
on both signers should be in sync, the HSM key mapping files as well so
basically the two signers sign the zone using the same keys.
Here is  another thread of the mailing list discussing HA.
http://lists.opendnssec.org/pipermail/opendnssec-user/2014-June/003024.html

HTH

Emil

>
>
> Can anyone give more suggestions on the High Availablity of opendnssec ?
>
>
>
> Best Regards!
>
> ------------------------------
> 2014-08-24 18:05:37
> gaolei
>
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140824/59b822b9/attachment.htm>

More information about the Opendnssec-user mailing list