[Opendnssec-user] About High Availability for OpenDNSSEC

Sebastian Castro sebastian at nzrs.net.nz
Mon Aug 25 04:20:50 UTC 2014



On 25/08/14 2:33 pm, gaolei wrote:
> Hi, Emil
>  

Hi GaoLei:


> From the previous thread discussion in
> http://lists.opendnssec.org/pipermail/opendnssec-user/2014-June/003024.html ,
> I notice the idea is like this :
> 1. the master runs enforcer and signer
> 2. the slave runs signer only
> 3. sync conf files from master to slave
> 4. if master is down , run enforcer on slave immediately
>  
> We plan to do like this :
>  
> 1. Two opendnssec instances employed
> 2. The same HSM cluster serves for keys production
> 3. The same Mysql cluster serves for key data storage
>  
> I wonder, if the enforcer runs on both nodes, what will happen? Does the
> enforcer on the slave have to be stopped?
>

Because the enforcer takes care of executing the policy for a zone,
changes will be made to the KASP when there are events like NSEC3 salt
refresh, key rollovers, etc.

We (.nz Registry Services) have a setup with two signers, and at any
given time, one of the signers is the "active" signer, meaning the
enforcer is allowed to run. If the active signer dies, a flag is
switched to indicate the other signer is now active, and we run the
enforcer only via crontab once a day on business days. In that way we
keep all the changes to state under control.

Cheers,

> 
> ------------------------------------------------------------------------
> 2014-08-25 10:12:28
> gaolei
> *From:* Emil Natan <mailto:shlyoko at gmail.com>
> *Date:* 2014-08-24 21:20
> *To:* gaolei <mailto:gaolei at knet.cn>
> *CC:* opendnssec-user <mailto:opendnssec-user at lists.opendnssec.org>
> *Subject:* Re: [Opendnssec-user] About High Availability for OpenDNSSEC
> Hi,
> 
> 
> On Sun, Aug 24, 2014 at 3:59 PM, gaolei <gaolei at knet.cn
> <mailto:gaolei at knet.cn>> wrote:
> 
>      
>     Hi all,
>      
>     From KNET, I notice there is a topic about opendnssec High
>     Availability at
>     https://wiki.opendnssec.org/display/DOCS/High+availability
>      
>     But I was a little puzzled by this page.
>      
>     It mentioned about master/slave like this:
> 
> 
>         Master/Slave
> 
>     Careful consideration should be given to which, if any, processes are
>     run on a slave (or on each master in a Master-Master) configuration.
>     Some operators don't run either the enforcer or the signer on a
>     slave instance but merely duplicate the data between the two
>     instances in a timely fashion. Others run two master servers, both
>     enforcing and signing but only publishing from an 'active' master.
> 
>      
> 
>     I'm wondering what will happen to the rollover of keys if we make a
>     master-master deployment.
> 
>     1. Mysql used to store key data, and
> 
>     2. HSM machine employed to generate keys, and
> 
>     3. Two opendnssec instances running on separate servers for the same zone
> 
>     Will the two opendnssec instances generate different keys for the
>     same zone? If so, it seems as if it will bring troubles when the
>     'active' master is down?
> 
> 
> Yes, the two instances will generate different keys and that will cause
> problems on switching between the two signers. It's not clear if you
> plan to use separate HSM for each of the ODS instances, but what you
> generally do is pre-generate keys and have them synced in case of two
> HSMs. The MySQL on both signers should be in sync, the HSM key mapping
> files as well so basically the two signers sign the zone using the same
> keys.
> Here is another thread of the mailing list discussing HA.
> http://lists.opendnssec.org/pipermail/opendnssec-user/2014-June/003024.html
> 
> HTH
> 
> Emil
> 
>      
> 
>     Can anyone give more suggestions on the High Availability of opendnssec?
> 
>      
> 
>     Best Regards!
> 
>      
>     ------------------------------------------------------------------------
>     2014-08-24 18:05:37
>     gaolei
> 
>     _______________________________________________
>     Opendnssec-user mailing list
>     Opendnssec-user at lists.opendnssec.org
>     <mailto:Opendnssec-user at lists.opendnssec.org>
>     https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
> 
> 
> 
> 
> 

-- 
Sebastian Castro
Technical Research Manager
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
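The active-flag gating described in this reply, written out as an added example that is not from the thread or from the OpenDNSSEC project: a cron wrapper that runs the enforcer once, and only on the node whose flag file names it, with a lock so two cron runs cannot overlap. The flag path, lock path, the convention of storing the active host name in the flag, and the use of OpenDNSSEC 1.4's `ods-enforcerd -1` (run once, then exit) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenDNSSEC itself. Cron wrapper that
# runs the enforcer once, and only on the node currently marked "active".
# Assumed: the failover procedure writes the active node's short host name into
# ODS_ACTIVE_FLAG, and OpenDNSSEC 1.4's `ods-enforcerd -1` (run once, then exit).
ODS_ACTIVE_FLAG="${ODS_ACTIVE_FLAG:-/etc/opendnssec/ha-active}"          # assumed
ODS_LOCK_DIR="${ODS_LOCK_DIR:-/var/run/opendnssec/enforcer-ha.lock}"     # assumed
ODS_ENFORCER_CMD="${ODS_ENFORCER_CMD:-ods-enforcerd -1}"

# Succeeds only when the flag file exists and its first line names this host.
# A missing or empty flag means "standby": the enforcer must not touch the KASP.
is_active_node() {
    flag="$1"; me="$2"
    [ -f "$flag" ] || return 1
    owner=$(head -n 1 "$flag" 2>/dev/null | tr -d '[:space:]')
    [ -n "$owner" ] && [ "$owner" = "$me" ]
}

# mkdir is atomic, so two overlapping cron runs cannot both start the enforcer.
acquire_lock() { mkdir "$1" 2>/dev/null; }
release_lock() { rmdir "$1" 2>/dev/null; }

run_enforcer_if_active() {
    host=$(hostname -s 2>/dev/null || hostname)
    if ! is_active_node "$ODS_ACTIVE_FLAG" "$host"; then
        logger -t ods-ha "standby node $host: enforcer not run"
        return 0
    fi
    if ! acquire_lock "$ODS_LOCK_DIR"; then
        logger -t ods-ha "enforcer already running on $host, skipping"
        return 0
    fi
    trap 'release_lock "$ODS_LOCK_DIR"' INT TERM
    logger -t ods-ha "active node $host: running enforcer once"
    if $ODS_ENFORCER_CMD; then status=0; else status=$?; fi
    release_lock "$ODS_LOCK_DIR"
    trap - INT TERM
    return $status
}

# Only act when invoked as `ods-enforcer-ha.sh run` (e.g. from cron); sourcing
# the file just defines the functions.
case "${1:-}" in
    run) run_enforcer_if_active ;;
esac
```

Installed on both nodes with the same crontab entry, only the node named in the flag file ever changes KASP state; switching the flag is the whole failover step as far as the enforcer is concerned.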


