[Opendnssec-user] high availability

Siôn Lloyd sion at nominet.org.uk
Wed Jun 25 15:08:21 UTC 2014

On 25/06/14 15:56, Emil Natan wrote:
> Hi Sion,
> Thank you very much for your response. I actually never thought about
> scenario when the signer is running and the enforcer is down, but your
> point is perfectly valid and the idea can be useful in certain
> circumstances. Thanks.
> Emil

No problem.

The most immediate event in most situations is likely to be signature
expiry (or the need to update the zone); so getting a signer running and
using the correct keys should be your first priority.

Getting an enforcer running can wait. Assuming that you are happy with
the keys you are using, the only thing you might break is your policy of
how often to roll, and this does not stop validation.


> On Wed, Jun 25, 2014 at 5:42 PM, Siôn Lloyd <sion at nominet.org.uk
> <mailto:sion at nominet.org.uk>> wrote:
>     On 25/06/14 14:13, Emil Natan wrote:
>>     Hello,
>>     My goal is to replicate the ODS configuration between two nodes,
>>     one is active with ODS running and one passive where ODS is not
>>     running.
>>     https://wiki.opendnssec.org/display/DOCS/High+availability
>>     ... states under the "What to copy" section:
>>     "The state data - the minimum data required are the signconf
>>     files (default location is the  /var/opendnssec/signconf directory)"
>>     I see the files under signconf actually contain configuration
>>     copied from kasp.conf and information about the keys which is
>>     stored in the database (in my case MySQL). If missing these
>>     files, they are automatically created when the enforcer starts.
>>     My point is I do not see a reason to copy these files from one
>>     machine to another if they are created when the enforcer starts.
>>     Can I really omit this step, or am I missing something?
>>     Thanks.
>>     Emil
>     Hi Emil,
>     I think that the meaning here is that so long as you have those
>     files you can run a signer instance and so keep signatures from
>     expiring.
>     Your assertion about them being created by the enforcer is
>     correct. However, when you start your backup enforcer you need to
>     be sure that the keyset is the same and so these files can be
>     useful for that too.
>     Sion
>     _______________________________________________
>     Opendnssec-user mailing list
>     Opendnssec-user at lists.opendnssec.org
>     <mailto:Opendnssec-user at lists.opendnssec.org>
>     https://lists.opendnssec.org/mailman/listinfo/opendnssec-user

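The point raised above, that the signconf files let you check that the keyset on the standby node matches the one the active signer is using before you start a backup enforcer, can be turned into a concrete pre-failover check. The script below is an added example and is not OpenDNSSEC's own tooling or code from this thread. It assumes the signconf layout the enforcer writes under /var/opendnssec/signconf: a SignerConfiguration root, one Zone element with a name attribute, and Keys/Key entries carrying Flags, Algorithm, Locator, a KSK or ZSK role element and an optional Publish element. The two "nodes" are constructed in-memory documents, with the passive copy deliberately stale (taken before a ZSK roll on one zone, and missing the other zone entirely).

```python
"""Compare per-zone keysets from two signconf directories (active vs. passive
OpenDNSSEC node) so a standby enforcer is not started against a different
keyset than the running signer. Added example; the signconf element names
used here are an assumption about the enforcer's output format."""
import xml.etree.ElementTree as ET
from pathlib import Path


def keyset_from_signconf(xml_doc):
    """Return {zone_name: frozenset(key_tuple)} for one signconf document.

    A key tuple is (flags, algorithm, locator, role, published). The locator
    is the HSM key identifier the signer uses to find the private key."""
    root = ET.fromstring(xml_doc)
    if root.tag != "SignerConfiguration":
        raise ValueError("not a signconf document, root is %r" % root.tag)
    zones = {}
    for zone in root.findall("Zone"):
        keys = set()
        for key in zone.findall("Keys/Key"):
            role = "KSK" if key.find("KSK") is not None else "ZSK"
            keys.add((
                key.findtext("Flags"),
                key.findtext("Algorithm"),
                key.findtext("Locator"),
                role,
                key.find("Publish") is not None,
            ))
        zones[zone.get("name")] = frozenset(keys)
    return zones


def load_signconf_dir(path):
    """Merge every *.xml signconf file in a directory into one keyset map."""
    merged = {}
    for f in sorted(Path(path).glob("*.xml")):
        merged.update(keyset_from_signconf(f.read_bytes()))
    return merged


def compare_keysets(active, passive):
    """Return a sorted list of (zone, problem, key_or_None) findings.

    An empty list means the passive node holds exactly the keyset the active
    signer is using, so its enforcer can be started without changing keys."""
    findings = []
    for zone in sorted(set(active) | set(passive)):
        if zone not in passive:
            findings.append((zone, "missing-on-passive", None))
            continue
        if zone not in active:
            findings.append((zone, "missing-on-active", None))
            continue
        for key in sorted(active[zone] - passive[zone]):
            findings.append((zone, "key-only-on-active", key))
        for key in sorted(passive[zone] - active[zone]):
            findings.append((zone, "key-only-on-passive", key))
    return findings


# --- constructed sample data for the demo (not real signconf output) ---

def _signconf(zone, keys):
    """Build a minimal signconf-shaped document; keys = [(flags, locator, role)]."""
    body = "".join(
        "<Key><Flags>%s</Flags><Algorithm>8</Algorithm><Locator>%s</Locator>"
        "<%s/><Publish/></Key>" % (flags, locator, role)
        for flags, locator, role in keys)
    return ('<SignerConfiguration><Zone name="%s"><Keys><TTL>PT3600S</TTL>%s'
            '</Keys></Zone></SignerConfiguration>' % (zone, body))


ACTIVE_NODE = [
    _signconf("example.com", [("257", "ksk-0001", "KSK"), ("256", "zsk-0002", "ZSK")]),
    _signconf("example.net", [("257", "ksk-0003", "KSK"), ("256", "zsk-0004", "ZSK")]),
]
# Stale copy: replicated before the example.com ZSK roll, example.net never copied.
PASSIVE_NODE = [
    _signconf("example.com", [("257", "ksk-0001", "KSK"), ("256", "zsk-0001", "ZSK")]),
]


def keysets_from_docs(docs):
    merged = {}
    for doc in docs:
        merged.update(keyset_from_signconf(doc))
    return merged


def demo():
    return compare_keysets(keysets_from_docs(ACTIVE_NODE), keysets_from_docs(PASSIVE_NODE))


if __name__ == "__main__":
    for zone, problem, key in demo():
        print(zone, problem, key if key else "")
```

On real nodes, replace the constructed documents with `load_signconf_dir("/var/opendnssec/signconf")` run on each host (or on a copy pulled from the passive node) and treat any finding as a reason not to start the standby enforcer until the signconf files, and the underlying key material in the HSM, have been brought back in sync.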