[Opendnssec-user] high availability

Emil Natan shlyoko at gmail.com
Thu Jun 26 08:13:58 UTC 2014

Hi Klaus and thank you for your response.

On Thu, Jun 26, 2014 at 10:45 AM, Klaus Darilion <
klaus.mailinglists at pernau.at> wrote:

> On 25.06.2014 15:13, Emil Natan wrote:
> > Hello,
> >
> > My goal is to replicate the ODS configuration between two nodes, one is
> > active with ODS running and one passive where ODS is not running.
> >
> > https://wiki.opendnssec.org/display/DOCS/High+availability
> >
> > ... states under the "What to copy" section:
> >
> > "The state data - the minimum data required are the signconf files
> > (default location is the  /var/opendnssec/signconf directory)"
> >
> > I see the files under signconf actually contain configuration copied
> > from kasp.conf and information about the keys which is stored in the
> > database (in my case MySQL). If missing these files, they are
> > automatically created when the enforcer starts. My point is I do not see
> > a reason to copy these files from one machine to another if they are
> > created when the enforcer starts. Can I really omit this step or I'm
> > missing something?
> How will the enforcer on the backup server know which are the currently
> used keys? E.g. how many key rollovers were done meanwhile?
> I'm not sure I got your point. Information about the keys is stored in the
database which is replicated on the backup server. When the enforcer is
started it reads that information and it's configuration files and creates
the signconf xml files used by the signer including pointers to the keys
currently used for signing. Am I missing something?

> We have the signer running on both servers, but the enforcer only runs
> on the main server. And the output files of the enforcer are rsynced to
> the backup server. When the backup becomes the master, we start the
> enforcer on the backup server and switch the rsync direction.
> I'm considering that scenario as well. The problem which I have to resolve
is when to rsync the xml-s created by the enforcer. Using a cronjob to run
rsync at some intervals is not ideal because it can create a gap when the
files are changed and something happens with the active server before the
rsync is invoked. Another option is to use a shared storage as DRBD, but my
experience with DRBD is not so positive. Now I'm considering to use Inotify
to trigger the rsync. Can you please share how are you managing the rsync
process, I mean how/when do you trigger the process?


> regards
> Klaus
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140626/a270f84e/attachment.htm>

More information about the Opendnssec-user mailing list