[Opendnssec-user] high availability

Ville Mattila vmattila at csc.fi
Thu Jun 26 09:44:22 UTC 2014


Hi,

On 2014-06-26 11:13, Emil Natan wrote:

> On Thu, Jun 26, 2014 at 10:45 AM, Klaus Darilion
> <klaus.mailinglists at pernau.at> wrote:
> 
> 
> 
>     On 25.06.2014 15:13, Emil Natan wrote:
>     > Hello,
>     >
>     > My goal is to replicate the ODS configuration between two nodes, one is
>     > active with ODS running and one passive where ODS is not running.
>     >
>     > https://wiki.opendnssec.org/display/DOCS/High+availability
>     >
>     > ... states under the "What to copy" section:
>     >
>     > "The state data - the minimum data required are the signconf files
>     > (default location is the  /var/opendnssec/signconf directory)"
>     >
>     > I see the files under signconf actually contain configuration copied
>     > from kasp.conf and information about the keys which is stored in the
>     > database (in my case MySQL). If missing these files, they are
>     > automatically created when the enforcer starts. My point is I do not see
>     > a reason to copy these files from one machine to another if they are
>     > created when the enforcer starts. Can I really omit this step or am I
>     > missing something?
> 
>     How will the enforcer on the backup server know which are the currently
>     used keys? E.g. how many key rollovers were done meanwhile?
> 
> I'm not sure I got your point. Information about the keys is stored in
> the database which is replicated on the backup server. When the enforcer
> is started it reads that information and its configuration files and
> creates the signconf xml files used by the signer including pointers to
> the keys currently used for signing. Am I missing something?

(I think your description is correct and you are not missing anything;
our HA design is based on this idea and I would be very interested to
know if it's wrong..)

>     We have the signer running on both servers, but the enforcer only runs
>     on the main server. And the output files of the enforcer are rsynced to
>     the backup server. When the backup becomes the master, we start the
>     enforcer on the backup server and switch the rsync direction.
> 
> I'm considering that scenario as well. The problem which I have to
> resolve is when to rsync the xml-s created by the enforcer. Using a
> cronjob to run rsync at some intervals is not ideal because it can
> create a gap when the files are changed and something happens with the
> active server before the rsync is invoked. Another option is to use a
> shared storage as DRBD, but my experience with DRBD is not so positive.
> Now I'm considering using Inotify to trigger the rsync. Can you please
> share how you are managing the rsync process, I mean how/when do you
> trigger the process?

Signer writes the signed zone to a file and runs NotifyCommand[1] script
which runs rsync (and validns and ldns-verify-zone) before it pushes the
signed zone to the DNS servers.  Though I'm not sure if you can use
NotifyCommand with DNS output adapters.

[1]
https://wiki.opendnssec.org/display/DOCS/conf.xml#conf.xml-SignerConfiguration

You could also run 'ods-enforcerd -1' e.g. once a week instead of
letting ods-enforcerd run continuously as daemon:
1. Shut down ods-signerd.
2. Run 'ods-enforcerd -1' on primary server to let it update KASP
database and signconf files.
3. Synchronize KASP db (and signconfs if you wish) from primary to
standby OpenDNSSEC servers.
4. Start up ods-signerd again.
Shutting down ods-signerd temporarily is to make sure the standby
servers have the exact same KASP/signconf info which the signer daemon
on the primary server is going to be using next.  (Of course it's
equally important to make sure there is not too much delay or drops in
the propagation of signed zone data from OpenDNSSEC to all DNS servers
of the zone, because currently there is no way to give feedback to
enforcer about when the key rollover updates actually made it into DNS.)

Thanks,
-- 
Ville Mattila, CSC
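The four weekly steps above written as one cron-able script; this is an added example, not code from the mail or from the OpenDNSSEC project. Only 'ods-enforcerd -1', rsync and the signconf directory come from the mail; using ods-control to stop/start the signer, copying the KASP database with mysqldump (rather than relying on MySQL replication) and the standby host name are assumptions.

```shell
#!/bin/sh
# Added example: the weekly "enforcer once" sync described in the mail, as one
# script. Hypothetical host/paths; ods-control, mysqldump and rsync are assumed
# to be the tools used (the mail names only ods-enforcerd -1 and rsync).
set -eu

STANDBY_HOST="${STANDBY_HOST:-ods-standby.example.net}"   # assumed standby host
SIGNCONF_DIR="${SIGNCONF_DIR:-/var/opendnssec/signconf}"
KASP_DB="${KASP_DB:-kasp}"                                # assumed MySQL db name
DUMP_FILE="${DUMP_FILE:-/var/opendnssec/kasp-sync.sql}"

# Tool names are variables so a dry run can substitute stubs.
ODS_CONTROL="${ODS_CONTROL:-ods-control}"
ODS_ENFORCERD="${ODS_ENFORCERD:-ods-enforcerd}"
MYSQLDUMP="${MYSQLDUMP:-mysqldump}"
RSYNC="${RSYNC:-rsync}"

# Step 1: stop the signer so it cannot start using a signconf the standby lacks.
stop_signer()  { "$ODS_CONTROL" signer stop; }
# Step 4: signer back on; also run when an earlier step failed.
start_signer() { "$ODS_CONTROL" signer start; }
# Step 2: one enforcer pass updates the KASP db and rewrites the signconf files.
run_enforcer_once() { "$ODS_ENFORCERD" -1; }
# Step 3: copy KASP state and signconfs to the standby (assumes a dump, not
# MySQL replication, is how the db reaches the standby). Stops at first error.
sync_state() {
    "$MYSQLDUMP" --single-transaction "$KASP_DB" > "$DUMP_FILE" &&
    "$RSYNC" -a "$DUMP_FILE" "$STANDBY_HOST:$DUMP_FILE" &&
    "$RSYNC" -a --delete "$SIGNCONF_DIR/" "$STANDBY_HOST:$SIGNCONF_DIR/"
}

# Run the four steps in order. The signer is restarted even if step 2 or 3
# failed, and the exit status reports the first failure, so a failed sync is
# visible to cron/monitoring instead of silently leaving primary and standby
# with different key state.
weekly_sync() {
    stop_signer || return 1
    status=0
    run_enforcer_once && sync_state || status=$?
    start_signer || status=$?
    return "$status"
}

case "${1:-}" in
    run) weekly_sync ;;
esac
```

Invoke as 'sh ods-weekly-sync.sh run' from the primary's crontab; without the 'run' argument the file only defines the functions.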
