[Opendnssec-user] high availability
shlyoko at gmail.com
Thu Jun 26 10:44:24 UTC 2014
On Thu, Jun 26, 2014 at 12:44 PM, Ville Mattila <vmattila at csc.fi> wrote:
> On 2014-06-26 11:13, Emil Natan wrote:
> > On Thu, Jun 26, 2014 at 10:45 AM, Klaus Darilion
> > <klaus.mailinglists at pernau.at> wrote:
> > On 25.06.2014 15:13, Emil Natan wrote:
> > > Hello,
> > >
> > > My goal is to replicate the ODS configuration between two nodes, one is
> > > active with ODS running and one passive where ODS is not running.
> > >
> > > https://wiki.opendnssec.org/display/DOCS/High+availability
> > >
> > > ... states under the "What to copy" section:
> > >
> > > "The state data - the minimum data required are the signconf files
> > > (default location is the /var/opendnssec/signconf directory)"
> > >
> > > I see the files under signconf actually contain configuration
> > > from kasp.conf and information about the keys which is stored in
> > > database (in my case MySQL). If these files are missing, they are
> > > automatically created when the enforcer starts. My point is I do not see
> > > a reason to copy these files from one machine to another if they are
> > > created when the enforcer starts. Can I really omit this step or am I
> > > missing something?
> > How will the enforcer on the backup server know which are the
> > used keys? E.g. how many key rollovers were done meanwhile?
> > I'm not sure I got your point. Information about the keys is stored in
> > the database which is replicated on the backup server. When the enforcer
> > is started it reads that information and its configuration files and
> > creates the signconf xml files used by the signer including pointers to
> > the keys currently used for signing. Am I missing something?
> (I think your description is correct and you are not missing anything;
> our HA design is based on this idea and I would be very interested to
> know if it's wrong..)
> > We have the signer running on both servers, but the enforcer only
> > on the main server. And the output files of the enforcer are rsynced
> > the backup server. When the backup becomes the master, we start the
> > enforcer on the backup server and switch the rsync direction.
> > I'm considering that scenario as well. The problem which I have to
> > resolve is when to rsync the xml-s created by the enforcer. Using a
> > cronjob to run rsync at some intervals is not ideal because it can
> > create a gap when the files are changed and something happens with the
> > active server before the rsync is invoked. Another option is to use a
> > shared storage such as DRBD, but my experience with DRBD is not so positive.
> > Now I'm considering using Inotify to trigger the rsync. Can you please
> > share how you are managing the rsync process, I mean how/when do you
> > trigger the process?
> Signer writes the signed zone to a file and runs NotifyCommand script
> which runs rsync (and validns and ldns-verify-zone) before it pushes the
> signed zone to the DNS servers. Though I'm not sure if you can use
> NotifyCommand with DNS output adapters.
> You could also run 'ods-enforcerd -1' e.g. once a week instead of
> letting ods-enforcerd run continuously as daemon:
> 1. Shut down ods-signerd.
> 2. Run 'ods-enforcerd -1' on primary server to let it update KASP
> database and signconf files.
> 3. Synchronize KASP db (and signconfs if you wish) from primary to
> standby OpenDNSSEC servers.
> 4. Start up ods-signerd again.
> Shutting down ods-signerd temporarily is to make sure the standby
> servers have the exact same KASP/signconf info which the signer daemon
> on the primary server is going to be using next. (Of course it's
> equally important to make sure there is not too much delay or drops in
> the propagation of signed zone data from OpenDNSSEC to all DNS servers
> of the zone, because currently there is no way to give feedback to
> enforcer about when the key rollover updates actually made it into DNS.)
> Ville Mattila, CSC
Ok, so you actually rely on the signer invocation to trigger the rsync via
the NotifyCommand and the process includes a single run of the enforcer.
That's all fine, but it still can leave a gap between the data on the
active server and what you have on the stand-by servers if the enforcer is
invoked (manually or automatically each <Interval>) and changes are
introduced until the signer is invoked again. I do not know how often the
signer runs in your scenario, but theoretically your servers can run out of
sync. As far as I understand in the ideal scenario the rsync should be run
after each run of the enforcer, but the enforcer functionality lacks such
Thank you very much for sharing the above information.
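As an added illustration (not code from this thread or from the OpenDNSSEC project), the POSIX shell script below puts the two approaches Ville describes into one place: a NotifyCommand wrapper that verifies the freshly signed zone with ldns-verify-zone and replicates the signconf directory and the signed zone to the standby before the DNS servers are notified, and a wrapper for the "ods-enforcerd -1" procedure (stop signer, run enforcer once, sync, start signer). The standby hostname, the use of ods-control and "rndc reload", and the paths are assumptions; OpenDNSSEC substitutes %zone and %zonefile in the NotifyCommand line. Every external command is held in a variable so the logic can be dry-run with stubs, and both wrappers fail closed: nothing is notified unless verification and replication both succeeded, and the signer is restarted even when the enforcer run fails.

```shell
#!/bin/sh
# notify-and-replicate.sh: hypothetical NotifyCommand wrapper (added example,
# not OpenDNSSEC's own code). Configured in conf.xml as (assumed path):
#   <NotifyCommand>/usr/local/sbin/notify-and-replicate.sh %zone %zonefile</NotifyCommand>

STANDBY="${STANDBY:-standby.example.net}"              # assumed standby host
SIGNCONF_DIR="${SIGNCONF_DIR:-/var/opendnssec/signconf}"
KASP_DB="${KASP_DB:-}"   # empty: KASP DB is replicated by MySQL, not rsynced
# External commands as variables so they can be replaced by stubs offline.
VERIFY="${VERIFY:-ldns-verify-zone}"
RSYNC="${RSYNC:-rsync}"
PUSH="${PUSH:-rndc}"                  # assumed: DNS servers are BIND, reloaded via rndc
ODS_CONTROL="${ODS_CONTROL:-ods-control}"
ENFORCER="${ENFORCER:-ods-enforcerd}"

log() {
    logger -t ods-notify -- "$*" 2>/dev/null || printf '%s\n' "$*" >&2
}

# verify_zone ZONE ZONEFILE: non-zero if the signed zone does not validate.
verify_zone() {
    "$VERIFY" "$2" >/dev/null 2>&1
}

# replicate ZONE ZONEFILE: copy signconf and the signed zone to the standby;
# fails if either transfer fails so the caller does not notify on partial state.
replicate() {
    "$RSYNC" -a --delete "$SIGNCONF_DIR/" "$STANDBY:$SIGNCONF_DIR/" &&
    "$RSYNC" -a "$2" "$STANDBY:$2"
}

# notify_and_replicate ZONE ZONEFILE: the NotifyCommand entry point.
# Exit status 2: verification failed; 3: replication failed; else status of push.
notify_and_replicate() {
    nr_zone="$1"; nr_file="$2"
    if ! verify_zone "$nr_zone" "$nr_file"; then
        log "zone $nr_zone failed verification; not replicating, not notifying"
        return 2
    fi
    if ! replicate "$nr_zone" "$nr_file"; then
        log "replication of $nr_zone to $STANDBY failed; not notifying"
        return 3
    fi
    "$PUSH" reload "$nr_zone"
}

# enforce_once_and_sync: Ville's four steps for running the enforcer on demand.
# The signer is stopped so the standby gets exactly the KASP/signconf state the
# signer will use next, and it is restarted whatever the enforcer's outcome.
enforce_once_and_sync() {
    "$ODS_CONTROL" signer stop || return 1
    eos_rc=0
    "$ENFORCER" -1 || eos_rc=$?
    if [ "$eos_rc" -eq 0 ]; then
        "$RSYNC" -a --delete "$SIGNCONF_DIR/" "$STANDBY:$SIGNCONF_DIR/" || eos_rc=$?
        if [ -n "$KASP_DB" ]; then          # only for a file-based KASP DB
            "$RSYNC" -a "$KASP_DB" "$STANDBY:$KASP_DB" || eos_rc=$?
        fi
    else
        log "ods-enforcerd -1 failed with status $eos_rc; standby not updated"
    fi
    "$ODS_CONTROL" signer start || eos_rc=$?
    return "$eos_rc"
}

# When invoked by ods-signerd with "%zone %zonefile", act as the NotifyCommand.
if [ "$#" -eq 2 ]; then
    notify_and_replicate "$1" "$2"
fi
```

Run with no arguments the script only defines the functions, so "enforce_once_and_sync" can be called from a weekly cron entry or by hand; with two arguments it behaves as the NotifyCommand. The gap Emil points out remains for the continuously running daemon: this script only closes it when the enforcer is driven through enforce_once_and_sync.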