[Opendnssec-user] high availability

Klaus Darilion klaus.mailinglists at pernau.at
Thu Jun 26 12:23:58 UTC 2014

Hi Emil, comments inline.

On 26.06.2014 10:13, Emil Natan wrote:
> Hi Klaus and thank you for your response.
> On Thu, Jun 26, 2014 at 10:45 AM, Klaus Darilion
> <klaus.mailinglists at pernau.at> wrote:
>     On 25.06.2014 15:13, Emil Natan wrote:
>     > Hello,
>     >
>     > My goal is to replicate the ODS configuration between two nodes, one
>     > active with ODS running and one passive where ODS is not running.
>     >
>     > https://wiki.opendnssec.org/display/DOCS/High+availability
>     >
>     > ... states under the "What to copy" section:
>     >
>     > "The state data - the minimum data required are the signconf files
>     > (default location is the  /var/opendnssec/signconf directory)"
>     >
>     > I see the files under signconf actually contain configuration copied
>     > from kasp.conf and information about the keys which is stored in the
>     > database (in my case MySQL). If these files are missing, they are
>     > automatically created when the enforcer starts. My point is I do not
>     > see a reason to copy these files from one machine to another if they
>     > are created when the enforcer starts. Can I really omit this step, or
>     > am I missing something?
>     How will the enforcer on the backup server know which are the currently
>     used keys? E.g. how many key rollovers were done meanwhile?
> I'm not sure I got your point. Information about the keys is stored in
> the database which is replicated on the backup server. When the enforcer
> is started it reads that information and its configuration files and
> creates the signconf xml files used by the signer, including pointers to
> the keys currently used for signing. Am I missing something?

I guess it depends on your setup. The kasp.db must be synced for sure.

As we do not know if there are any "random" activities in the enforcer,
and we are always signing on both nodes, we have chosen to sync the XML
files too. This way the generated signed zones should always be identical.

>     We have the signer running on both servers, but the enforcer only runs
>     on the main server. And the output files of the enforcer are rsynced to
>     the backup server. When the backup becomes the master, we start the
>     enforcer on the backup server and switch the rsync direction.
> I'm considering that scenario as well. The problem which I have to
> resolve is when to rsync the xml-s created by the enforcer. Using a
> cronjob to run rsync at some intervals is not ideal because it can
> create a gap when the files are changed and something happens with the
> active server before the rsync is invoked. Another option is to use
> shared storage such as DRBD, but my experience with DRBD is not so positive.
> Now I'm considering using inotify to trigger the rsync. Can you please
> share how you are managing the rsync process, I mean how/when do you
> trigger the process?

We use inotify to detect changes in the XML files.
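A concrete shape for the inotify-triggered rsync discussed above, written as an added example for this archive page; it is not Klaus's script and not part of OpenDNSSEC. The signconf path, the standby hostname, the rsync options and the optional post-sync hook are all assumptions, and the kasp.db / MySQL replication that the thread says must also happen is out of scope for this script. The event filter is split into its own function so it can be checked without inotify-tools installed:

```shell
#!/bin/sh
# Push the enforcer's signconf XML files to the standby node as soon as
# they change, instead of waiting for a periodic cron rsync.
# Example only; SIGNCONF_DIR, STANDBY and POST_SYNC are assumed values.
set -u

SIGNCONF_DIR="${SIGNCONF_DIR:-/var/opendnssec/signconf}"   # assumed ODS default
STANDBY="${STANDBY:-standby.example.net}"                  # hypothetical standby host
RSYNC="${RSYNC:-rsync}"
# Optional hook run after a successful sync, e.g. a command that tells the
# signer on the standby to re-read its signconf. Left empty here (assumption).
POST_SYNC="${POST_SYNC:-}"

# Decide whether one inotifywait event warrants a sync.
#   $1 = comma-separated event names (inotifywait's %e), $2 = file name (%f)
# The enforcer may write into temporary files first, so only react to
# signconf XML files that were closed after writing, moved into place,
# or deleted; returns 0 to sync, 1 to ignore.
should_sync() {
    case "$2" in
        *.xml) ;;
        *) return 1 ;;
    esac
    case ",$1," in
        *,CLOSE_WRITE,*|*,MOVED_TO,*|*,DELETE,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Mirror the whole signconf directory; --delete removes zones that were
# dropped on the master. The directory check protects the standby from
# being emptied if the source is absent (e.g. an unmounted volume).
sync_signconf() {
    [ -d "$SIGNCONF_DIR" ] || { echo "missing $SIGNCONF_DIR" >&2; return 1; }
    "$RSYNC" -a --delete "$SIGNCONF_DIR/" "$STANDBY:$SIGNCONF_DIR/" || return 1
    [ -z "$POST_SYNC" ] || $POST_SYNC
}

# Full sync at startup (covers changes made while the watcher was down),
# then one rsync per relevant event. rsync is idempotent, so a burst of
# events during a key rollover only costs a few extra runs.
watch_signconf() {
    sync_signconf || echo "initial sync failed" >&2
    inotifywait -m -e close_write -e moved_to -e delete \
        --format '%e %f' "$SIGNCONF_DIR" |
    while read -r events file; do
        if should_sync "$events" "$file"; then
            sync_signconf || echo "sync after $events on $file failed" >&2
        fi
    done
}

# Run the watcher only when invoked as: ./signconf-sync.sh watch
if [ "${1:-}" = "watch" ]; then
    watch_signconf
fi
```

Event-driven syncing narrows the gap Emil describes but does not close it: a file the enforcer wrote in the instant before the master dies is still lost, so the standby must be able to tolerate (or detect) a signconf that is one step behind the replicated kasp.db. Also restrict the SSH key rsync uses on the standby (forced command, no shell), since a compromised master would otherwise hold write access to the standby's signer configuration.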

