[Opendnssec-user] About High Availablity for OpenDNSSEC

gaolei gaolei at knet.cn
Tue Sep 16 10:28:09 CEST 2014

Hi, all
On the HA of opendnssec , I committed a test like this:
1. Enforcer and Signer were running on serverA to serve as master opendnssec
2. Another Singer was running on serverB to serve as slave opendnssec
3. Outbind BIND serverC took serverA and B both as master BIND.

       /       \
     /           \
serverA                  serverB
opendnssec master         opendnssec slave 
                          \           /
                           \        /

I found when i shutdown server A, dns update cannot transfer from serverB to outbind serverC.
Since serverA serial was greater than serverB , serverC can get dns update data from serverA but cannot get update from serverB.
How to deal with this serial problem , can anyone give some advice?


2014-09-16 16:10:44
From: Emil Natan
Date: 2014-08-24 21:20
To: gaolei
CC: opendnssec-user
Subject: Re: [Opendnssec-user] About High Availablity for OpenDNSSEC

On Sun, Aug 24, 2014 at 3:59 PM, gaolei <gaolei at knet.cn> wrote:

Hi all,

From KNET , I notice there is a topic about opendnssec High Availablity at https://wiki.opendnssec.org/display/DOCS/High+availability 

But I was a little puzzled by this page.

It mentioned about master/slave like this:
Careful consideration should be given to which, if any, process are run on a slave (or on each master in a Master-Master) configuration. Some operators don't run either the enforcer or the signer on a slave instance but merely duplicate the data between the two instances in a timely fashion. Others run two master servers, both enforcing and signing but only publishing from an 'active' master.

I'm wondering what will happen to the rollover of keys if we make a master-master deployment.
1.Mysql used to store keys data , and
2.HSM machine employed to generate keys , and
3.Two opendnssec instances running on seperate servers for the same zone
Will the two opendnssec instances generate different keys for the same zone? If so , it seems as if it will bring troubles when the 'active' master is down ?

Yes, the two instances will generate different keys and that will cause problems on switching between the two signers. It's not clear if you plan to use separate HSM for each of the ODS instances, but what you generally do is pre-generate keys and have them synced in case of two HSMs. The MySQL on both signers should be in sync, the HSM key mapping files as well so basically the two signers sign the zone using the same keys.
Here is  another thread of the mailing list discussing HA.



Can anyone give more suggestions on the High Availablity of opendnssec ?

Best Regards!

2014-08-24 18:05:37

Opendnssec-user mailing list
Opendnssec-user at lists.opendnssec.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20140916/3db1de81/attachment.html>

More information about the Opendnssec-user mailing list