On Fri, 20 Jan 2012, Tomas Simonaitis wrote:

> We are planning to have several signing machines with HSMs
> for redundancy.
> I found an earlier discussion that copying (dumping) kasp.db is enough
> (assuming config files are identical and HSMs have identical
> pregenerated keys) to have a second OpenDNSSEC machine ready to take over
> signing.
>
> However, I wonder if OpenDNSSEC rolls/uses pregenerated keys from the HSM in
> a defined order (i.e. picks keys in alphabetical order); if so, it should be
> possible to start two instances (with the same configs and the same keys in their
> HSMs), and the same keys should be picked when both OpenDNSSEC instances
> roll?
> Would such a setup work, or would different OpenDNSSEC instances pick
> their next keys at random and go out of sync?

It picks it based on age, so it should be the same on multiple
instances, provided you copy everything. In my tests, I copied:

/etc/opendnssec
/var/opendnssec
/root/Keyper  (for the hardware HSM I used in this setup)

Then of course you also need to use the HSM vendor procedure for copying
the HSM content from one unit to the backup unit.

Paul
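An added example, not code from the thread: a small POSIX shell check that builds a sorted SHA-256 manifest of the directories Paul copied (/etc/opendnssec, /var/opendnssec and his Keyper directory) under a given root and compares two roots, so a standby signer can be verified against the primary before it is trusted to take over. The root argument is an assumption introduced here so the check can run against staged copies (e.g. rsync'd trees) rather than only the live paths; it cannot verify the HSM contents themselves, which still have to be synchronised with the vendor procedure.

```shell
#!/bin/sh
# Added example; not part of the original thread or of OpenDNSSEC.
# Directories named by Paul; the Keyper path is specific to his HSM.
ODS_DIRS="etc/opendnssec var/opendnssec root/Keyper"

# SHA-256 of one file, using whichever tool the host provides.
digest() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"
  else shasum -a 256 "$1"; fi | cut -d' ' -f1
}

# Sorted "<sha256>  <relative path>" manifest of every file under the
# OpenDNSSEC directories below ROOT (use "/" for the live system).
ods_manifest() {
  root=${1%/}
  for d in $ODS_DIRS; do
    [ -d "$root/$d" ] || continue          # e.g. no Keyper dir on a soft-HSM host
    find "$root/$d" -type f | sort | while IFS= read -r f; do
      printf '%s  %s\n' "$(digest "$f")" "${f#"$root/"}"
    done
  done
}

# Returns 0 when both roots hold byte-identical copies of every listed file
# (kasp.db included), 1 otherwise, printing the differing manifest lines.
# The HSM key material itself is outside what this can see.
ods_compare() {
  a=$(ods_manifest "$1")
  b=$(ods_manifest "$2")
  if [ "$a" = "$b" ]; then
    echo "in sync: $1 and $2 hold identical OpenDNSSEC state"
    return 0
  fi
  echo "DRIFT between $1 and $2:"
  ta=$(mktemp); tb=$(mktemp)
  printf '%s\n' "$a" > "$ta"; printf '%s\n' "$b" > "$tb"
  diff "$ta" "$tb" || true
  rm -f "$ta" "$tb"
  return 1
}

# Usage: ./ods-sync-check.sh /mnt/primary-copy /mnt/standby-copy
[ $# -eq 2 ] && ods_compare "$1" "$2"
```

Because OpenDNSSEC picks the next key by age rather than by name, an identical kasp.db is what keeps two instances choosing the same key; this check confirms that precondition but not that both HSMs actually hold the referenced keys.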
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user