Hi Thomas,

> we are planning to have several signing machines with HSMs
> for redundancy.
> I found earlier discussion, that copying (dumping) kasp.db is enough
> (assuming config files are identical and HSMs have identical
> pregenerated keys) to have second opendnssec machine ready to take over
> signing.

We use MySQL replication for the KASP database, so we normally have pretty-near-live updates. Note that earlier versions of the KASP would not work under MySQL's autoincrement-by-N setup as is used for multi-master-mode-MySQL.

> However, I wonder if opendnssec rolls/uses pregenerated keys from HSM in
> defined order (i.e. picks key in alphabetical order), if so it should be
> possible to start two instances (with same configs, same keys in their
> HSMs) and the same keys should be picked when both opendnssec instances
> roll?

How do you establish those duplicated keys? Are you using an HSM that does replicate keys, but that does not provide one integrated PKCS #11 service?

> Would such setup work, or would different opendnssec instances pick
> their next keys at random and go out of sync?

You should think about the signatures as well. Are you generating those only on one machine at a time? (The other being a hot standby?) If both are actively signing, they might interface. The signatures generated could have slightly different timing AFAIK, due to the variations implemented to spread the computational load. Two KASP instances are likely to have different timing.

With DSA, the signature involves some random material. Since the private DSA key can be derived if you could replay that randomness for two different signatures, you should not try to sync this random material if your life depended on it -- then better avoid DSA and use RSA instead, which is also a better idea than DSA anyway, for bitlength-scalable security and faster resolving.

Hope this helps,
-Rick

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
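Rick's warning about the DSA random material, as an added example that is not from this thread or from OpenDNSSEC: a textbook DSA over a constructed toy group, showing that two signatures produced with the same per-signature nonce k let anyone holding only public data recover the private key, which is why two signing instances must never share that randomness. The group parameters, key, nonce, record strings and the helper names (`sign`, `verify`, `recover_private_key`, `demo`) are all this example's own constructions.

```python
import hashlib
import secrets

# Constructed toy DSA group for illustration only (assumption, not real parameters):
# P is prime, Q = 1019 is a prime dividing P - 1, and G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4
assert (P - 1) % Q == 0 and G != 1 and pow(G, Q, P) == 1

def h(msg):
    """Hash the message and reduce it into Z_Q (toy-sized truncation of SHA-256)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def keygen(x=None):
    """Private key x in [1, Q-1] (random unless given), public key y = G^x mod P."""
    x = x if x is not None else secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sign(x, msg, k=None):
    """DSA signature (r, s). k is the per-signature nonce: fresh and secret every time.
    A caller-supplied k stands in for two instances that 'synced' their randomness."""
    while True:
        kk = k if k is not None else secrets.randbelow(Q - 1) + 1
        r = pow(G, kk, P) % Q
        s = (pow(kk, -1, Q) * (h(msg) + x * r)) % Q if r else 0
        if r and s:
            return r, s
        if k is not None:
            return None  # the fixed nonce happened to give an invalid signature

def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    v = ((pow(G, h(msg) * w % Q, P) * pow(y, r * w % Q, P)) % P) % Q
    return v == r

def recover_private_key(m1, sig1, m2, sig2):
    """Two signatures sharing r (same k) over different hashes leak x:
    k = (h1 - h2) / (s1 - s2) mod Q, then x = (s1 * k - h1) / r mod Q."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or (s1 - s2) % Q == 0:
        return None  # different nonces (or equal hashes): nothing to solve
    k = (h(m1) - h(m2)) * pow((s1 - s2) % Q, -1, Q) % Q
    return (s1 * k - h(m1)) * pow(r1, -1, Q) % Q

def demo():
    """Constructed scenario: one key, two zone records, both signed with nonce k = 7."""
    x, y = keygen(42)
    pool = [b"example. IN SOA ns1.example. hostmaster.example. 2024010100",
            b"example. IN NS ns1.example.", b"example. IN MX 10 mail.example.",
            b"www.example. IN A 192.0.2.10"]
    signed = [(m, sig) for m in pool if (sig := sign(x, m, 7)) is not None]
    (m1, s1), (m2, s2) = next((a, b) for a in signed for b in signed if h(a[0]) != h(b[0]))
    assert verify(y, m1, s1) and verify(y, m2, s2)
    return {"x": x, "same_r": s1[0] == s2[0], "recovered": recover_private_key(m1, s1, m2, s2)}
```

With a fresh random k per call, `sign` yields a different r each time and `recover_private_key` returns None, which is the behaviour two independent signers must keep.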
