On 20/01/2012 10:50, Siôn Lloyd wrote:
> One other thing to worry about is the human interaction required at
> rollover time; specifically issuing the "ds-seen" command on KSK roll.
> This is a time when the 2 systems could/will get out of sync; it is also
> the time when this could be most problematic.

Since KSK roll is rare and needs manual work anyway, I think we can
fully re-sync instances (copy kasp.db etc.) then and continue.

Currently we have two replicated registry back-end systems,
to which we plan to directly attach signing servers with HSM cards
(Utimaco) (with hundreds of keys pregenerated and cloned).

The second signing server should be ready to sign in case of a registry
system switchover; however, we don't need to reuse signatures (a full zone
resign is fine).

I would prefer to avoid replicating OpenDNSSEC servers, to keep it
simpler and have identical zone-in-zone-out sign boxes, so that I can
just replace one with the other in case of hw failure etc.

Thanks all for the information.