Hi,

What would be a proper way to snapshot the signing state of a zone from a server running OpenDNSSEC 1.4?
The goal is to set up a hot standby signing server to which the necessary zone signing state is copied every time a zone has been signed on the active server, before the signed zone is published in DNS. A picture of our planned hot standby setup: https://info.funet.fi/wiki/display/avoin/Funet+DNSSEC+signer+hot+standby+redundancy

Our zone management system can provide the unsigned zone data with NOTIFY+IXFR/AXFR only. Thus we'd prefer feeding the zone data to the active signer server using the DNS Input Adapter of OpenDNSSEC 1.4. Zone changes arrive at the primary signer at random times: whenever a person using the zone management tool commits a change. Thus ods-signerd must be running all the time to avoid losing NOTIFYs and causing unnecessary delays to propagation of the change to DNS.

Multiple updates for a single zone z1 can arrive within a short time, and Enforcer might also initiate e.g. a key roll-over near an incoming update; the signing process of zone z1 change #2 could (could it really?) start before NotifyCommand of zone z1 change #1 has completed. Thus if for example NotifyCommand of change #1 grabs a copy of /var/opendnssec/tmp/z1.backup2 (which seems to have the inbound/internal/outbound serials necessary for DNS Input Adapter operation) and a dump of the KASP database (which seems to contain key roll-over state and timing), we cannot know whether they represent the zone's signing state at completion of change #1 or possibly that of change #2. Right?

Is there going to be something like 'ods-signer snapshot <zone> <serial>' suitable for this purpose? Or possibly have ods-signerd export the snapshot automatically in a spool file for NotifyCommand to consume?

Note: A hot standby might not need a fully exact and complete snapshot of OpenDNSSEC state. We just need a hot standby ready to (be manually activated to) carry on signing the zones from the point of the last _published_ version of the zones, should the primary server fail at any given time.
BTW, I wasn't able to find instructions for system backup and recovery in the v1.4 documentation: the Backup section on page https://wiki.opendnssec.org/display/DOCSTRUNK/Quick+guides is empty and https://wiki.opendnssec.org/display/DOCSTRUNK/Running+OpenDNSSEC doesn't cover it either.

Thanks,
Ville Mattila
CSC/Funet

PS. We could of course set up e.g. NSD or BIND on the signer servers to receive the updates from the zone management system, and have e.g. a cron job or inotify listener to (a) check which zones have received updates and run 'ods-signer sign <zone>' commands and (b) run ods-enforcerd for example once every hour if necessary for rolling keys (not sure if that's necessary). But I hope there's a simpler OpenDNSSEC-native way.

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
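The race the post describes (a snapshot taken by NotifyCommand for change #1 that in fact reflects change #2) can at least be detected, even if not fully closed from outside the signer, by tagging every snapshot with the serial it is supposed to represent and refusing to commit it when the signed zone file no longer carries that serial. The POSIX shell script below is an added illustration, not code from the post or from the OpenDNSSEC project. It assumes that NotifyCommand can hand the script the zone name and the signed zone file (OpenDNSSEC's %zone and %zonefile substitutions), that the caller knows which serial it expects, and that the per-zone signer state is the file <zone>.backup2 under STATE_DIR; the snapshot directory layout, the SERIAL marker file and the default paths are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the mailing-list post or from OpenDNSSEC.
# Assumed layout (placeholders): signer state in STATE_DIR/<zone>.backup2,
# snapshots written as SNAP_ROOT/<zone>.<serial>/ with a SERIAL marker file.
STATE_DIR="${STATE_DIR:-/var/opendnssec/tmp}"
SNAP_ROOT="${SNAP_ROOT:-/var/opendnssec/snapshots}"

# soa_serial FILE: print the SOA serial of a presentation-format zone file.
# Accepts the single-line SOA and the multi-line "( ... )" form, strips
# ';' comments, and ignores the "RRSIG SOA" line a signed zone also contains.
soa_serial() {
    awk '
        /^[ \t]*;/ { next }
        { sub(/;.*/, "") }
        inso { buf = buf " " $0; if ($0 ~ /\)/) done = 1 }
        !inso && $0 !~ /RRSIG/ && $0 ~ /[ \t]SOA[ \t]/ {
            buf = $0; inso = 1
            if ($0 !~ /\(/ || $0 ~ /\)/) done = 1
        }
        done {
            gsub(/[()]/, " ", buf)
            n = split(buf, f)
            # after the SOA keyword come mname, rname, serial
            for (i = 1; i <= n; i++) if (f[i] == "SOA") { print f[i + 3]; exit }
        }
    ' "$1"
}

# snapshot_zone ZONE SIGNED_FILE EXPECTED_SERIAL
# Commit a serial-tagged snapshot of the zone's signer state, but only while
# the signed zone file still carries EXPECTED_SERIAL. If a later change has
# already overtaken this notification, the copy would be mislabelled, so it
# is refused (exit status 1) and nothing is left behind for the standby.
snapshot_zone() {
    zone=$1; signed=$2; expected=$3
    actual=$(soa_serial "$signed")
    if [ "$actual" != "$expected" ]; then
        echo "snapshot: $zone: signed file has serial '$actual', expected $expected; refusing" >&2
        return 1
    fi
    tmp="$SNAP_ROOT/$zone.$expected.tmp.$$"
    dest="$SNAP_ROOT/$zone.$expected"
    mkdir -p "$tmp" || return 1
    cp "$signed" "$tmp/signed.zone" || return 1
    # The signer state file is copied when present (assumed name, see above).
    if [ -f "$STATE_DIR/$zone.backup2" ]; then
        cp "$STATE_DIR/$zone.backup2" "$tmp/" || { rm -rf "$tmp"; return 1; }
    fi
    # Re-check after copying: the serial may have moved while we were busy.
    if [ "$(soa_serial "$signed")" != "$expected" ]; then
        rm -rf "$tmp"
        echo "snapshot: $zone: serial changed during copy; discarded" >&2
        return 1
    fi
    echo "$expected" > "$tmp/SERIAL"
    # Atomic rename: the standby only ever sees complete snapshot directories.
    mv "$tmp" "$dest"
}
```

The serial tag is what lets the standby do what the post asks for: when it is activated, it takes the SOA serial currently published in DNS and restores the snapshot directory carrying exactly that serial, rather than whatever happened to be copied last. The check-copy-recheck sequence narrows the window the post worries about but does not close it, since the signer can still rewrite its state between the final check and the rename; a snapshot exported by ods-signerd itself at the end of a signing run, as the post suggests, is the only way to make it exact.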
