On 12/04/13 02:57, Rick van Rein (OpenFortress) wrote:
> Hello Ville,

Hi Ville, Rick,

>> What would be a proper way to snapshot the signing state of a zone
>> from a server running OpenDNSSEC 1.4?
>
> If you mean the state of the ods-signer process, you do not need to
> replicate it. It is perfectly safe to re-sign the zone as long as
> you use the same key set. This means that you need to use the same
> signconf process, which in turn means that the KASP database should
> be replicated. And that should be all you need to do.

Agreed with Rick about no need to replicate the signer status.

Our setup has two signers, one active, one hot stand-by. The active sends a dump of the KASP, and a copy of all signconf files, to the hot-standby. Zones are signed in both places at the same time, but only picked for publishing from the active one. There is also a set of sanity checks around the resulting zones, to ensure they are similar enough (signed with the same keys, no missing keys, no signatures with keys not present, signature inception/expiry in the same ranges, etc.).

To keep the consistency, we run the enforcer manually once a day, and after that run, the KASP is synchronized.

The signing policy for the SOA is to keep, so the unsigned zone controls the serial number.

> The only place where this scheme could get into trouble is with SOA
> serial numbers, which would normally be resolved with the next day's
> signing. Not sure how dynamic you need to be around a calamity.
> Note that this last SOA value could be found in public space, namely
> your authoritative name servers, so there is no real need for
> replicating it `hot'.
>
>> Is there going to be something like 'ods-signer snapshot <zone>
>> <serial>' suitable for this purpose? Or possibly have ods-signerd
>> export the snapshot automatically in a spool file for NotifyCommand
>> to consume?
>
> I don't understand this fully, but I'm intrigued. What exactly
> should these do?
>
>> Note: A hot standby might not need a fully exact and complete
>> snapshot of OpenDNSSEC state. We just need a hot standby ready to
>> (be manually activated to) carry on signing the zones from the
>> point of last _published_ version of the zones, should the primary
>> server fail at any given time.
>
> That's how we also set it up, http://dnssec.surfnet.nl/
>
> Hope this helps.

I hope this helps as well :)

Regards,

--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
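Sebastian describes sanity checks that compare the zone signed on the active signer with the copy signed on the hot standby (same key tags, no missing signatures, inception/expiry in the same ranges). The following is an added illustration of such a check, not code from the thread or from OpenDNSSEC; it parses RRSIG records from presentation-format zone text and reports the differences. The sample zones, key tags and signature strings are constructed, and the one-hour skew tolerance is an assumption.

```python
"""Compare the RRSIGs of two independently signed copies of one zone."""
from collections import defaultdict
from datetime import datetime, timezone

TS = "%Y%m%d%H%M%S"  # RRSIG timestamp format in zone-file presentation


def parse_rrsigs(zone_text):
    """Return {(owner, type_covered): {keytag: (inception, expiration)}}.
    Assumes one RRSIG per line; other records and comments are ignored."""
    sigs = defaultdict(dict)
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 12 or f[3] != "RRSIG":
            continue
        # fields: owner ttl class RRSIG covered alg labels ottl exp inc keytag signer sig
        expiration = datetime.strptime(f[8], TS).replace(tzinfo=timezone.utc)
        inception = datetime.strptime(f[9], TS).replace(tzinfo=timezone.utc)
        sigs[(f[0], f[4])][int(f[10])] = (inception, expiration)
    return sigs


def compare_signed_zones(active_text, standby_text, max_skew=3600):
    """Return a list of discrepancies; an empty list means the copies agree."""
    a, s = parse_rrsigs(active_text), parse_rrsigs(standby_text)
    problems = []
    for rrset in sorted(set(a) | set(s)):
        if rrset not in s or rrset not in a:
            problems.append(f"{rrset}: RRSIG missing on {'standby' if rrset not in s else 'active'}")
        elif set(a[rrset]) != set(s[rrset]):
            problems.append(f"{rrset}: key tags differ {sorted(a[rrset])} vs {sorted(s[rrset])}")
        else:
            for tag, (a_inc, a_exp) in a[rrset].items():
                s_inc, s_exp = s[rrset][tag]
                skew = max(abs((a_inc - s_inc).total_seconds()), abs((a_exp - s_exp).total_seconds()))
                if skew > max_skew:
                    problems.append(f"{rrset}: validity window for key {tag} differs by {skew:.0f}s")
    return problems


# Constructed sample zones (placeholder key tags and signature data, not real).
ACTIVE_ZONE = """\
example.nz. 3600 IN RRSIG SOA 8 2 3600 20130420000000 20130412000000 12345 example.nz. c2lnMQ==
example.nz. 3600 IN RRSIG NS 8 2 3600 20130420000000 20130412000000 12345 example.nz. c2lnMg==
example.nz. 3600 IN RRSIG DNSKEY 8 2 3600 20130420000000 20130412000000 54321 example.nz. c2lnMw==
"""
STANDBY_ZONE = """\
example.nz. 3600 IN RRSIG SOA 8 2 3600 20130420003000 20130412003000 12345 example.nz. c2lnNA==
example.nz. 3600 IN RRSIG NS 8 2 3600 20130420000000 20130412000000 11111 example.nz. c2lnNQ==
"""
```

Running `compare_signed_zones(ACTIVE_ZONE, STANDBY_ZONE)` flags the missing DNSKEY signature and the NS RRset signed with a different key, while the 30-minute offset on the SOA signature stays within tolerance.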
