Hello,

> Agreed with Rick about no need to replicate the signer status. Our setup
> has two signers, one active, one hot stand-by. The active sends a dump
> of the KASP, and a copy of all signconf files to the hot-standby. Zones
> are signed in both places at the same time, but only picked for
> publishing from the active one.

Ah, your standby is hotter than ours :) because we don't let the signer or enforcer run on the second.

> There are also a set of sanity checks around the resulting zones, to
> ensure they are similar enough (signed with the same keys, no missing
> keys, signatures with keys not present, signature inception/expiry in
> the same ranges, etc).

Wow, interesting. Maybe good to describe somewhere in the userspace of the Wiki?

> To keep the consistency, we run the enforcer manually once a day, and
> after that run, the KASP is synchronized.

Neat trick. We use MySQL replication to get the database state across instantly. This is also (scratch my head and try to recall details) why we run only one of the components at the same time -- our servers are run as master/master so in theory they should be able to update each other. MySQL has facilities for auto-incrementing with suitable steps to make that work reliably. But we found in the past that OpenDNSSEC had its own ideas about that. I am not sure if this has been resolved -- or if we ever filed it as a bug...

> The signing policy for the SOA is to keep, so the unsigned zone controls
> the serial number.

Cheers,
-Rick

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
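The sanity checks the quoted message describes for two independently signed copies of a zone, as an added illustration that is not part of the thread and not OpenDNSSEC's own tooling. It parses two signed copies in presentation format (the zone records and key material below are constructed and deliberately tiny), recomputes DNSKEY key tags per RFC 4034 Appendix B, and reports the mismatches the message lists: differing DNSKEY sets, RRSIGs made with a key that is not in the DNSKEY RRset, RRsets signed with different keys in the two copies, and inception/expiry windows further apart than a tolerance. It also checks that both copies carry the same SOA serial, which follows from the "keep" SOA policy mentioned at the end. The six-hour tolerance and the record layout are assumptions.

```python
"""Compare two signed copies of the same zone (active vs. hot standby).

Constructed illustration: the records, key material and tolerance below are
made up; only the key tag computation follows RFC 4034 Appendix B.
"""
import base64
from datetime import datetime, timedelta
from typing import NamedTuple


class Sig(NamedTuple):
    owner: str
    covered: str
    expiration: datetime
    inception: datetime
    keytag: int


def key_tag(flags: int, protocol: int, algorithm: int, pubkey_b64: str) -> int:
    """RFC 4034 Appendix B key tag over the wire-format DNSKEY RDATA."""
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y%m%d%H%M%S")


def parse_signed_zone(text: str) -> dict:
    """Extract SOA serial, DNSKEY key tags and RRSIGs (grouped by RRset)."""
    zone = {"serial": None, "dnskeys": {}, "sigs": {}}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        f = line.split()
        owner, rtype, rdata = f[0], f[3], f[4:]
        if rtype == "SOA":
            zone["serial"] = int(rdata[2])
        elif rtype == "DNSKEY":
            flags, proto, alg, key = int(rdata[0]), int(rdata[1]), int(rdata[2]), "".join(rdata[3:])
            zone["dnskeys"][key_tag(flags, proto, alg, key)] = (flags, alg)
        elif rtype == "RRSIG":
            # RRSIG RDATA: type covered, alg, labels, orig TTL, expiration, inception, key tag, signer, sig
            sig = Sig(owner, rdata[0], _ts(rdata[4]), _ts(rdata[5]), int(rdata[6]))
            zone["sigs"].setdefault((owner, rdata[0]), []).append(sig)
    return zone


def compare_signed_copies(active_text: str, standby_text: str,
                          max_skew: timedelta = timedelta(hours=6)) -> list:
    """Return a list of findings; an empty list means the copies are consistent."""
    a, b = parse_signed_zone(active_text), parse_signed_zone(standby_text)
    findings = []
    if a["serial"] != b["serial"]:
        findings.append(f"SOA serial differs: active {a['serial']} vs standby {b['serial']}")
    if a["dnskeys"] != b["dnskeys"]:
        findings.append(f"DNSKEY sets differ: {sorted(a['dnskeys'])} vs {sorted(b['dnskeys'])}")
    # Signatures made with a key that is not published in that copy's DNSKEY RRset
    for name, z in (("active", a), ("standby", b)):
        for sigs in z["sigs"].values():
            for s in sigs:
                if s.keytag not in z["dnskeys"]:
                    findings.append(f"{name}: RRSIG over {s.owner} {s.covered} uses key tag "
                                    f"{s.keytag} not in DNSKEY RRset")
    # Same RRsets signed, with the same keys, within the same validity windows
    for rrset in sorted(set(a["sigs"]) | set(b["sigs"])):
        sa, sb = a["sigs"].get(rrset), b["sigs"].get(rrset)
        if sa is None or sb is None:
            findings.append(f"{rrset[0]} {rrset[1]} signed only in {'active' if sa else 'standby'}")
            continue
        if {s.keytag for s in sa} != {s.keytag for s in sb}:
            findings.append(f"{rrset[0]} {rrset[1]} signed with different keys in the two copies")
            continue
        for x, y in zip(sorted(sa, key=lambda s: s.keytag), sorted(sb, key=lambda s: s.keytag)):
            if abs(x.inception - y.inception) > max_skew or abs(x.expiration - y.expiration) > max_skew:
                findings.append(f"{rrset[0]} {rrset[1]} key {x.keytag}: validity windows differ "
                                f"by more than {max_skew}")
    return findings


# Constructed sample zones. Key material is a few bytes (not real ECDSA keys);
# the key tags 3603 (KSK) and 2063 (ZSK) are what RFC 4034 yields for it.
ZONE_ACTIVE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010101 7200 900 1209600 3600
example.test. 3600 IN DNSKEY 257 3 13 BAUG ; constructed KSK
example.test. 3600 IN DNSKEY 256 3 13 AQID ; constructed ZSK
example.test. 3600 IN RRSIG DNSKEY 13 2 3600 20240115000000 20240101000000 3603 example.test. c2ln
example.test. 3600 IN RRSIG SOA 13 2 3600 20240115000000 20240101000000 2063 example.test. c2ln
www.example.test. 300 IN A 192.0.2.10
www.example.test. 300 IN RRSIG A 13 3 300 20240115000000 20240101000000 2063 example.test. c2ln
"""
# Healthy standby: same keys and serial, signatures made an hour later.
ZONE_STANDBY_OK = ZONE_ACTIVE.replace("20240115000000", "20240115010000").replace("20240101000000", "20240101010000")
# Broken standby: serial drifted and the A RRset is signed with an unpublished key.
ZONE_STANDBY_BAD = ZONE_ACTIVE.replace("2024010101 7200", "2024010102 7200").replace(
    "300 20240115000000 20240101000000 2063", "300 20240115000000 20240101000000 9999")

if __name__ == "__main__":
    for label, copy in (("ok", ZONE_STANDBY_OK), ("bad", ZONE_STANDBY_BAD)):
        print(label, compare_signed_copies(ZONE_ACTIVE, copy) or "consistent")
```

Run it as a script to see the healthy pair report "consistent" and the broken pair report the serial drift and the unpublished signing key twice (once as a dangling key tag, once as a per-RRset key mismatch). In a real deployment the inputs would be the two signers' output files and the tolerance would be derived from the policy's signature jitter.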
