On 12/04/13 08:48, Rick van Rein (OpenFortress) wrote:
> Hello,

Hi Rick,

>> Agreed with Rick about no need to replicate the signer status. Our setup
>> has two signers, one active, one hot stand-by. The active sends a dump
>> of the KASP, and a copy of all signconf files to the hot-standby. Zones
>> are signed in both places at the same time, but only picked for
>> publishing from the active one.
>
> Ah, your standby is hotter than ours :) because we don't let the signer or
> enforcer run on the second.

Not quite then, because we run the signer in both, but the enforcer only in the active signer... so let's call it "mild" :)

>> There are also a set of sanity checks around the resulting zones, to
>> ensure they are similar enough (signed with the same keys, no missing
>> keys, signatures with keys not present, signature inception/expiry in
>> the same ranges, etc).
>
> Wow, interesting. Maybe good to describe somewhere in the userspace of the
> Wiki?

We started with ideas from ldns-compare-zone, plus a couple of local tweaks to account for different inception/expiration times in the signatures.

>> To keep the consistency, we run the enforcer manually once a day, and
>> after that run, the KASP is synchronized.
>
> Neat trick. We use MySQL replication to get the database state across
> instantly.

We didn't want to use MySQL to keep things closely tied (one less port to open). We might be interested if the KASP could run over PostgreSQL.

> This is also (scratch my head and try to recall details) why we run only one
> of the components at the same time -- our servers are run as master/master so in
> theory they should be able to update each other. MySQL has facilities for
> auto-incrementing with suitable steps to make that work reliably. But we
> found in the past that OpenDNSSEC had its own ideas about that. I am not sure if
> this has been resolved -- or if we ever filed it as a bug...
>
>> The signing policy for the SOA is to keep, so the unsigned zone controls
>> the serial number.
>
> Cheers,
> -Rick

Cheers,
--
Sebastian Castro
DNS Specialist
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
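The active/standby consistency checks Sebastian describes (same DNSKEY set in both copies, no RRSIG made with a key that is absent, signature inception/expiry within a tolerance) as an added Python example; this is not the .nz tooling, ldns-compare-zone or OpenDNSSEC code. The minimal zone lines, the dummy key material and the one-hour tolerance are constructed assumptions.

```python
import base64
import struct
from datetime import datetime, timezone

def key_tag(flags, proto, alg, pubkey_b64):
    # RFC 4034 Appendix B key tag over the DNSKEY RDATA (flags, protocol, alg, key)
    rdata = struct.pack("!HBB", flags, proto, alg) + base64.b64decode(pubkey_b64)
    ac = sum(b << 8 if i % 2 == 0 else b for i, b in enumerate(rdata))
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def parse_zone(text):
    # Minimal presentation-format parser: only DNSKEY and RRSIG lines matter here.
    ts = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    keys, sigs = set(), {}
    for line in text.strip().splitlines():
        f = line.split()
        if f[3] == "DNSKEY":
            keys.add(key_tag(int(f[4]), int(f[5]), int(f[6]), "".join(f[7:])))
        elif f[3] == "RRSIG":
            # owner, covered type and key tag identify a signature across both copies
            sigs[(f[0], f[4], int(f[10]))] = (ts(f[9]), ts(f[8]))  # (inception, expiry)
    return keys, sigs

def compare_signed_zones(zone_a, zone_b, tolerance_s=3600):
    """Return a list of discrepancies; an empty list means the copies are consistent."""
    problems = []
    (ka, sa), (kb, sb) = parse_zone(zone_a), parse_zone(zone_b)
    if ka != kb:
        problems.append(f"DNSKEY sets differ, tags only in one copy: {sorted(ka ^ kb)}")
    for label, keys, sigs in (("active", ka, sa), ("standby", kb, sb)):
        for owner, rtype, tag in sigs:
            if tag not in keys:
                problems.append(f"{label}: RRSIG {owner} {rtype} made with absent key tag {tag}")
    for sig in set(sa) | set(sb):
        if sig not in sa or sig not in sb:
            problems.append(f"signature present in only one copy: {sig}")
            continue
        for field, ta, tb in zip(("inception", "expiry"), sa[sig], sb[sig]):
            drift = abs((ta - tb).total_seconds())
            if drift > tolerance_s:
                problems.append(f"{sig}: {field} differs by {drift:.0f}s (> {tolerance_s}s)")
    return problems

# Constructed sample copies; the keys are tiny dummies, not real DNSSEC key material.
ACTIVE = """example.nz. 3600 IN DNSKEY 257 3 8 AQID
example.nz. 3600 IN DNSKEY 256 3 8 BAU=
example.nz. 3600 IN RRSIG SOA 8 2 3600 20130501000000 20130401000000 2061 example.nz. c2ln
example.nz. 3600 IN RRSIG DNSKEY 8 2 3600 20130501000000 20130401000000 2059 example.nz. c2ln"""
STANDBY = ACTIVE.replace("20130401000000 2061", "20130401003000 2061")  # 30 min SOA RRSIG drift
```

`compare_signed_zones(ACTIVE, STANDBY)` returns an empty list because the 30-minute inception drift is inside the tolerance; dropping a DNSKEY from one copy or shifting an inception by a day produces findings.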
