Hi Klaus, 

You are correct - the OpenDNSSEC implementation assumes only one signer 
daemon. 

If your use case is High availability then have a look at our documentation 
pages:

- this has a couple of presentations on High availability user configurations 
including one from CIRA
https://wiki.opendnssec.org/display/USERDOCREF/OpenDNSSEC+User+Reference+Material

- this is a very general page on things to consider when running in High 
availability mode (and is still under construction)
https://wiki.opendnssec.org/display/DOCS/High+availability

Regards

Sara.

On 8 Jul 2013, at 16:53, Joe Abley wrote:

> Hi Klaus,
> 
> On 2013-07-08, at 09:13, Klaus Darilion <klaus.mailingli...@pernau.at> wrote:
> 
>> I want to sign a certain zone multiple times: 1x the original zone + 1x a 
>> modified "backup" zone (change SOA serial and maybe some other records)
> 
> CIRA's signing infrastructure with .CA provides some experience for a 
> somewhat similar setup. CIRA uses OpenDNSSEC to manage the key policy, and 
> the identities of the keys required to make signature are extracted from the 
> live policy in order to do their parallel signing with BIND9 (they sign with 
> multiple signers and compare the results before publication).
> 
> You could do similar -- extract the key identities from ODS, modify the 
> unsigned zone automagically to your requirements and use the BIND9 tools to 
> sign it with the appropriate keys.
> 
> In addition to whatever risks you are mitigating by having the standby signed 
> zone ready for publication, this would also give you an independent 
> implementation (so, e.g., if there ever turns out to be a problem in the ODS 
> signer you have an independently-signed zone to give you some extra comfort).
> 
> 
> Joe
> 
> _______________________________________________
> Opendnssec-user mailing list
> Opendnssec-user@lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
