Hello, we are planning to have several signing machines with HSMs for redundancy. I found an earlier discussion saying that copying (dumping) kasp.db is enough (assuming the config files are identical and the HSMs have identical pregenerated keys) to have a second opendnssec machine ready to take over signing.
However, I wonder if opendnssec rolls/uses pregenerated keys from the HSM in a defined order (i.e. picks keys in alphabetical order). If so, it should be possible to start two instances (with the same configs and the same keys in their HSMs), and the same keys should be picked when both opendnssec instances roll? Would such a setup work, or would different opendnssec instances pick their next keys at random and go out of sync?

Regards,
Tomas
