On 20/01/12 07:09, Tomas Simonaitis wrote:
Hello,

we are planning to have several signing machines with HSMs
for redundancy.
I found earlier discussion, that copying (dumping) kasp.db is enough
(assuming config files are identical and HSMs have identical
pregenerated keys) to have second opendnssec machine ready to take over
signing.

However, I wonder if opendnssec rolls/uses pregenerated keys from HSM in
defined order (i.e. picks key in alphabetical order), if so it should be
possible to start two instances (with same configs, same keys in their
HSMs) and the same keys should be picked when both opendnssec instances
roll?
Would such a setup work, or would different opendnssec instances pick
their next keys at random and go out of sync?


When the enforcer picks a new key to add to a zone it uses the one with the lowest id (the primary key created by the database when the keypair is generated, not the cka_id).

So, with one zone this is deterministic... However, if multiple zones are being signed then it is possible that on one machine they are seen in a different order to the other.

This can be mitigated by having a different policy per zone (even if they are identical apart from their names). In that case the keys are created for the policy and not shared between them.

One other thing to worry about is the human interaction required at rollover time; specifically issuing the "ds-seen" command on KSK roll. This is a time when the 2 systems could/will get out of sync, it is also the time when this could be most problematic.

Sion
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
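The selection rule in Sion's reply (lowest database id first, shared between zones of the same policy, so the order in which zones are processed decides which zone gets which key) can be checked with a small model. The following is an added simulation written for this thread, not OpenDNSSEC enforcer code; the key database, zone names and policy names are constructed, and `allocate_keys` models only the behaviour the reply describes. It runs two machines that start from an identical copied kasp.db but walk their zones in a different order, first with one shared policy and then with one policy per zone.

```python
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class Key:
    key_id: int    # kasp.db primary key, assigned in generation order
    cka_id: str    # HSM object label; not used when picking a key
    policy: str    # policy the key was pre-generated for


def make_key_db(policies: Sequence[str], per_policy: int) -> List[Key]:
    """Constructed kasp.db contents, identical on both signing machines."""
    keys: List[Key] = []
    next_id = 1
    for policy in policies:
        for n in range(per_policy):
            keys.append(Key(next_id, f"{policy}-cka-{n}", policy))
            next_id += 1
    return keys


def allocate_keys(key_db: Sequence[Key], zone_order: Sequence[str],
                  zone_policy: Dict[str, str]) -> Dict[str, int]:
    """Modelled selection: each zone takes the lowest-id unused key of its policy.

    Returns zone -> key_id so two machines' results can be compared directly.
    """
    in_use = set()
    assigned: Dict[str, int] = {}
    for zone in zone_order:
        policy = zone_policy[zone]
        candidate = min(
            (k for k in key_db if k.policy == policy and k.key_id not in in_use),
            key=lambda k: k.key_id,
            default=None,
        )
        if candidate is None:
            raise RuntimeError(f"no pregenerated key left for policy {policy}")
        in_use.add(candidate.key_id)
        assigned[zone] = candidate.key_id
    return assigned


def in_sync(key_db: Sequence[Key], zone_policy: Dict[str, str],
            order_a: Sequence[str], order_b: Sequence[str]) -> bool:
    """True when both machines end up with the same zone -> key mapping."""
    return allocate_keys(key_db, order_a, zone_policy) == allocate_keys(key_db, order_b, zone_policy)


def demo() -> Tuple[bool, bool]:
    """(shared-policy result, per-zone-policy result) for two machines with opposite zone order."""
    zones = ["a.example", "b.example", "c.example"]   # constructed zone names
    order_a = list(zones)
    order_b = list(reversed(zones))

    # Case 1: all zones on one policy, keys drawn from a single pool.
    shared_db = make_key_db(["default"], 3)
    shared_map = {z: "default" for z in zones}

    # Case 2: one policy per zone, so each zone has its own key pool.
    per_zone_db = make_key_db([f"policy-{z}" for z in zones], 1)
    per_zone_map = {z: f"policy-{z}" for z in zones}

    return (in_sync(shared_db, shared_map, order_a, order_b),
            in_sync(per_zone_db, per_zone_map, order_a, order_b))


if __name__ == "__main__":
    shared_ok, per_zone_ok = demo()
    print("shared policy stays in sync:", shared_ok)      # False
    print("per-zone policies stay in sync:", per_zone_ok)  # True
```

With the shared policy, machine A hands key 1 to a.example and key 3 to c.example while machine B does the reverse, so the two signers diverge even though their databases and HSM contents started identical; with one policy per zone, zone order no longer matters. The model does not cover the ds-seen step, which is the manual action the reply flags as the other place the machines can drift apart.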