On 25/08/14 2:33 pm, gaolei wrote:
> Hi, Emil
>

Hi GaoLei:

> From the previous thread discussion in
> http://lists.opendnssec.org/pipermail/opendnssec-user/2014-June/003024.html ,
> I notice the idea is like this:
> 1. the master runs enforcer and signer
> 2. the slave runs signer only
> 3. sync conf files from master to slave
> 4. if master is down, run enforcer on slave immediately
>
> We plan to do like this:
>
> 1. Two opendnssec instances employed
> 2. The same HSM cluster serves for keys production
> 3. The same Mysql cluster serves for key data storage
>
> I wonder if enforcer runs on both nodes, what will happen? Does the
> enforcer on slave have to be stopped?
>

Because the enforcer takes care of executing the policy for a zone, changes will be made to the KASP when there are events like NSEC3 salt refresh, key rollovers, etc.

We (.nz Registry Services) have a setup with two signers, and at any given time, one of the signers is the "active" signer, meaning the enforcer is allowed to run. If the active signer dies, a flag is switched to indicate the other signer is now active, and we run the enforcer only via crontab once a day on business days. In that way we keep all the changes to state under control.

Cheers,

>
> ------------------------------------------------------------------------
> 2014-08-25 10:12:28
> gaolei
>
> *From:* Emil Natan <mailto:[email protected]>
> *Date:* 2014-08-24 21:20
> *To:* gaolei <mailto:[email protected]>
> *CC:* opendnssec-user <mailto:[email protected]>
> *Subject:* Re: [Opendnssec-user] About High Availability for OpenDNSSEC
>
>> Hi,
>>
>> On Sun, Aug 24, 2014 at 3:59 PM, gaolei <[email protected]
>> <mailto:[email protected]>> wrote:
>>
>>> Hi all,
>>>
>>> From KNET, I notice there is a topic about opendnssec High
>>> Availability at
>>> https://wiki.opendnssec.org/display/DOCS/High+availability
>>>
>>> But I was a little puzzled by this page.
>>> It mentioned about master/slave like this:
>>>
>>>> Master/Slave
>>>>
>>>> Careful consideration should be given to which, if any, processes are
>>>> run on a slave (or on each master in a Master-Master) configuration.
>>>> Some operators don't run either the enforcer or the signer on a
>>>> slave instance but merely duplicate the data between the two
>>>> instances in a timely fashion. Others run two master servers, both
>>>> enforcing and signing but only publishing from an 'active' master.
>>>
>>> I'm wondering what will happen to the rollover of keys if we make a
>>> master-master deployment.
>>>
>>> 1. Mysql used to store keys data, and
>>> 2. HSM machine employed to generate keys, and
>>> 3. Two opendnssec instances running on separate servers for the same zone
>>>
>>> Will the two opendnssec instances generate different keys for the
>>> same zone? If so, it seems as if it will bring troubles when the
>>> 'active' master is down?
>>
>> Yes, the two instances will generate different keys and that will cause
>> problems on switching between the two signers. It's not clear if you
>> plan to use a separate HSM for each of the ODS instances, but what you
>> generally do is pre-generate keys and have them synced in case of two
>> HSMs. The MySQL on both signers should be in sync, the HSM key mapping
>> files as well, so basically the two signers sign the zone using the same
>> keys.
>> Here is another thread of the mailing list discussing HA.
>> http://lists.opendnssec.org/pipermail/opendnssec-user/2014-June/003024.html
>>
>> HTH
>>
>> Emil
>>
>>> Can anyone give more suggestions on the High Availability of opendnssec?
>>>
>>> Best Regards!
>>>
>>> ------------------------------------------------------------------------
>>> 2014-08-24 18:05:37
>>> gaolei
>

-- 
Sebastian Castro
Technical Research Manager
.nz Registry Services (New Zealand Domain Name Registry Limited)
desk: +64 4 495 2337
mobile: +64 21 400535

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
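The active-flag arrangement Sebastian describes (one node flagged active, the enforcer run from cron only there) as an added example script; this is not .nz Registry Services' own code. It assumes a flag file holding the active node's hostname that is synced to both nodes along with the other conf files, and that `ods-enforcerd -1` starts a single enforcer pass on your version; both are assumptions.

```shell
#!/bin/sh
# Added example (not .nz Registry Services' script): only the node named
# in a synced "active node" flag may run the OpenDNSSEC enforcer, so
# exactly one instance ever changes KASP state (rollovers, salt refresh).
# Assumed: the flag file is copied to both nodes with the other conf
# files, and ENFORCER_CMD runs a single enforcer pass on your version.
ACTIVE_FLAG="${ACTIVE_FLAG:-/var/lib/opendnssec/active-node}"
LOCK_DIR="${LOCK_DIR:-/var/run/opendnssec/enforcer-wrapper.lock}"
ENFORCER_CMD="${ENFORCER_CMD:-ods-enforcerd -1}"   # assumed command

# should_run_enforcer FLAGFILE NODENAME
# Prints "run" and returns 0 when NODENAME is the active node; otherwise
# explains on stderr and returns 1. Fails closed: a missing or empty
# flag never means "active", so a half-synced node stays passive.
should_run_enforcer() {
    flag="$1"; me="$2"
    if [ ! -f "$flag" ]; then
        echo "skip: no active flag at $flag" >&2; return 1
    fi
    active=$(head -n 1 "$flag" | tr -d '[:space:]')
    if [ -z "$active" ]; then
        echo "skip: empty active flag" >&2; return 1
    fi
    if [ "$active" = "$me" ]; then
        echo run; return 0
    fi
    echo "skip: active node is $active, this is $me" >&2
    return 1
}

# run_enforcer_once: the cron entry point. Skips quietly on the passive
# node and refuses to overlap a still-running pass (mkdir is atomic,
# so the directory doubles as a lock).
run_enforcer_once() {
    me=$(hostname)
    should_run_enforcer "$ACTIVE_FLAG" "$me" || return 0
    if ! mkdir "$LOCK_DIR" 2>/dev/null; then
        echo "skip: previous enforcer run still holds $LOCK_DIR" >&2
        return 0
    fi
    trap 'rmdir "$LOCK_DIR"' EXIT
    logger -t ods-enforcer-wrapper "enforcer pass on active node $me"
    $ENFORCER_CMD
}

# Same cron line on both nodes (the flag decides which one acts), e.g.:
#   30 6 * * 1-5  /usr/local/sbin/enforcer-if-active.sh run
if [ "${1:-}" = "run" ]; then
    run_enforcer_once
fi
```

Switching the active node is then one edit to the flag file followed by the normal conf sync; the passive node's cron entry keeps firing but exits without touching the KASP.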
