  1. Support
  2. SUPPORT-287

multi signerd working mechanism


    Details

    • Type: Support
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 2.1.10
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:

      OS: Rocky Linux release 8.8 (Green Obsidian)
      OpenDNSSEC: 2.1.13
      SoftHSMv2: 2.6.1

      Description

      I want to deploy an OpenDNSSEC + SoftHSM HA cluster on two hosts. The steps are as follows:
      1: Initialize softhsmv2 on host A and synchronize the var/lib/softhsm/tokens directory to the same path on host B in real time (the two HSMs will have the same key pair).
      2: Host A starts ods-enforcerd. enforcer/zones.xml and signconf are generated on host A and synchronized to the same directory on host B.
      3: Start ods-signerd on A.
      4: Start ods-signerd on B.
      In the end, the RRSIG records in the zone files signed by the two hosts differed only in their timestamps, which met my expectations.
      However, there are two real-time synchronizations in the above steps, and I'm not sure whether this will cause confusion in the HSM or ods-signerd.
      Is this a reasonable solution? In addition, I noticed that version 2.2.0 (https://issues.opendnssec.org/browse/OPENDNSSEC-962) seems to support HA. Is there any progress?

            People

            Assignee:
            Unassigned
            Reporter:
            yuchunyun89 yuchunyun89
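
A check for the outcome described in the ticket, as an added example that is not part of the original issue or of OpenDNSSEC: it compares the key-identifying RRSIG fields (algorithm, labels, original TTL, key tag, signer name) of two signed zone files and ignores inception, expiration and signature bytes. The function names and zone contents are constructed, and it assumes one record per line with the owner name present.

```python
# Added example (not OpenDNSSEC code). Assumes one record per line with an
# explicit owner name, RRSIG RDATA laid out as in RRSIG presentation format.
from collections import defaultdict

CLASSES = {"IN", "CH", "HS"}

def parse_rrsigs(zone_text):
    """Map (owner, type covered) -> {(alg, labels, orig TTL, key tag, signer)}."""
    sigs = defaultdict(set)
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()
        rest = fields[1:]
        # Skip the optional TTL and class to reach the record type.
        while rest and (rest[0].isdigit() or rest[0].upper() in CLASSES):
            rest = rest[1:]
        if len(rest) < 10 or rest[0].upper() != "RRSIG":
            continue  # not an RRSIG (e.g. an NSEC bitmap naming RRSIG) or truncated
        covered, alg, labels, orig_ttl, _exp, _inc, key_tag, signer = rest[1:9]
        sigs[(fields[0].lower(), covered)].add(
            (alg, labels, orig_ttl, key_tag, signer.lower()))
    return sigs

def compare_signers(zone_a, zone_b):
    """Return RRsets whose key-identifying RRSIG fields differ between hosts."""
    a, b = parse_rrsigs(zone_a), parse_rrsigs(zone_b)
    return {k: (sorted(a.get(k, ())), sorted(b.get(k, ())))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

# Constructed sample output from two signers; signatures are placeholders.
HOST_A = """\
example.com. 3600 IN NSEC www.example.com. SOA RRSIG NSEC
example.com. 3600 IN RRSIG SOA 8 2 3600 20240201000000 20240101000000 12345 example.com. AAAA
www.example.com. 3600 IN RRSIG A 8 3 3600 20240201000000 20240101000000 12345 example.com. BBBB
"""
HOST_B = HOST_A.replace("20240101000000", "20240101000500").replace("AAAA", "CCCC")
# Constructed case: a host signing one RRset with a different key tag.
HOST_STALE = HOST_B.replace("12345 example.com. BBBB", "54321 example.com. DDDD")

if __name__ == "__main__":
    print(compare_signers(HOST_A, HOST_B))      # same keys on both hosts
    print(compare_signers(HOST_A, HOST_STALE))  # www A signed by another key
```

An empty result means both hosts signed every RRset with the same key tag and algorithm; any entry names an RRset to investigate before serving the zone from both hosts.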