Multi Master/Primary Authoritative DNSSEC DNS Nameserver With Synced/Replicated COMMON Dir/Vol For BIND
Terik Erik Ashfolk
aterik at outlook.com
Fri Sep 27 23:31:20 UTC 2024
Hi Ondrej. THANK YOU.
I understand what you have suggested.
I considered that earlier: it would have added one more server's
rent cost, plus additional setup, maintenance/update, etc. time, ...
and at the time of that consideration I was using a dnssec-policy opPolicy2W
with the KSK changing every 20 days and the ZSK every 10 days.
Now I have changed to another dnssec-policy, opPolicy3M: KSK changing
every ~3 months and ZSK every 22 days.
For those who use keys with a longer validity period, this
single master/primary (additional server) solution is easy and
better.
On the other hand, if a single master/primary nameserver is used, and
if it goes/stays down (for a longer time) at a scheduled key add/remove
time, ... that can cause problems receiving current replies from
the slave/secondary nameservers.
And this also needs a secure key/channel for nameserver-to-nameserver
data transfer.
So a single master/primary is indeed a single point of failure.
To overcome that, I would need to back up the zone/key etc. files
elsewhere (to allow me to start a new single master/primary
nameserver in such a case of long delay/downtime).
So why not back up to a shared online storage that is also mounted
inside each nameserver? That is surely better.
And I also needed the same KSK (and ZSKs) available in the other
nameservers, so again a shared online storage is needed.
But that shared online storage can also be a single point of failure.
...
So these very easily deduced/indicated: I needed a shared
online storage that is INSIDE EACH SERVER itself, NOT OUTSIDE.
And each server is copying/overwriting + syncing/replicating, and keeping
the last edited files, into the same storage mount-point.
In that way it is NOT a single point of failure;
instead, each is by itself fully sufficient to run and perform DNSSEC activities.
Just a small 300 MB to 1 GB shared space/volume/directory inside
each nameserver is sufficient for this DNS/DNSSEC purpose.
And that's why and what I have done.
Operators/users can create a shared directory between their servers
with various methods; that is the op's/user's choice.
I added extra info to make the point that it is completely and easily doable,
and can also be secure (TLS encrypted).
I did this shared directory earlier with an SSH secure-tunnel-based
copy/syncing method.
The end result needs to be a Shared/Synced/Replicated COMMON storage
Directory/Volume/mount-point for BIND inside each nameserver.
I need 3 servers located in 3 different geo locations for users'
data privacy jurisdiction and separation.
Thanks in advance.
Erik.
Erik T Ashfolk.
On 9/26/24 8:13 PM, Ondřej Surý wrote:
> Hi Erik,
>
> whatever you did below is complicated, unnecessary, and prone to break.
>
> Just create one hidden primary that will do the signing and two to three public secondaries that are independent of each other.
>
> Then set up DNSSEC in a way that it’s ok for the primary to be down for a specified period of time, so you don’t have to wake up in the middle of the night, e.g. the signatures should be long enough and be resigned at least a week before expiration.
>
> The DNS itself can handle a failure of the secondaries itself.
>
> Sure, if you want to be fancy, you can do a local VRRP at each secondary site, or use anycast for each primary, but since you are hosting “example.com” I don’t think it matters much.
>
> Ondrej
> --
> Ondřej Surý — ISC (He/Him)
>
> My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.
>
>> On 27. 9. 2024, at 4:27, TErik Ashfolk <aterik at outlook.com> wrote:
> <snip>
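As an added example (not part of the thread, and not code from either poster), here is a named.conf sketch of the arrangement Ondrej describes above, combined with the key lifetimes Erik mentions (KSK ~3 months, ZSK 22 days): a hidden primary does all signing under a dnssec-policy whose signature refresh leaves a week of margin, and independent public secondaries pull the signed zone over TSIG-authenticated AXFR/IXFR, so no key material ever has to be shared between servers. The policy name opPolicy3M is taken from the post; the zone name, addresses, file paths, algorithm choice, TSIG key name and secret are assumed placeholders.

```conf
// Added example, not from the thread. Assumed: BIND 9.16 or later (dnssec-policy),
// zone example.com, hidden primary 192.0.2.1, public secondaries 192.0.2.2 and
// 192.0.2.3, and a constructed TSIG secret (generate a real one with: tsig-keygen xfer-key).

// --- common to every server: the TSIG key used for NOTIFY and zone transfers ---
key "xfer-key" {
    algorithm hmac-sha256;
    secret "MDEyMzQ1Njc4OWFiY2RlZjAxMjM0NTY3ODlhYmNkZWY=";   // constructed placeholder
};

// --- hidden primary only ---
dnssec-policy "opPolicy3M" {
    keys {
        // Lifetimes from the post: KSK roughly 3 months, ZSK 22 days.
        ksk lifetime P90D algorithm ecdsap256sha256;
        zsk lifetime P22D algorithm ecdsap256sha256;
    };
    // Signatures are valid 14 days and re-generated when 7 days remain,
    // so the primary can be down for up to a week before any served
    // signature expires (the "resign at least a week before expiration" point).
    signatures-validity P14D;
    signatures-validity-dnskey P14D;
    signatures-refresh P7D;
    dnskey-ttl 3600;
    max-zone-ttl 86400;
    zone-propagation-delay PT1H;
    parent-propagation-delay PT1H;
    publish-safety PT1H;
    retire-safety PT1H;
};

zone "example.com" {
    type primary;
    file "/var/named/primary/example.com.db";
    key-directory "/var/named/keys";        // private keys live only here
    dnssec-policy "opPolicy3M";
    inline-signing yes;                     // required for a non-dynamic zone under dnssec-policy
    // Hidden: not listed in the NS RRset, notifies only the configured
    // secondaries, and answers/transfers only to them.
    notify explicit;
    also-notify { 192.0.2.2; 192.0.2.3; };
    allow-transfer { key "xfer-key"; };
    allow-query { localhost; 192.0.2.2; 192.0.2.3; };
};

// --- each public secondary ---
zone "example.com" {
    type secondary;
    primaries { 192.0.2.1 key "xfer-key"; };   // TSIG-signed SOA/IXFR/AXFR to the hidden primary
    file "/var/named/secondary/example.com.db";
    allow-transfer { none; };                  // secondaries are independent of each other
};
```

Check it with `named-checkconf` before reloading, and note that with this policy the only state that needs backing up is the hidden primary's zone file and key directory; a replacement primary restored from that backup can resume the existing key timeline, while the secondaries keep serving the last transferred (still validly signed) zone in the meantime.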
More information about the bind-users mailing list