Hi Ondrej. THANK YOU.
I understand what you have suggested.
I considered that earlier: it would have added 1 more server's
rent cost, plus additional setup, maintenance/update, etc. time, ...
and during that consideration I was using a dnssec-policy opPolicy2W
with the KSK changing every 20 days, & the ZSK every 10 days.
Now I have changed to another dnssec-policy, opPolicy3M: KSK changing
every ~3 months & ZSK every 22 days.
For those who use keys with a longer validity period, in such cases,
this single master/primary (additional server) solution is easy &
better.
On the other hand, if a single master/primary nameserver is used, &
if it goes/stays down (for a longer time) at a scheduled key add/remove
time, ... that can cause problems receiving current replies from the
slave/secondary nameservers.
And this also needs a secure key/channel for nameserver-to-nameserver
data transfer.
So a single master/primary is indeed a single point of failure.
To overcome that, I would need to back up the zone/key etc. files
elsewhere (to allow me to start a new single master/primary
nameserver in such a case of long delay/down time).
So why not back up to a shared online storage that is also mounted
inside each nameserver? As that is surely better.
And I also needed the same KSK (and ZSKs) available in the other
nameservers, so again a shared online storage is needed.
But that shared online storage can also be a single point of failure.
...
So these ... very easily deduce/indicate: I needed a shared
online storage that is INSIDE EACH SERVER itself, NOT OUTSIDE.
And each server is copying/overwriting + syncing/replicating, & keeping
the last edited files, into the same storage mount-point.
In that way ... it is NOT a single point of failure.
Instead, by itself it is fully sufficient to run+perform DNSSEC activities.
Just a small 300 MB to 1 GB shared space/volume/directory inside
each nameserver is sufficient for this DNS/DNSSEC purpose.
And that's why+what I have done.
The operator/user can create a shared directory in between their servers
with various methods; that is the op's/user's choice.
I added extra info to make the point that it's completely & easily doable,
& can also be secure (TLS encrypted).
I did this shared directory earlier with an SSH secure tunnel based
copy/syncing method.
The end result needs to be a Shared/Synced/Replicated COMMON storage
Directory/Volume/mount-point for BIND inside each nameserver.
I needed 3 servers located in 3 different geo locations for users'
data privacy jurisdiction & separation.
Thanks in advance.
Erik.
Erik T Ashfolk.
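As an added illustration (not from Erik's or Ondřej's mail, and not ISC's own configuration), here is a named.conf fragment showing how the key lifetimes Erik describes for opPolicy3M and the signature timing Ondřej recommends in the reply quoted below map onto BIND's dnssec-policy, together with the hidden-primary / public-secondary zone layout. The addresses, file paths, TSIG key name and secret are placeholders; replace them with your own.

```conf
// Added example (not from the thread). BIND 9.16+ dnssec-policy syntax.
// Key lifetimes follow Erik's opPolicy3M: KSK ~3 months, ZSK 22 days.
// Signature timing follows Ondřej's advice: RRSIGs valid long enough
// that the primary may be down for a while, and re-signed at least a
// week before they expire.
dnssec-policy "opPolicy3M" {
    keys {
        ksk lifetime P90D algorithm ecdsap256sha256;
        zsk lifetime P22D algorithm ecdsap256sha256;
    };
    // RRSIGs are valid 14 days and renewed once less than 7 days remain,
    // so the hidden primary can be unreachable for up to ~7 days before
    // any signature served by the secondaries expires.
    signatures-validity        P14D;
    signatures-validity-dnskey P14D;
    signatures-refresh         P7D;
    // Timers that size the rollover safety margins (placeholder values;
    // set them to your real zone TTL and propagation times).
    dnskey-ttl               3600;
    max-zone-ttl             86400;
    zone-propagation-delay   PT1H;
    parent-propagation-delay PT24H;
};

// TSIG key that authenticates NOTIFY and zone transfers between the
// hidden primary and the secondaries. Generate a real secret with
// `tsig-keygen xfer-key`; the value below is a placeholder.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER_BASE64_SECRET_FROM_tsig-keygen==";
};

// --- hidden primary (placeholder address 192.0.2.1, not in the NS RRset) ---
zone "example.com" {
    type primary;
    file "/var/named/example.com.db";   // unsigned zone file you edit
    dnssec-policy "opPolicy3M";
    inline-signing yes;                  // signed copy is kept separately
    allow-transfer { key "xfer-key"; };  // only TSIG-authenticated AXFR/IXFR
    notify explicit;                     // notify only the listed secondaries
    also-notify { 192.0.2.10 key "xfer-key"; 192.0.2.11 key "xfer-key"; };
};

// --- each public secondary (e.g. placeholder 192.0.2.10) ---
zone "example.com" {
    type secondary;
    primaries { 192.0.2.1 key "xfer-key"; };
    file "/var/named/example.com.db.saved";
    allow-transfer { none; };            // public servers answer queries, not AXFR
};
```

With this layout only the hidden primary ever holds the private KSK/ZSK material; the secondaries receive the already-signed zone over TSIG-authenticated transfer and need no shared key directory. Two timers have to agree: the SOA expire value in the zone must be longer than the outage you are willing to tolerate (otherwise the secondaries stop answering before any signature expires), and signatures-refresh must leave enough margin that a primary outage shorter than that window never produces an expired RRSIG on the public servers.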
On 9/26/24 8:13 PM, Ondřej Surý wrote:
Hi Erik,
whatever you did below is complicated, unnecessary, and prone to break.
Just create one hidden primary that will do the signing and two to three public
secondaries that are independent of each other.
Then set up DNSSEC in a way that it's ok for the primary to be down for a
specified period of time, so you don't have to wake up in the middle of the
night, e.g. the signatures should be long enough and be resigned at least a
week before expiration.
The DNS itself can handle a failure of the secondaries itself.
Sure, if you want to be fancy, you can do a local VRRP at each secondary site,
or use anycast for each primary, but since you are hosting “example.com” I
don’t think it matters much.
Ondrej
--
Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel
obligated to reply outside your normal working hours.
On 27. 9. 2024, at 4:27, TErik Ashfolk <ate...@outlook.com> wrote:
<snip>