Terry Burton <[log in to unmask]> wrote:
>
> ISC's SNS-PB seems to fit the bill and we have been quoted ~$1000
> p.a. Anycast, multi-master, high-volume...
We have been eyeing that with interest. How many zones is the quote for?
> Secondly, in the broader context of disaster recovery perhaps people
> are prepared to describe any of their solutions (present or future) to
> remotely update DNS in the presence of DNSSEC signing?
We don't have a specific plan, but my approach would roughly be to have an
offsite slave which is used as a second master by our public secondaries.
(XFR distribution nets can be arbitrary graphs.) This would have a small
amount of tooling to convert it into a master in place. We would keep a
copy of the DNSSEC keys either offline somewhere (so they can be uploaded
to the backup server when required), or encrypted on the server. (Or a
local and offsite pair of HSMs perhaps?) After the conversion to master,
nsupdate would make the necessary changes, probably agreed in advance and
scripted.
--
Tony Finch - Mail and DNS - Cambridge University Information Services
<[log in to unmask]> <http://www-uxsup.csx.cam.ac.uk/~fanf2/>
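The in-place promotion and the pre-scripted nsupdate step sketched in the reply above, as an added example that is not part of the original thread or of anyone's production tooling; it assumes BIND 9.16+ configuration syntax, a zone named example.com, a key directory /etc/bind/keys into which the offline DNSSEC key copies have been restored, and a TSIG key called offsite-admin.

```shell
#!/bin/sh
# Added example (not from the thread): rewrite a BIND named.conf zone stanza so
# the offsite secondary becomes a primary in place, keeping the zone file it
# already holds, signing inline with restored keys, and accepting TSIG-signed
# dynamic updates. Zone, paths and key name below are assumptions.

# Constructed input: the stanza as it looks on the offsite secondary.
SECONDARY_CONF='zone "example.com" {
    type secondary;
    file "db/example.com";
    primaries { 192.0.2.1; };
};'

# promote_zone ZONE KEYDIR TSIGKEY : read a named.conf on stdin and print it
# with "type secondary" replaced by a primary stanza for ZONE.
promote_zone() {
    zone="$1"; keydir="$2"; tsig="$3"
    awk -v zone="$zone" -v keydir="$keydir" -v tsig="$tsig" '
        $0 ~ ("^zone \"" zone "\"") { inzone = 1 }
        inzone && /type secondary;/ {
            print "    type primary;"
            print "    key-directory \"" keydir "\";"   # restored key files
            print "    dnssec-policy default;"           # sign with those keys
            print "    inline-signing yes;"              # zone file stays unsigned
            print "    update-policy { grant " tsig " zonesub ANY; };"
            next
        }
        inzone && /primaries/ { next }   # a primary no longer transfers in
        { print }
        inzone && /^};/ { inzone = 0 }
    '
}

# failover_updates ZONE TTL NEW_IP : print the pre-agreed record changes in
# nsupdate batch syntax, to be piped into: nsupdate -k /etc/bind/offsite-admin.key
failover_updates() {
    zone="$1"; ttl="$2"; ip="$3"
    printf 'server 127.0.0.1\n'              # the freshly promoted primary
    printf 'zone %s\n' "$zone"
    printf 'update delete www.%s. A\n' "$zone"
    printf 'update add www.%s. %s A %s\n' "$zone" "$ttl" "$ip"
    printf 'send\n'
}

# Stand-alone run: show the rewritten stanza and the update batch.
printf '%s\n' "$SECONDARY_CONF" | promote_zone example.com /etc/bind/keys offsite-admin
failover_updates example.com 300 203.0.113.5
```

With inline signing the promoted server re-signs the zone itself after each update, so the secondaries only ever see signed data; check with `rndc zonestatus example.com` and `dig +dnssec` before switching the public secondaries' primary address.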