Product: Cluster Server Guides   
Manual: Cluster Server 4.1 Bundled Agents Reference Guide   

Monitor Scenarios

This table shows the various monitor scenarios:

Online lock file exists   Expected CNAME RR   Monitor returns
NO                        N/A                 OFFLINE
YES                       NO                  OFFLINE
YES                       YES                 ONLINE


Note: The DNS agent supports BIND version 8 and above.

Sample Configuration

Take the VERITAS corporate web server as an example. A person using a web browser specifies the URL www.veritas.com to view the VERITAS web page, where www.veritas.com maps to the canonical name mtv.veritas.com, a host in Mountain View running the web server. The browser retrieves the IP address for the web server by querying the domain name servers. If the web server for www.veritas.com is failed over from Mountain View to Heathrow, the domain name servers must be updated with the new canonical name mapping so that web browsers are directed to Heathrow instead of Mountain View. In this case, on failover the DNS agent should update the name server to change the mapping of www.veritas.com from mtv.veritas.com to the canonical name of the standby machine in Heathrow, hro.veritas.com.

Sample Configuration

This is a DNS sample configuration.


DNS www (
Domain = "veritas.com"
Alias = www
Hostname = mtv
)

Bringing the www resource online updates the authoritative nameservers for domain veritas.com with the following CNAME record:


www.veritas.com.             86400     IN     CNAME         mtv.veritas.com

Thus all DNS lookups for www.veritas.com resolve to mtv.veritas.com.

Secure DNS Update

By default (when the TSIGKeyFile attribute is unspecified), the DNS agent expects the IP addresses of the hosts that may update the DNS records dynamically to be listed in the allow-update field of the zone. However, because IP addresses can be easily spoofed, a secure alternative is to use TSIG (Transaction Signature) as specified in RFC 2845. TSIG is a shared-key message authentication mechanism available in DNS. A TSIG key provides a means to authenticate and verify the validity of the DNS data exchanged, using a shared secret key between a resolver and either one or two servers.

In the following example, the domain is veritas.com.

  To use secure updates using TSIG keys

  1. Run the dnskeygen command with the HMAC-MD5 (-H) option to generate a pair of files that contain the TSIG key:
      # dnskeygen -H 128 -h -n veritas.com.
       Kveritas.com.+157+00000.key
       Kveritas.com.+157+00000.private
  2. Open either file. The contents of the file should look similar to:
      veritas.com. IN KEY 513 3 157 +Cdjlkef9ZTSeixERZ433Q==
  3. Copy the shared secret (the TSIG key), which should look similar to: +Cdjlkef9ZTSeixERZ433Q==
  4. Configure the DNS server to only allow TSIG updates using the generated key.

    Open the named.conf file and add these lines:


      key veritas.com. {
          algorithm hmac-md5;
          secret "+Cdjlkef9ZTSeixERZ433Q==";
      };

    where +Cdjlkef9ZTSeixERZ433Q== is the shared secret copied in step 3.

  5. In the named.conf file, edit the appropriate zone section and add the allow-update substatement so that it references the key:
      allow-update { key veritas.com.; };
  6. Save and restart the named process.
  7. Place the files containing the keys on each of the nodes that are listed in the group's SystemList. The DNS agent uses this key to update the name server.

    Copy both the private and public key files onto the node. A good location is the /var/tsig/ directory.

  8. Set the TSIGKeyFile attribute for the DNS resource to specify the file containing the private key.
      DNS www (
      Domain = "veritas.com"
      Alias = www
      Hostname = north
      TSIGKeyFile = "/var/tsig/Kveritas.com.+157+00000.private"
      )
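As an added example (not code from the guide or from the VCS DNS agent), the following Python shows what the TSIG steps above buy over the allow-update-by-IP default: it reads the shared secret out of the dnskeygen .key file from step 2, emits the named.conf key and allow-update stanzas from steps 4 and 5, and signs and verifies an update the way RFC 2845 does, rejecting a tampered message, a stale timestamp or an unknown key name. The key line and the update message are constructed samples, and the digest input is simplified (the TSIG RR wire layout is not reproduced).

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample input: the .key file written by dnskeygen (a DNS KEY RR).
# Field 6 is the algorithm number; 157 means HMAC-MD5, which named.conf calls "hmac-md5".
SAMPLE_KEY_FILE = "veritas.com. IN KEY 513 3 157 +Cdjlkef9ZTSeixERZ433Q==\n"
ALGORITHMS = {157: "hmac-md5"}
ALG_NAMES = {"hmac-md5": b"hmac-md5.sig-alg.reg.int."}   # RFC 2845 algorithm name

def parse_key_file(text):
    """Return (key name, named.conf algorithm, raw secret bytes) from a .key line."""
    name, _cls, rrtype, _flags, _proto, alg, secret = text.split()
    if rrtype != "KEY":
        raise ValueError("expected a KEY record")
    return name, ALGORITHMS[int(alg)], base64.b64decode(secret)

def named_conf_stanza(name, algorithm, secret):
    """named.conf 'key' statement plus the zone substatement restricting updates to it."""
    b64 = base64.b64encode(secret).decode()
    return (f"key {name} {{\n    algorithm {algorithm};\n    secret \"{b64}\";\n}};\n"
            f"allow-update {{ key {name}; }};\n")

def tsig_mac(secret, algorithm, key_name, message, time_signed, fudge):
    """HMAC over the update message plus the TSIG variables (key name, algorithm,
    time signed, fudge), so the MAC is bound to this key and this moment.
    Simplified: the full RFC 2845 TSIG RR wire layout is not reproduced here."""
    variables = (key_name.lower().encode() + ALG_NAMES[algorithm]
                 + struct.pack("!Q", time_signed)[2:]      # 48-bit "time signed"
                 + struct.pack("!H", fudge))
    return hmac.new(secret, message + variables, hashlib.md5).digest()

def sign_update(keyring, key_name, message, now=None, fudge=300):
    """Client side (what the DNS agent does with TSIGKeyFile): returns the TSIG fields."""
    algorithm, secret = keyring[key_name]
    t = int(time.time()) if now is None else now
    return key_name, t, fudge, tsig_mac(secret, algorithm, key_name, message, t, fudge)

def verify_update(keyring, message, key_name, time_signed, fudge, mac, now=None):
    """Server side: unknown key, stale signature and bad MAC are rejected with the
    RFC 2845 error names; the sender's IP address plays no part in the decision."""
    if key_name not in keyring:
        return "BADKEY"
    algorithm, secret = keyring[key_name]
    t = int(time.time()) if now is None else now
    if abs(t - time_signed) > fudge:
        return "BADTIME"
    expected = tsig_mac(secret, algorithm, key_name, message, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return "BADSIG"
    return "NOERROR"
```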
VERITAS Software Corporation
www.veritas.com