The DNS agent has the following notes:
The high availability fire drill detects discrepancies between the VCS configuration and the underlying infrastructure on a node, discrepancies that might prevent a service group from going online on a specific node.
For DNS resources, the high availability drill tests the following conditions:
For more information about using the high availability fire drill, see the Veritas Cluster Server Administrator's Guide.
Depending on the existence of the Online lock file and the defined Resource Records (RR), you get different status messages from the Monitor function.
Take the former Veritas corporate web server as an example. A browser requests the URL http://www.example.com that maps to the canonical name location1.example.com. The browser retrieves the IP address for the web server by querying a domain name server. If the web server fails over from location one to location two (location2.example.com), the domain name servers need a new canonical name mapping for www.example.com. The www.example.com alias is now updated to point to the canonical name of the standby system in location two.
The DNS agent expects that the zone's allow-update field contains the IP addresses of the hosts that can dynamically update the DNS records. This is the default behavior for the DNS agent. However, because a competent black hat can spoof IP addresses, consider TSIG as an alternative.
TSIG (Transaction Signature) as specified in RFC 2845 is a shared key message authentication mechanism that is available in DNS. A TSIG key provides the means to authenticate and verify the validity of exchanged DNS data. It uses a shared secret key between a resolver and either one or two servers to provide security.
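The difference between address-based and key-based update authorization, as an added example that is not part of the original documentation. It is a simplified model of shared-key message authentication, not the RFC 2845 wire format; the function names, key, addresses and update strings are constructed assumptions.

```python
import hashlib
import hmac

# All values below are constructed for illustration.
ALLOWED_IPS = {"192.0.2.10"}             # stands in for an address-based allow-update list
SHARED_KEY = b"constructed-demo-secret"  # stands in for the key dnssec-keygen generates
FUDGE = 300                              # seconds of clock skew the server tolerates

def sign_update(key, update, time_signed):
    """Client side: HMAC-MD5 over the update text and the signing time."""
    data = update.encode() + b"|" + str(time_signed).encode()
    return hmac.new(key, data, hashlib.md5).hexdigest()

def accept_by_ip(source_ip):
    """Address-based policy: trusts whatever source address the packet claims."""
    return source_ip in ALLOWED_IPS

def accept_by_key(key, update, time_signed, mac, now):
    """Key-based policy: the source address is ignored; MAC and freshness decide."""
    if abs(now - time_signed) > FUDGE:
        return False  # stale signature, for example a replayed update
    return hmac.compare_digest(sign_update(key, update, time_signed), mac)

def run_cases(now=1_700_000_000):
    failover = "www.example.com CNAME location2.example.com"
    rogue = "www.example.com CNAME rogue.example.net"
    old = now - 3600
    good_mac = sign_update(SHARED_KEY, failover, now)
    cases = {
        # name: (claimed source IP, update, time signed, MAC)
        "legitimate": ("192.0.2.10", failover, now, good_mac),
        "spoofed_ip_no_key": ("192.0.2.10", rogue, now, sign_update(b"guess", rogue, now)),
        "tampered_in_transit": ("192.0.2.10", rogue, now, good_mac),
        "replayed_later": ("192.0.2.10", failover, old, sign_update(SHARED_KEY, failover, old)),
    }
    return {
        name: {"by_ip": accept_by_ip(ip),
               "by_key": accept_by_key(SHARED_KEY, upd, ts, mac, now)}
        for name, (ip, upd, ts, mac) in cases.items()
    }

if __name__ == "__main__":
    for name, verdict in run_cases().items():
        print(f"{name:20} {verdict}")
```

Every case passes the address check because the claimed source address is on the list; only the update signed with the shared key inside the time window passes the key check.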
In the following example, the domain is example.com.
To use secure updates using TSIG keys
Run the dnssec-keygen command with the HMAC-MD5 option to generate a pair of files that contain the TSIG key:
When displayed with the cat command, the contents of the file resemble:
Copy both the private and public key files onto the node. A good location is in the /var/tsig/ directory.