Tsig Keys; E.1.3 Tsig Keys; Dns Record Time-To-Live Values; Configuring The Dns Server For Dynamic Dns - Novell BUSINESS CONTINUITY CLUSTERING 1.2.1 - ADMINISTRATION Administration Manual

Another option for your DNS servers is to put them in your Novell Cluster Services cluster. This
creates a DNS service that is extremely resilient to failure. For information, see "Configuring DNS
with Novell Cluster Services" in the OES 2 SP2: Novell DNS/DHCP Administration Guide for
Linux.

E.1.3 TSIG Keys

TSIG (Transaction Signature) keys are used in the examples to authenticate dynamic updates of the
DNS server. It is not a requirement that you use TSIG. Other methods of authorizing updates can be
used instead, such as DNSSEC (DNS Security Extensions). In addition, good security requires more
than authorization keys. Logging, monitoring, firewalls, intrusion detection systems, and so on
should all be employed to keep your systems and network safe from unwanted access. However, it is
beyond the scope of this document to cover these alternatives.

The TSIG dnssec-keygen utility should be automatically installed as part of the ISC BIND 9 DNS
server package.

E.1.4 DNS Record Time-to-Live Values

Selecting the proper Time-to-live (TTL) value for the DNS records can be a bit tricky. If the values
are too short, the DNS traffic on your network can increase dramatically. If the values are too long,
the end users are unable to reconnect to the cluster resources after a BCC migration until the DNS
records expire. There is no perfect TTL value. Each customer and environment is unique and has
different needs and goals. You should experiment with the TTL values while monitoring the DNS
traffic on your network to find the ideal value for your network.

E.2 Configuring the DNS Server for Dynamic DNS

Begin by configuring the DNS server so that it accepts dynamic updates to a particular zone and
authenticates these updates using TSIG (Transaction Signature) keys.
Section E.2.1, "Creating the TSIG Keys for DNS Server Authentication," on page 154
Section E.2.2, "Configuring the DNS Server with the Public Key," on page 155
Section E.2.3, "Configuring the DNS Server Zones," on page 156
Section E.2.4, "Testing the DNS Server," on page 156

E.2.1 Creating the TSIG Keys for DNS Server Authentication

TSIG keys are used to authenticate dynamic updates of the DNS server. Use the dnssec-keygen
utility to create the public and private TSIG key files in the following format:
K<cluster_dns_name>.+157+<random number>.key
K<cluster_dns_name>.+157+<random number>.private
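1 On a node in one of the peer clusters, log in as the root user, then open a terminal console.
2 Use the dnssec-keygen utility to create the public and private TSIG keys by entering
dnssec-keygen -a HMAC-MD5 -b 512 -n HOST cluster_dns_name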
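
A check that can be run on the generated pair before it is distributed, added here as an example and not part of the Novell guide. For an HMAC algorithm such as 157, the .key file holds the same shared secret as the .private file, so the script audits both files for naming, matching secret, key length and permissions. The function names, the sample name cluster1.example.com and the id 01234 are constructed for illustration, and the file layout is assumed to be the one BIND 9 dnssec-keygen writes for HMAC-MD5.

```python
import base64, os, re, stat, tempfile

# dnssec-keygen names the pair K<name>.+<alg>+<id>; algorithm 157 is HMAC-MD5.
NAME_RE = re.compile(r"^K(?P<name>.+)\.\+(?P<alg>\d+)\+(?P<id>\d+)$")

def audit_tsig_pair(base, expected_bits=512):
    """Return findings for <base>.key and <base>.private (empty list = clean)."""
    m = NAME_RE.match(os.path.basename(base))
    if not m:
        return ["file name does not match K<name>.+<alg>+<id>"]
    findings = []
    if m["alg"] != "157":
        findings.append(f"algorithm {m['alg']} is not 157 (HMAC-MD5)")
    # .key is one record: <name>. IN KEY <flags> <proto> <alg> <base64 ...>
    with open(base + ".key") as f:
        key_secret = "".join(f.read().split()[6:])
    # .private is "Field: value" lines; the shared secret is the Key field.
    with open(base + ".private") as f:
        priv = dict(line.strip().split(": ", 1) for line in f if ": " in line)
    if priv.get("Key") != key_secret:
        findings.append(".key and .private do not hold the same secret")
    try:
        bits = len(base64.b64decode(key_secret, validate=True)) * 8
    except ValueError:
        bits = 0
    if bits != expected_bits:
        findings.append(f"secret is {bits} bits, expected {expected_bits}")
    # Both files carry the secret, so neither may be group/world accessible.
    for ext in (".key", ".private"):
        mode = stat.S_IMODE(os.stat(base + ext).st_mode)
        if mode & 0o077:
            findings.append(f"{ext} mode {mode:o} allows group/other access")
    return findings

def write_sample_pair(directory, name="cluster1.example.com", mode=0o600):
    """Write a constructed key pair (random secret, made-up name and id)."""
    secret = base64.b64encode(os.urandom(64)).decode()
    base = os.path.join(directory, f"K{name}.+157+01234")
    bodies = {".key": f"{name}. IN KEY 512 3 157 {secret}\n",
              ".private": f"Private-key-format: v1.2\nAlgorithm: 157 (HMAC_MD5)\nKey: {secret}\n"}
    for ext, body in bodies.items():
        with open(base + ext, "w") as f:
            f.write(body)
        os.chmod(base + ext, mode)
    return base

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for mode in (0o600, 0o644):  # clean pair, then loose permissions
            print(oct(mode), audit_tsig_pair(write_sample_pair(d, mode=mode)))
```
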
154 BCC 1.2.1: Administration Guide for OES 2 SP2 Linux