On Mon, Aug 28, 2006 at 11:58:39AM -0600, Tim Pushor wrote:
> Travers Buda wrote:
> >>Hi Friends,
> >>
> >>I am wondering if anyone can think of why I shouldn't provide secondary
> >>DNS services from a carp cluster of OpenBSD systems? I have an issue
> >>where my primary DNS server is non-redundant, and trying to find a
> >>good place for a secondary. I have a cluster of OpenBSD machines
> >>acting as a router/firewall and would be real convenient to put it
> >>there.
> >>
> >>I'd like it to respond to queries on the carp address ..
> >>
> >>Can anyone think of a reason to not do this?
> >
> >You could use carp, but easier redundancy is already built into the DNS
> >system. Look into a slave DNS server.
> >
>
> Sorry, I should have been more clear. I am looking for a good spot on my
> network to put a secondary/slave DNS, and I already have a cluster of
> OpenBSD machines acting as a router/firewall and was wondering if there
> was any reason why not to use those as slaves, since they are already
> redundant and highly available.
>
> Only question is whether or not to use the/a carp address for the DNS.
It will work, but as noted, there's no particular reason to do this;
redundancy is built into the DNS protocol.

The only caveat I can think of is that running services on a firewall
weakens your perimeter security.

Finally, don't sync master and CARP - sync master and slave(s) directly.
But that should be obvious.

Joachim
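One concrete shape for the "sync master and slaves directly" advice, added here as an illustration and not something any poster in this thread wrote. It assumes the cluster nodes run BIND (named.conf syntax), which the thread never states, and uses constructed documentation addresses: 192.0.2.1 for the master, 192.0.2.2 and 192.0.2.3 for the two nodes' own interfaces, and 192.0.2.10 for the shared CARP address. The zone name is likewise a placeholder.

```conf
// --- on the master (192.0.2.1, constructed address) ---
options {
    // Transfers and NOTIFYs go to each node's own interface address,
    // never to the shared CARP address 192.0.2.10: a transfer aimed at
    // the CARP address reaches only whichever node currently holds it,
    // and the other node's copy of the zone silently goes stale.
    allow-transfer { 192.0.2.2; 192.0.2.3; };
    also-notify    { 192.0.2.2; 192.0.2.3; };
    notify yes;
};

zone "example.com" {
    type master;
    file "master/example.com";
};

// --- on each cluster node (this one is 192.0.2.2; the other is 192.0.2.3) ---
options {
    // Answer queries on the node's own address and on the CARP address
    // that clients and the parent zone's NS records point at.
    listen-on { 192.0.2.2; 192.0.2.10; };
    // Pull zone transfers from the node's own address, so the master's
    // allow-transfer list can name each node individually.
    transfer-source 192.0.2.2;
    // Authoritative-only: a slave sitting on the firewall should not
    // also be an open resolver.
    recursion no;
};

zone "example.com" {
    type slave;
    masters { 192.0.2.1; };
    file "slave/example.com";
};
```

With this layout the nameserver that the outside world sees is the CARP address, while replication runs node by node, so both cluster members carry a current copy of the zone whichever one is CARP master at the moment; the only thing the CARP address is used for is answering queries.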