On 2010-02-01, Matthieu Herrb <mhe...@gmail.com> wrote:
> I'm using net/unbound to implement the server, but still I don't trust
> it enough to consider that as long as the interface on one machine
> running unbound is up and getting carp advertisements the name server
> is answering. So I'm considering using ifstated to monitor the
> unbound process and demote the interface if something goes wrong.
>
> Does this look sane?

In my experience, it's enough to just restart unbound if the
process has died; that has happened to me once or twice (I've been
running it since it was added to ports) but not often. I haven't
yet seen it still running but failing to answer.

I'm happier about doing that than running ifstated and tweaking
carp state.

> Hint if someone wants to do the same: in unbound.conf you have to
> explicitly set 'interface:' to the IP of your carp group (setting
> outgoing-interface is not enough), otherwise unbound will answer from
> the IP of the carpdev interface.

Right; outgoing-interface is used for queries only. (If you have
multiple addresses you can source queries from, list them all in
outgoing-interface, it will improve randomness).

There is an 'interface-automatic' feature but I've never checked
to see if it works on OpenBSD.

And a hint from me :) set up unbound-control (it's easy:
run unbound-control-setup, set 'control-enable: yes' in config,
restart). It gives you stats, the ability to flush individual
records from the cache, etc.
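
An added example, not part of the original message or of unbound itself: a small watchdog that restarts unbound when the process has died, and also covers the case of a running process that no longer replies on the 'interface:' address. The address `192.0.2.53`, the function names, the `--run` switch, and the use of `rcctl restart unbound` as the restart command are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the original thread: restart unbound when the
# process is gone or when it no longer replies to queries.
# Assumptions: RESOLVER_IP is a constructed address (documentation range),
# and "rcctl restart unbound" is how unbound is restarted on this host.

RESOLVER_IP="${RESOLVER_IP:-192.0.2.53}"   # the 'interface:' address
PROBE_NAME="${PROBE_NAME:-.}"              # name to query (root NS set)
RESTART_CMD="${RESTART_CMD:-rcctl restart unbound}"

# Succeeds if a process named exactly "unbound" exists.
unbound_running() {
    pgrep -x unbound >/dev/null 2>&1
}

# Succeeds if any reply arrives within 2 seconds. dig exits non-zero when
# no reply is received; a SERVFAIL reply still counts as answering, since
# restarting the resolver would not fix an upstream outage.
unbound_answers() {
    dig +time=2 +tries=1 @"$RESOLVER_IP" "$PROBE_NAME" NS >/dev/null 2>&1
}

restart_unbound() {
    $RESTART_CMD
}

# Prints one of: dead (no process), hung (process but no reply), ok.
resolver_state() {
    if ! unbound_running; then
        echo dead
    elif ! unbound_answers; then
        echo hung
    else
        echo ok
    fi
}

# Restart only when the resolver is not healthy, and log why.
watchdog() {
    state=$(resolver_state)
    case "$state" in
        ok) return 0 ;;
        *)  logger -t unbound-watchdog "unbound is $state, restarting"
            restart_unbound ;;
    esac
}

# Act only when asked to, e.g. from cron: watchdog.sh --run
if [ "${1:-}" = "--run" ]; then
    watchdog
fi
```

Run it from root's crontab with `--run`; the restarts it logs under the `unbound-watchdog` tag show how often the resolver actually fails.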
