TSIG Signed Dynamic DNS update

The TSIG Signed Dynamic DNS update method is basically the same as the Standard Dynamic DNS update method, with one addition: every update message carries a TSIG signature, an HMAC computed with a shared secret (RFC 2845). The DNS server can then verify that the update really came from a holder of the key and was not modified in transit, which is what makes this method safe to use across the Internet. Note that TSIG authenticates and integrity-protects the update; it does not encrypt it.

TSIG Signed Dynamic DNS updates are supported by the Simple DNS Plus and BIND DNS servers.

When using this update method, you must specify a key name and a key value (similar to a user name / password; the key value is a base64 encoded shared secret).
The same key name and value must be set up on your DNS server, and the key should be granted no more than the permission it needs: updating the DNS records for the Server Set domain name.

Updates can only be performed on the primary DNS server for a DNS zone.
To ensure that DNS can always be updated (with any one of the DNS servers unavailable), you must configure the DNS zone as primary on all DNS servers.
This also means that you will have to keep the DNS servers synchronized manually by always making all zone/record updates on all of them.

Simple Failover performs the following steps to check and update DNS:

First, based on the monitoring results, it figures out what the DNS records should be for the Server Set domain name:
- If the Server Set is configured to use DNS round robin (load balancing), then it will configure one A-record for each of the functional servers.  
- If the Server Set is not configured to use DNS round robin, then it will configure a single A-record for the first functional server.  
- If none of the servers were functional, then Simple Failover will assume that the problem must be local, and it will configure A-records as if the first/all servers did respond correctly.  
- If the Server Set Failed Polls Accepted setting is greater than zero, then each server is considered functional, until it has been found non-functional more times than this number.  

Then it sends a DNS query to the DNS server to check the current A-records for the Server Set domain name.
If these already match what they should be (1), then the process stops here as there is no need to update anything.  

Next it sends a DNS query for the SOA-record of the Server Set domain name.
The SOA-record in the response identifies the DNS zone that the domain name belongs to (the update request must name this zone in its zone section).  

And finally it sends a TSIG signed update request to the DNS server saying:
a) Delete any existing A- and CNAME-records for the Server Set domain name.  
b) Add new A-records as per the monitoring results (1).  
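The three-step exchange above, as an added example that is not Simple Failover's own code: it builds the RFC 2136 UPDATE message exactly as described (zone section naming the zone, no prerequisites, an update section that deletes all A- and CNAME-records for the name and adds one A-record per functional server), signs it with TSIG as in RFC 2845 (with the hmac-sha256 algorithm from RFC 4635, which you should prefer over hmac-md5 where the server supports it), and then checks the signature the way the DNS server does. It uses only the Python standard library. The key name, secret, zone, host name and addresses are constructed for illustration, and the name parser only handles uncompressed names because that is all this code generates.

```python
"""Build, TSIG-sign and verify an RFC 2136 UPDATE (added example, standard library only)."""
import hashlib
import hmac
import struct
import time

TYPE_A, TYPE_CNAME, TYPE_SOA, TYPE_TSIG = 1, 5, 6, 250
CLASS_IN, CLASS_ANY = 1, 255
OPCODE_UPDATE = 5
# TSIG algorithm names travel in domain-name syntax (RFC 2845 / RFC 4635).
ALGORITHMS = {"hmac-md5.sig-alg.reg.int.": hashlib.md5, "hmac-sha256.": hashlib.sha256}


def encode_name(name):
    """Uncompressed wire-format name, lower-cased (the canonical form RFC 2845 uses for the MAC)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += struct.pack("!B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def rr(name, rtype, rclass, ttl, rdata=b""):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def build_update(msg_id, zone, host, addresses, ttl=60):
    """Unsigned UPDATE: header, zone section, no prerequisites, update section.
    'Delete all RRs of a type' is class ANY, TTL 0, empty RDATA (RFC 2136 section 2.5.2)."""
    updates = [rr(host, TYPE_A, CLASS_ANY, 0), rr(host, TYPE_CNAME, CLASS_ANY, 0)]
    for addr in addresses:
        updates.append(rr(host, TYPE_A, CLASS_IN, ttl, bytes(int(o) for o in addr.split("."))))
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE << 11, 1, 0, len(updates), 0)
    return header + encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN) + b"".join(updates)


def tsig_variables(key_name, algorithm, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' that RFC 2845 appends to the message before computing the MAC."""
    return (encode_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + encode_name(algorithm)
            + struct.pack("!Q", time_signed)[2:] + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign_update(message, key_name, secret, algorithm="hmac-sha256.", time_signed=None, fudge=300):
    """Append the TSIG RR to the additional section and increment ARCOUNT."""
    time_signed = int(time.time()) if time_signed is None else time_signed
    mac = hmac.new(secret, message + tsig_variables(key_name, algorithm, time_signed, fudge),
                   ALGORITHMS[algorithm]).digest()
    rdata = (encode_name(algorithm) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + message[:2] + struct.pack("!HH", 0, 0))  # original ID, error, other len
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr(key_name, TYPE_TSIG, CLASS_ANY, 0, rdata)


def _read_name(buf, pos):
    labels = []
    while True:
        n = buf[pos]
        pos += 1
        if n & 0xC0:
            raise ValueError("compressed names are not handled by this example")
        if n == 0:
            return ".".join(labels) + ".", pos
        labels.append(buf[pos:pos + n].decode("ascii"))
        pos += n


def verify_tsig(signed, secret, now=None):
    """Server-side check: find the trailing TSIG RR, recompute the MAC over the message with
    that RR removed (ARCOUNT decremented), compare in constant time, enforce the time window."""
    msg_id, _flags, zo, pr, up, ad = struct.unpack("!HHHHHH", signed[:12])
    pos = 12
    for _ in range(zo):
        pos = _read_name(signed, pos)[1] + 4
    rr_start = rd_start = rtype = None
    for _ in range(pr + up + ad):
        rr_start = pos
        _, pos = _read_name(signed, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[pos:pos + 10])
        rd_start, pos = pos + 10, pos + 10 + rdlen
    if ad == 0 or rtype != TYPE_TSIG or pos != len(signed):
        return False
    key_name, _ = _read_name(signed, rr_start)
    algorithm, p = _read_name(signed, rd_start)
    time_signed = int.from_bytes(signed[p:p + 6], "big")
    fudge, mac_size = struct.unpack("!HH", signed[p + 6:p + 10])
    mac = signed[p + 10:p + 10 + mac_size]
    p += 10 + mac_size
    orig_id, error, other_len = struct.unpack("!HHH", signed[p:p + 6])
    other = signed[p + 6:p + 6 + other_len]
    if orig_id != msg_id or algorithm not in ALGORITHMS:
        return False
    unsigned = signed[:10] + struct.pack("!H", ad - 1) + signed[12:rr_start]
    expected = hmac.new(secret, unsigned + tsig_variables(key_name, algorithm, time_signed, fudge, error, other),
                        ALGORITHMS[algorithm]).digest()
    if not hmac.compare_digest(mac, expected):
        return False
    now = int(time.time()) if now is None else now
    return abs(now - time_signed) <= fudge


if __name__ == "__main__":
    # Constructed values; a real key value is a random base64 blob shared with the DNS server.
    secret = b"constructed-example-secret-not-for-production"
    msg = build_update(0x1234, "example.com.", "www.example.com.", ["192.0.2.10", "192.0.2.11"])
    signed = sign_update(msg, "failover-key.", secret)
    print(len(signed), "bytes, signature valid:", verify_tsig(signed, secret))
```

Two practical points follow from the code. The verifier rejects a signature whose time stamp is more than `fudge` seconds (300 here, the common default) from its own clock, so the Simple Failover host and the DNS server need synchronized clocks. And on the server side the key should be scoped to the job: on BIND, `update-policy { grant failover-key. name www.example.com. A; };` lets the key touch only A-records of that one name, whereas a blanket `allow-update { key failover-key.; };` lets anyone who obtains the secret rewrite the whole zone.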

While communicating with the DNS server, Simple Failover may encounter communication errors (winsock errors), time outs, or unexpected responses from the DNS server (for example a refused update, or a response whose TSIG signature does not verify). Such problems will be logged, listed in the problems list, and will trigger e-mail and script notifications.

For details on TSIG Signed Dynamic DNS updates, please see RFC2136 (DNS UPDATE) and RFC2845 (TSIG). RFC4635 adds the HMAC-SHA algorithms, and RFC8945 has since replaced RFC2845 as the current TSIG specification.
These and other RFCs can be obtained from http://www.rfc-editor.org/rfcsearch.html.