DNSSEC and Zone transfer
08-30-2017 12:44 AM
Hello Community,
We are planning to go with DNSSEC. We have already signed and enabled DNSSEC for one zone for which Infoblox is the primary and secondary nameserver. But we have another zone with 3 nameservers (two are Infoblox and one is external):
- Zone XY
- Nameserver A (Infoblox)
- Nameserver B (Infoblox)
- Nameserver C (Zone transfer to another Provider)
When I sign the Zone XY, I think everything will work great as far as Nameserver A and Nameserver B are answering. But what must I do for the "external" Nameserver C? The zone is transferred via zone transfer, but what happens with the ZSK/KSK?
Is there a best practice?
Cheers,
Patrick
Re: DNSSEC and Zone transfer
08-30-2017 05:35 AM
As far as I understand, the slaves/secondaries do not need to know anything about the ZSK/KSK. The zone is signed by the master/primary, slaves have to follow only.
Re: DNSSEC and Zone transfer
08-30-2017 07:42 AM
With Infoblox, only the Grid Master (GM) has anything to do with signing operations. The GM will always act as the hidden primary for signed zones. With your external name server, you will want to make sure it is in the list as an external secondary and that it can get the zone from whatever you list as your non-hidden NS's.
At that point, the DNSSEC data (DNSKEYs, RRSIGs, DS records, NSEC3 RRsets, etc.) is all just zone data like any other RRset, so nothing special has to be done. You just have to make sure that the zone on your external NS is refreshed prior to the RRSIG records expiring and that it updates the zone as expected on a regular basis via the zone transfer.
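Following the point above that the secondary only has to refresh before the RRSIGs expire, here is an added example (not from this thread or from Infoblox) that parses constructed SOA and RRSIG lines in master-file format and reports which signatures would lapse before the secondary's next scheduled refresh, and whether the SOA expire timer outlasts the shortest signature life. The zone name, timers and timestamps are made up for the illustration.

```python
"""Compare a signed zone's RRSIG lifetimes with its SOA timers, as an
AXFR-fed secondary (e.g. an external provider) would experience them."""
from datetime import datetime, timezone

# Constructed sample zone (not a real zone). SOA fields after the class/type:
# mname rname serial refresh retry expire minimum. RRSIG fields: type-covered
# alg labels orig-ttl expiration inception keytag signer signature.
SAMPLE_ZONE = """
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2017083001 3600 900 1209600 300
example.test. 3600 IN RRSIG SOA 8 2 3600 20170913120000 20170830120000 12345 example.test. AAAA=
example.test. 3600 IN RRSIG DNSKEY 8 2 3600 20170930120000 20170830120000 54321 example.test. BBBB=
www.example.test. 300 IN RRSIG A 8 3 300 20170905000000 20170830120000 12345 example.test. CCCC=
"""
# Constructed "current time": 30 minutes before the A RRSIG above expires.
SAMPLE_NOW = datetime(2017, 9, 4, 23, 30, tzinfo=timezone.utc)

def parse_rrsig_time(s):
    # RRSIG expiration/inception presentation format is YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_zone(text):
    soa, rrsigs = None, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 4:
            continue
        if f[3] == "SOA":
            soa = {"serial": int(f[6]), "refresh": int(f[7]),
                   "retry": int(f[8]), "expire": int(f[9])}
        elif f[3] == "RRSIG":
            rrsigs.append({"owner": f[0], "type": f[4],
                           "expiration": parse_rrsig_time(f[8])})
    return soa, rrsigs

def check_secondary_slack(text, now):
    """Flag RRSIGs that expire before the next scheduled refresh, and warn if
    SOA expire outlasts the shortest signature life: a secondary that lost its
    primary keeps answering for `expire` seconds and would hand out expired
    signatures (validating resolvers SERVFAIL) before it stops serving the zone."""
    soa, rrsigs = parse_zone(text)
    report = []
    for r in rrsigs:
        remaining = int((r["expiration"] - now).total_seconds())
        report.append({"owner": r["owner"], "type": r["type"],
                       "remaining": remaining,
                       "at_risk": remaining < soa["refresh"]})
    shortest = min(x["remaining"] for x in report)
    return {"serial": soa["serial"], "rrsigs": report,
            "expire_exceeds_signature_life": soa["expire"] > shortest}

def run_sample():
    return check_secondary_slack(SAMPLE_ZONE, SAMPLE_NOW)
```

Run against a real AXFR dump, the same check tells you whether the provider's refresh interval and your re-signing schedule leave enough margin.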
Re: DNSSEC and Zone transfer
08-31-2017 07:41 AM
Completely agree with DRudder on this!!
In short, the question is who is primary for the zone; if the external one is not the primary, then there is no change in the procedure to sign the zone.
Regards,
Syam.
Re: DNSSEC and Zone transfer
09-05-2018 07:10 AM
What if, for any given zone:
Before DNSSEC
- nameserver A (Grid Master) located internal (not hosting the zone)
- nameserver B primary (grid member) located external
- nameserver C external secondary at the provider
After DNSSEC
- nameserver A hidden primary (Grid Master) located internal (hidden)
- nameserver B secondary (grid member) located external
- nameserver C external secondary at the provider
And I don't want to open up the internal Grid Master for traffic from the outside. In other words, how do I make the zone transfer to C from B? Is that possible?