Infoblox Exchange Cybersecurity Roadshow 2020 – Join us!
North America | Europe | Middle East/Africa | Asia-Pacific

Register Now

DNS DHCP IPAM

Reply

DNSSEC and Zone transfer
mr_white
mr_white
Techie
Posts: 5

‎08-30-2017 12:44 AM

3338     0

Hello Community,

 

We are planning to go with DNSSEC. We have already signed and enabled DNSSEC for one Zone for which Infoblox is Primary and Secondary Nameserver. But we have another Zone with 3 Nameservers (two are Infoblox and one external:

 

- Zone XY

- Nameserver A (Infoblox)

- Nameserver B (Infoblox)

- Nameserver C (Zone transfer to another Provider)

 

When I sign the Zone XY, I think everything will work great as far as Nameserver A und Nameserver B is answering. But what I must do for the "external" Nameserver C? The Zone is transferred via Zone Transfer but what happens with the ZKS/KSK?

 

Is there a best practice?

 

Cheers,

Patrick

Labels:
Reply
0 Kudos

Re: DNSSEC and Zone transfer
harrys
Adviser
Posts: 77

‎08-30-2017 05:35 AM

3339     0

As far as I understand, the slaves/secondaries do not need to know anything about the ZSK/KSK. The zone is signed by the master/primary, slaves have to follow only.

Reply
0 Kudos

Re: DNSSEC and Zone transfer
DRudder
Authority
Posts: 44

‎08-30-2017 07:42 AM

3339     0

With Infoblox, only the Grid Master (GM) has anything to do with signing operations.  The GM will always act as the hidden primary for signed zones.  With your external name server, you will want to make sure it is in the list as an external secondary and that it can get the zone from whatever you list as your non-hidden NS's.  

 

At that point, the dnssec data (DNSKEYs, RRSig's, DS's, NSEC3 RRSets etc) is all just zone data like any other RRSet so nothing special has to be done.  You just have to make sure that the zone on your external NS is refreshed prior to the RRSig records expiring and that it updates the zone as expected on a regular basis via the zone transfer.

Reply

Re: DNSSEC and Zone transfer
syam
Moderator syam
Moderator
Posts: 66

‎08-31-2017 07:41 AM

3339     0

Completely agree with DRudder on this!!

 

In short, the question is who is primary for the zone, if the external one is not the primary then there is no change in procedure to sign the zone.

 

Regards,

Syam.

Reply
0 Kudos

Re: DNSSEC and Zone transfer
Dion-ben
Dion-ben
Techie
Posts: 1

‎09-05-2018 07:10 AM

3339     0

What if:

for any given zone.

Before DNSEC

 - nameserver A (Gridmaster) Located internal (not hosting the zone)

 - nameserver B Primairy (gridmember) Located external 

 - nameserver C External Secondary at the provider

 

After DNSSEC

 - nameserver A Hidden Primairy (Gridmaster) Located internal (hidden)

 - nameserver B Secondairy (gridmember) Located external 

 - nameserver C External Secondary at the provider

 

And I don't want to open up de interal gridmaster for traffic from the outside. In other words how do I make the zone transfer to C from B. Is that possible?

 

Reply
0 Kudos
Turn on suggestions Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Do you mean 

Recommended for You

Latest Annoucements

Demo: Infoblox IPAM plug-in integration with OpenStack Newton

playicon

Infolbox Experts Community

You have reached the maximum number of topics allowed as a visitor. Please Login or Join the community to continue to read.

Join for free

TOPICS REMAINING

Register for unlimited browsing. Registration is FREE.

Join Community