Hello Community,


We are planning to go with DNSSEC. We have already signed and enabled DNSSEC for one Zone for which Infoblox is Primary and Secondary Nameserver. But we have another Zone with 3 Nameservers (two are Infoblox and one external):


- Zone XY

- Nameserver A (Infoblox)

- Nameserver B (Infoblox)

- Nameserver C (Zone transfer to another Provider)


When I sign the Zone XY, I think everything will work great as far as Nameserver A and Nameserver B are answering. But what must I do for the "external" Nameserver C? The Zone is transferred via Zone Transfer, but what happens with the ZSK/KSK?


Is there a best practice?




As far as I understand, the slaves/secondaries do not need to know anything about the ZSK/KSK. The zone is signed by the master/primary, slaves have to follow only.

With Infoblox, only the Grid Master (GM) has anything to do with signing operations.  The GM will always act as the hidden primary for signed zones.  With your external name server, you will want to make sure it is in the list as an external secondary and that it can get the zone from whatever you list as your non-hidden NS's.  


At that point, the dnssec data (DNSKEYs, RRSig's, DS's, NSEC3 RRSets etc) is all just zone data like any other RRSet so nothing special has to be done.  You just have to make sure that the zone on your external NS is refreshed prior to the RRSig records expiring and that it updates the zone as expected on a regular basis via the zone transfer.
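
As an added illustration of the last point (this is not code from the thread or from Infoblox), a small Python check that takes the SOA timers and one RRSIG as a secondary receives them via zone transfer (both constructed samples) and reports whether the refresh interval and the SOA expire value leave enough margin before the signatures lapse:

```python
from datetime import datetime, timezone

# Constructed sample records (not from the thread): an RRSIG over the apex SOA
# and the SOA itself, as delivered to the external secondary. Signature is dummy.
SAMPLE_RRSIG = ("example.test. 3600 IN RRSIG SOA 13 2 3600 "
                "20240620120000 20240606120000 12345 example.test. AAAA")
SAMPLE_SOA = ("example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. "
              "2024060601 7200 900 604800 3600")


def _sig_time(value):
    # RFC 4034 allows either YYYYMMDDHHmmSS (UTC) or seconds since the epoch.
    if len(value) == 14 and value.isdigit():
        return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(value), tz=timezone.utc)


def parse_rrsig_times(rrsig_text):
    """Return (expiration, inception) of an RRSIG in presentation format as UTC datetimes."""
    fields = rrsig_text.split()
    # owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig
    return _sig_time(fields[8]), _sig_time(fields[9])


def parse_soa_timers(soa_text):
    """Return the SOA refresh, retry and expire values (seconds)."""
    fields = soa_text.split()
    # owner ttl class SOA mname rname serial refresh retry expire minimum
    refresh, retry, expire = (int(x) for x in fields[7:10])
    return {"refresh": refresh, "retry": retry, "expire": expire}


def check_secondary_timing(rrsig_text, soa_text, now, retries=3):
    """Flag SOA timers that would let a secondary keep serving expired signatures."""
    expiration, inception = parse_rrsig_times(rrsig_text)
    soa = parse_soa_timers(soa_text)
    validity = (expiration - inception).total_seconds()
    remaining = (expiration - now).total_seconds()
    # Worst case until the next successful refresh: one refresh interval plus a
    # few failed retries (the primary unreachable for a while).
    refresh_worst_case = soa["refresh"] + retries * soa["retry"]
    return {
        "remaining_seconds": remaining,
        "already_expired": remaining <= 0,
        # the next refresh must land well before the signatures lapse
        "refresh_ok": remaining > 2 * refresh_worst_case,
        # if the primary stays unreachable, the secondary should drop the zone
        # (SOA expire) before the signatures it holds stop validating
        "expire_ok": soa["expire"] < validity,
    }
```

Run it against the real records with something like `dig @<secondary> <zone> SOA +dnssec` and pass the current time as `now`.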

Completely agree with DRudder on this!!


In short, the question is who is primary for the zone: if the external one is not the primary, then there is no change in the procedure to sign the zone.




What if:

for any given zone.

Before DNSSEC

 - nameserver A (Gridmaster) Located internal (not hosting the zone)

 - nameserver B Primary (gridmember) Located external 

 - nameserver C External Secondary at the provider



 - nameserver A Hidden Primary (Gridmaster) Located internal (hidden)

 - nameserver B Secondary (gridmember) Located external 

 - nameserver C External Secondary at the provider


And I don't want to open up the internal gridmaster for traffic from the outside. In other words, how do I make the zone transfer to C from B? Is that possible?


