06-20-2019 06:42 AM
2 weeks ago
I don't know the answer but I would hazard a guess that it's a design decision taken by Infoblox because the grid master is generally the largest box in the grid and therefore has more horsepower to generate all the keys. Remember there's quite a lot of crypto work going on, so if that was shunted off to a TE-810/815 at the edge of the grid, it may not have the necessary CPU cycles to generate all the RRSIGs, NSEC records etc.
Having said that, it would be nice if there was a way to "nominate" another member to be the DNSSEC master, provided it met certain CPU/memory requirements (which could be calculated automatically by NIOS) - I don't know if the latest versions of NIOS have this capability or whether Infoblox plan to do it, but it would certainly provide a bit more flexibility for large environments that might want to have several DNSSEC masters deployed for different countries/regions etc. However, this introduces a lot more complexity, so I guess having that role performed by the grid master just keeps things simple from an architectural perspective.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE