
Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?

Guru
Posts: 185

Hi,

Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?

Kindly

Wasfi

Re: Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?

Expert
Posts: 217

I don't know the answer but I would hazard a guess that it's a design decision taken by Infoblox because the grid master is generally the largest box in the grid and therefore has more horsepower to generate all the keys. Remember there's quite a lot of crypto work going on, so if that was shunted off to a TE-810/815 at the edge of the grid, it may not have the necessary CPU cycles to generate all the RRSIGs, NSEC records etc.

Having said that, it would be nice if there was a way to "nominate" another member to be the DNSSEC master, provided it met certain CPU/memory requirements (which could be calculated automatically by NIOS) - I don't know if the latest versions of NIOS have this capability or whether Infoblox plan to do it, but it would certainly provide a bit more flexibility for large environments that might want to have several DNSSEC masters deployed for different countries/regions etc. However this introduces a lot more complexity, so I guess having that role performed by the grid master just keeps things simple from an architectural perspective.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?

Guru
Posts: 185

Thank you Paul
