Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?
06-20-2019 06:42 AM
Hi;
Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?
Kindly
Wasfi
Re: Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?
07-10-2019 06:44 AM
I don't know the answer but I would hazard a guess that it's a design decision taken by Infoblox because the grid master is generally the largest box in the grid and therefore has more horsepower to generate all the keys. Remember there's quite a lot of crypto work going on, so if that was shunted off to a TE-810/815 at the edge of the grid, it may not have the necessary CPU cycles to generate all the RRSIGs, NSEC records etc.
Having said that, it would be nice if there was a way to "nominate" another member to be the DNSSEC master, provided it met certain CPU/memory requirements (which could be calculated automatically by NIOS) - I don't know if the latest versions of NIOS have this capability or whether Infoblox plan to do it, but it would certainly provide a bit more flexibility for large environments that might want to have several DNSSEC masters deployed for different countries/regions etc. However this introduces a lot more complexity, so I guess having that role performed by the grid master just keeps things simple from an architectural perspective.
PCN (UK) Ltd
All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE
Re: Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?
07-11-2019 07:45 AM
Thank you Paul