Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?

Guru
Posts: 58

Hi,

Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?

Kindly

Wasfi

Re: Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?

Expert
Posts: 188

I don't know the answer but I would hazard a guess that it's a design decision taken by Infoblox because the grid master is generally the largest box in the grid and therefore has more horsepower to generate all the keys. Remember there's quite a lot of crypto work going on, so if that was shunted off to a TE-810/815 at the edge of the grid, it may not have the necessary CPU cycles to generate all the RRSIGs, NSEC records, etc.

Having said that, it would be nice if there was a way to "nominate" another member to be the DNSSEC master, provided it met certain CPU/memory requirements (which could be calculated automatically by NIOS) - I don't know if the latest versions of NIOS have this capability or whether Infoblox plan to do it, but it would certainly provide a bit more flexibility for large environments that might want to have several DNSSEC masters deployed for different countries/regions, etc. However, this introduces a lot more complexity, so I guess having that role performed by the grid master just keeps things simple from an architectural perspective.

Paul Roberts
PCN (UK) Ltd

All opinions expressed are my own and not representative of PCN Inc./PCN (UK) Ltd. E&OE

Re: Why is it that the Grid Master must be the primary Name Server for any DNSSEC signed zone?

Guru
Posts: 58

Thank you Paul
