...
This feature is designed to increase availability of the DNS service by allowing multiple primaries for a zone. It will not increase overall throughput of DNS update traffic, as ultimately all updates must be replicated to (and processed by) all of the primaries.
When determining which appliances should act as primaries for the zone, consider that an additional SOA record will be required in the database for each primary. This will add to the overall record count for the zone, and each SOA will need to be updated for any change to the zone, which can impact performance.
Enable NTP for all members (at the member level) and ensure that their times are properly synchronized with their local time servers. Ensure that you select the "Exclude the Grid Master as an NTP server" option. The appliance selects the latest zone updates based on the timestamps the updates were made by clients to the primary servers. This is especially important when there are conflicts between two or more zone updates. For information about NTP, see Using NTP for Time Settings.
When specifying the primary server for secondaries, you can choose to have the appliance automatically select it for you based on latency determination or you can manually specify it. When manually selecting a primary for zone updates, consider using one that is close in proximity to the secondary servers, which can result in better service performance. For information about setting preference for the primary server, see Adding Grid Secondaries below.
You can configure a default primary for DDNS updates to a zone with multiple primary servers. To enhance service performance, select a default primary that is close in proximity to the DHCP server that provides DDNS updates. This is especially useful if you have DHCP members that are located in different locations. You can configure a different default primary for each DHCP member based on their locations. For more information, see Defining the Default Primary for DDNS Updates to Zones with Multiple Primaries.
DNSSEC is not supported for zones with multiple primary servers. These zones must be unsigned. For information about DNSSEC, see Configuring DNSSEC.
...
When you create a zone, the primary server can be a Grid member, an external DNS server that you specify, or a Microsoft DNS server that is managed by a Grid member. For information about managing Microsoft Windows DNS servers, see About Managing Microsoft Windows Servers.
Although a zone typically has only one primary server, you can specify multiple primary servers for an authoritative zone. You can configure multiple Grid primaries or multiple external primaries (including Microsoft AD-integrated servers) for a zone, but you cannot configure both at the same time for the same zone. In addition, you can configure one Microsoft server, but not multiple Microsoft servers (except for Microsoft AD-integrated servers), as the primary server for a zone. Note that each primary server that you configure for a zone has its own MNAME for the SOA record and serial number. For information about how to view and modify certain values in the SOA record, see Viewing and Modifying SOA Records.
A hidden primary provides data to its secondary servers, which in turn respond to DNS queries using this data. One of several advantages of this approach is that you can take the primary server offline for administrative or maintenance reasons without causing a disruption to DNS service (within the expiration interval set for the validity of its zone data—the default is 30 days).
When you add an authoritative forward-mapping zone and assign responsibility for the zone to a primary name server whose host name belongs to the name space of the zone, the NIOS appliance automatically generates an NS (name server) record and an A (address) record for the name server. This type of A record is called a glue record because it "glues" the NS record to the IP address (in the A record) of the name server.
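The glue rule described above, and the Stealth option described later on this page (a hidden server gets no NS record), expressed as a small record generator. This is an added illustration, not NIOS code: the function names, the tuple layout and the sample names and addresses are constructed for the example. It decides whether the name server's host name falls inside the zone and, only then, emits the A (or AAAA) glue record alongside the NS record.

```python
import ipaddress


def in_zone(name: str, zone: str) -> bool:
    """True when name is the zone apex or lies below it.

    The comparison is label-boundary aware, so ns1.notexample.com is
    correctly treated as outside example.com.
    """
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def delegation_records(zone: str, ns_name: str, ns_ip: str,
                       stealth: bool = False, ttl: int = 3600):
    """Return the (owner, ttl, class, type, rdata) tuples the zone needs
    to advertise one name server.

    - The NS record is always produced unless the server is marked stealth
      (hidden), in which case nothing is advertised.
    - The address record is produced only when the name server's host name
      belongs to the zone's own name space: that address is the glue record.
      A server named outside the zone needs no glue, because resolvers can
      look its address up in the zone it actually belongs to.
    """
    zone_fqdn = zone.rstrip(".") + "."
    ns_fqdn = ns_name.rstrip(".") + "."
    if stealth:
        return []  # hidden server: no NS record, so nothing to glue
    records = [(zone_fqdn, ttl, "IN", "NS", ns_fqdn)]
    if in_zone(ns_fqdn, zone_fqdn):
        ip = ipaddress.ip_address(ns_ip)  # raises ValueError on a bad address
        rtype = "A" if ip.version == 4 else "AAAA"
        records.append((ns_fqdn, ttl, "IN", rtype, str(ip)))
    return records


def as_zone_lines(records):
    """Render the tuples in presentation (zone-file) format."""
    return ["%s %d %s %s %s" % r for r in records]


if __name__ == "__main__":
    # Constructed sample: an in-zone primary, an out-of-zone secondary and a hidden server.
    for args in (("example.com", "ns1.example.com", "192.0.2.53"),
                 ("example.com", "ns.provider.net", "198.51.100.7"),
                 ("example.com", "hidden.example.com", "192.0.2.54", True)):
        print("\n".join(as_zone_lines(delegation_records(*args))) or "(no records: stealth)")
```

The check worth keeping from this is the label-boundary comparison in in_zone: a plain string suffix test would wrongly treat a server named ns1.notexample.com as in-zone and emit a glue record that the zone has no authority to vouch for.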
In Grid Manager, you can specify the primary server for a zone when you create it using the Add Authoritative Zone wizard or when you edit an existing zone using the Authoritative Zone editor. For information on how to add a new zone through the wizard, see Configuring Authoritative Zones. The following procedure describes how to access the editor of a zone. To specify a primary server for an existing zone:
From the Data Management tab, select the DNS tab -> Zones tab -> zone checkbox, and then click the Edit icon.
In the Authoritative Zone editor, click Name Servers.
Select Use this set of name servers.
Click the Add icon and select one of the following options for a primary server:
Grid Primary: Choose this option to select a Grid member as the primary server for the zone. See Specifying Grid Primary Servers below.
Microsoft Primary: Choose this option to select a Microsoft DNS server as the primary server for the zone. See Specifying Microsoft Primary Servers below.
External Primary: Choose this option if the appliance is in a Grid and you want to specify a primary server outside the Grid ("external" to the Grid). See Specifying External Primary Servers below.
Save the configuration and click Restart if it appears at the top of the screen.
or
Click the Schedule icon at the top of the wizard to schedule this task. In the Schedule Change panel, enter a date, time, and time zone. For information, see Scheduling Tasks.
...
If the primary name server of a zone is a Grid member, the NIOS appliance allows you to change the SOA (start of authority) name that is automatically created when you initially configure the zone. For example, you might want to hide the primary server for a zone. If your appliance is named dns1.zone.tld, for security reasons you may want to present a secondary server called dns2.zone.tld as the primary server. To do so, you would go to the dns1.zone.tld zone (dns1.zone.tld being the true primary) and change the SOA name to dns2.zone.tld, which hides the identity of the real primary server.
To change the SOA name for a zone:
From the Data Management tab, select the DNS tab -> Zones tab -> dns_view -> zone checkbox -> Edit icon.
In the Authoritative Zone editor, click Settings.
Click Override beside the Primary name server field and enter the new SOA name. This field supports IDN.
Save the configuration and click Restart if it appears at the top of the screen.
or
Click the Schedule icon at the top of the wizard to schedule this task. In the Schedule Change panel, enter a date, time, and time zone. For information, see Scheduling Tasks.
Specifying Microsoft Primary Servers
You can assign a Microsoft server as the primary server of a zone when it is managed by a Grid member in read/write mode. For information, see About Managing Microsoft Windows Servers. When a Microsoft server is the primary server of a zone, the zone supports only standard DNS resource records. It does not support the Infoblox record types host records, bulk host records, and shared record groups. You cannot add any of these records to the zone nor assign a DNS zone with these records to a Microsoft server as the primary server.
In the Add Grid Primary panel, complete the following to assign a Microsoft primary server:
Select Use this set of name servers.
Click the Add icon and select Microsoft Primary.
In the Add Microsoft Primary panel, do the following, and then click Add to add the Microsoft primary server to the list of name servers for the zone:
If no server is displayed, click Select Server to specify a Microsoft server. When there are multiple servers, Grid Manager displays the Server Selector dialog box from which you can select a Microsoft server. Grid Manager lists Microsoft servers that are managed in read/write mode. It does not include Microsoft servers managed in read-only mode.
Information to create NS record: Grid Manager automatically creates the NS record. After you select a server, Grid Manager populates the Name and IP Address fields. Grid Manager uses this information when it creates the NS record, unless you select Stealth. You can specify a different FQDN or IP address for the NS record; for example, for a multihomed server.
Store the zone in Active Directory (AD Integrated Zone): This is enabled and selected by default only if the Microsoft server is a domain controller. Note that you can enable Active Directory integration only after the Microsoft server has been synchronized at least once because its AD ability is not known before the synchronization. This is disabled when the Microsoft server is not a domain controller.
Stealth: Select this option to hide the NS record for the primary name server from DNS queries. Grid Manager does not create an NS record for the primary name server in the zone data. Clear this option to display the NS record for the primary name server in responses to queries. Note that this option is not available for AD-integrated zones.
Specifying External Primary Servers
...
A secondary name server is as authoritative for a zone as a primary server. Like a primary server, a secondary server answers queries from resolvers and other name servers. The main difference between a secondary and primary server is that a secondary server receives all its data from a primary server, or possibly from another secondary server that relays zone data it receives. The zone data passes from a primary to a secondary server (and possibly from that secondary server on to another secondary server). This process is called a zone transfer.
The advantage of using primary and secondary name servers is that you enter and maintain zone data in one place, on the primary server. The data is then distributed to the one or more secondary servers.
Secondary servers can be Grid members, external DNS servers or Microsoft DNS servers that are managed by Grid members. In Grid Manager, you can specify the secondary server for a zone when you create it using the Add Authoritative Zone wizard and when you edit an existing zone using the Authoritative Zone editor. For information on how to add a new zone through the wizard, see Configuring Authoritative Zones. The following procedure describes how to access the editor of a zone.
To specify a secondary server for an existing zone:
From the Data Management tab, select the DNS tab -> Zones tab -> zone checkbox, and then click the Edit icon.
In the Authoritative Zone editor, click Name Servers.
Select Use this set of name servers.
Click the Add icon and select one of the following options:
Grid Secondary: Choose this option to select the local appliance as the secondary server, or, if the appliance is deployed in a Grid, to make a different Grid member the secondary server. See Adding Grid Secondaries below.
Microsoft Secondary: Select this option if you want to specify a managed Microsoft DNS server as a secondary server. See Specifying Microsoft Secondary Servers below.
External Secondary: Select this option if the appliance is in a Grid and you want to specify a secondary server outside the Grid ("external" to the Grid), or if the appliance is deployed independently from a Grid. See Specifying External Secondaries below.
Save the configuration and click Restart if it appears at the top of the screen.
or
Click the Schedule icon at the top of the wizard to schedule this task. In the Schedule Change panel, enter a date, time, and time zone. For information, see Scheduling Tasks.
Adding Grid Secondaries
When adding Grid secondaries to a zone that has multiple primary servers, the appliance selects a primary server as the active server based on the method that you have selected. If you select Automatic, the primary is selected based on latency determination, which occurs separately on each primary. When available, the primary server that has the lowest latency is preferred. When you select Manual, latency determination is ignored, and the first available primary server in the list is selected as the active server. Thus, if the first primary on the list is not available, the next available primary is used. Depending on which primary server is selected, the Grid secondary returns the FQDN of the primary in the MNAME field of the zone SOA record. It also includes the version of the zone content that it serves.
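The two selection methods described above, written out as an added example so the failover behaviour is explicit. This is not NIOS code and does not show how the appliance actually measures latency; the Primary class, the field names and the sample primaries are constructed for the illustration. It assumes (as the paragraph implies) that Automatic falls back to list order when no latency measurement is available for any reachable primary.

```python
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass
class Primary:
    fqdn: str
    available: bool
    serial: int                        # serial of the zone content this primary serves
    latency_ms: Optional[float] = None  # None: no latency measurement yet


def select_active_primary(primaries: Sequence[Primary], mode: str) -> Optional[Primary]:
    """Pick the active primary for a Grid secondary.

    manual:    latency is ignored; the first *available* primary in list order wins,
               so an unreachable first entry is skipped rather than stalling transfers.
    automatic: among available primaries, the one with the lowest measured latency wins;
               with no measurements at all, fall back to list order (assumption).
    """
    reachable = [p for p in primaries if p.available]
    if not reachable:
        return None  # no primary reachable: nothing to transfer from
    if mode == "manual":
        return reachable[0]
    if mode == "automatic":
        measured = [p for p in reachable if p.latency_ms is not None]
        if measured:
            return min(measured, key=lambda p: p.latency_ms)
        return reachable[0]
    raise ValueError("mode must be 'automatic' or 'manual'")


def secondary_soa_view(primaries: Sequence[Primary], mode: str):
    """What the Grid secondary exposes for the zone: the active primary's FQDN in
    MNAME and the serial of the content it currently serves."""
    active = select_active_primary(primaries, mode)
    if active is None:
        return None
    return {"mname": active.fqdn, "serial": active.serial}


# Constructed sample: three primaries, the third unreachable despite its low latency.
SAMPLE_PRIMARIES = [
    Primary("ns1.example.com.", True, 2024010101, latency_ms=45.0),
    Primary("ns2.example.com.", True, 2024010101, latency_ms=12.0),
    Primary("ns3.example.com.", False, 2024010100, latency_ms=3.0),
]

if __name__ == "__main__":
    for mode in ("manual", "automatic"):
        print(mode, secondary_soa_view(SAMPLE_PRIMARIES, mode))
```

Note that an unavailable primary is never chosen even when its latency is the best on record, which is why the example keeps availability and latency as separate fields rather than folding an outage into a large latency value.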
In the Add Grid Secondary panel, enter the following, and then click Add to add the Grid secondary server to the list of name servers for the zone:
...
Name: Enter a resolvable domain name for the external secondary server.
Address: Enter the IP address of the external secondary server.
Stealth: This setting applies only if the primary server is a Grid member or a Microsoft server. Click this checkbox to hide the NS record for the secondary name server from DNS queries. The NIOS appliance does not create an NS record for the secondary name server in the zone data. Select the checkbox again to display the NS record for the secondary name server in response to queries.
Note that to avoid an impact on your database performance, Infoblox recommends that you do not configure a large number of external secondary servers in stealth mode. To ensure that these secondary servers receive notifications about zone updates, you can allow zone transfers for these IP addresses and then enable the appliance to add them to the also-notify statement. For information about how to configure this feature, see Configuring Zone Transfers.
Use TSIG: To authenticate zone transfers between the local appliance and the external secondary server using a TSIG (transaction signature), select this checkbox. Infoblox TSIGs use HMAC-MD5 hashes. These are keyed one-way hashes for message authentication codes using the Message Digest 5 algorithm. For details, see RFC 1321, The MD5 Message-Digest Algorithm, and RFC 2104, HMAC: Keyed-Hashing for Message Authentication.
Key name: Type or paste the name of the TSIG key you want to use. This must be the same name as that of the TSIG key for this zone on the external secondary server.
Key: Type or paste a previously generated key. On the external secondary server, this key must also be present and associated with this zone. You can generate a TSIG key, or you can obtain the TSIG key name and key from the external name server, either by accessing the appliance yourself or by requesting the appliance administrator to deliver them to you through some out-of-band mechanism. Then, type or copy-and-paste the name and key into the appropriate fields.
Use 2.x TSIG: Select this checkbox to use TSIG authentication when the external secondary name server is a NIOS appliance running DNS One 2.x code. The local appliance generates the required TSIG key for authenticating DNS messages to and from appliances running DNS One 2.x code.
...