...

When you sign a zone whose primary server is a Grid member, that member becomes a secondary server and the Grid Master becomes the hidden primary server. If the zone is assigned to an NS group, the Grid Master removes the association with the NS group. The previous primary server becomes a secondary server for the zone.
If a Master Candidate is promoted to Grid Master and the previous Grid Master was the primary server for signed zones, the new Grid Master becomes the hidden primary server for all signed zones. The previous Grid Master, which was the primary server for the zone, becomes a secondary server for the zone.
As the primary server, the Grid Master sends zone data to the secondary servers through zone transfers; if the secondary servers are Grid members, it instead distributes the data to them through the Grid database replication process by default. The Grid Master transfers all records in the zone, including the NSEC/NSEC3, RRSIG, DNSKEY and DS records whose owner names belong to that zone. RRSIG RRs are included in zone transfers of the zone in which they are authoritative data. The Grid Master also performs incremental zone transfers to secondary servers as a result of incremental zone signings.
In addition, the Grid Master automatically performs an incremental signing of the zone data sets when their contents change. Incremental signing refers to signing just those parts of a zone that change when RRs are added, modified, or deleted. The Grid Master uses the private key of the ZSK when it incrementally signs a zone. In addition, the Grid Master adds, modifies or deletes the corresponding RRSIG records and the appropriate NSEC/NSEC3 records.
For example, Figure 22.2 shows a Grid Master as the primary server of a signed zone and its Grid members as secondary servers. The Grid Master, ns1.corpxyz.com, is the hidden primary DNS server for the corpxyz.com zone. As the hidden primary name server for corpxyz.com, the Grid Master does not respond to queries from other name servers. Instead, it provides data to its secondary servers, ns2.corpxyz.com and ns3.corpxyz.com, which use this data to respond to DNS queries. Because the secondary servers are Grid members, they receive zone data from the Grid Master through the Grid database replication process.
The name server ns1.corp200.com is a recursive name server that is configured with the DNSKEY of the corpxyz.com zone as a trust anchor. It can therefore validate the data it receives in response to queries for the corpxyz.com zone.
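As an added illustration (not Infoblox code and not taken from this page), the following Python models the behaviour described above for the corpxyz.com example: a full signing of a small constructed copy of the zone, incremental re-signing that touches only the RRSIG and NSEC records affected by an add or delete (the record set an incremental zone transfer would then carry), and a resolver-side check of an RRset against a configured trust anchor. The ZSK is a constructed HMAC secret standing in for a real asymmetric key, the chain is modelled as NSEC rather than NSEC3, and the record names, addresses and journal tuples are assumptions made for the example.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed stand-in for the ZSK private key. A real ZSK is an asymmetric key; HMAC is
# used only so the example runs offline while still showing which RRSIG/NSEC records change.
ZSK_PRIVATE = b"constructed-zsk-private-key"

def canonical_key(name):
    # DNSSEC canonical name order (RFC 4034 s6.1): labels compared right to left.
    return tuple(reversed(name.lower().rstrip(".").split(".")))

def make_rrsig(key, owner, rtype, parts):
    # Stand-in RRSIG over an RRset, or over an NSEC's next name plus type bitmap.
    return hmac.new(key, "|".join([owner, rtype, *sorted(parts)]).encode(), hashlib.sha256).hexdigest()

class SignedZone:
    def __init__(self, zsk=ZSK_PRIVATE):
        self.zsk = zsk
        self.rrsets = defaultdict(set)  # (owner, type) -> set of rdata strings
        self.rrsigs = {}                # (owner, type) -> RRSIG
        self.nsec = {}                  # owner -> (next owner, tuple of types)
        self.journal = []               # records the last operation touched (what an IXFR carries)

    def _owners(self):
        return sorted({o for o, _ in self.rrsets}, key=canonical_key)

    def _resign_rrset(self, owner, rtype):
        self.rrsigs[(owner, rtype)] = make_rrsig(self.zsk, owner, rtype, self.rrsets[(owner, rtype)])
        self.journal.append(("RRSIG", owner, rtype))

    def _rebuild_nsec(self, owners):
        # Regenerate NSEC and its RRSIG only for the given owner names.
        chain = self._owners()
        for owner in owners:
            if owner not in chain:  # no RRsets left at this name: its NSEC goes away
                self.nsec.pop(owner, None)
                self.rrsigs.pop((owner, "NSEC"), None)
                self.journal.append(("NSEC-DEL", owner, "NSEC"))
                continue
            nxt = chain[(chain.index(owner) + 1) % len(chain)]  # last name wraps to the apex
            types = tuple(sorted({t for o, t in self.rrsets if o == owner} | {"NSEC", "RRSIG"}))
            self.nsec[owner] = (nxt, types)
            self.rrsigs[(owner, "NSEC")] = make_rrsig(self.zsk, owner, "NSEC", [nxt, *types])
            self.journal.append(("NSEC", owner, "NSEC"))

    def sign_all(self):
        # Full signing: every RRset plus the whole NSEC chain.
        self.journal = []
        for owner, rtype in list(self.rrsets):
            self._resign_rrset(owner, rtype)
        self._rebuild_nsec(self._owners())
        return list(self.journal)

    def add_rr(self, owner, rtype, rdata):
        # Incremental signing on add: the touched RRset, plus only NSECs whose pointer or bitmap changes.
        self.journal = []
        new_type = (owner, rtype) not in self.rrsets
        new_owner = not any(o == owner for o, _ in self.rrsets)
        self.rrsets[(owner, rtype)].add(rdata)
        self._resign_rrset(owner, rtype)
        affected = {owner} if new_type else set()   # new type at this name: bitmap changed
        if new_owner:                                # new name: predecessor's next pointer changed
            chain = self._owners()
            affected.add(chain[chain.index(owner) - 1])
        self._rebuild_nsec(affected)
        return list(self.journal)

    def delete_rr(self, owner, rtype, rdata):
        # Incremental signing on delete: drop RRSIG/NSEC records that no longer apply.
        self.journal, affected = [], set()
        if rdata not in self.rrsets.get((owner, rtype), ()):
            return []
        chain_before = self._owners()
        self.rrsets[(owner, rtype)].discard(rdata)
        if self.rrsets[(owner, rtype)]:              # RRset still present: new RRSIG only
            self._resign_rrset(owner, rtype)
        else:                                        # RRset gone: bitmap (or the whole name) changes
            del self.rrsets[(owner, rtype)]
            self.rrsigs.pop((owner, rtype), None)
            self.journal.append(("RRSIG-DEL", owner, rtype))
            affected.add(owner)
            if not any(o == owner for o, _ in self.rrsets):
                affected.add(chain_before[chain_before.index(owner) - 1])
        self._rebuild_nsec(affected)
        return list(self.journal)

    def verify(self, owner, rtype, trust_anchor):
        # Resolver-side check of an RRset's RRSIG against a configured trust anchor.
        rrset = self.rrsets.get((owner, rtype), set())
        expected = make_rrsig(trust_anchor, owner, rtype, rrset)
        return bool(rrset) and hmac.compare_digest(expected, self.rrsigs.get((owner, rtype), ""))

def build_corpxyz():
    # Constructed sample zone from the figure: ns1 is the hidden primary, ns2/ns3 answer queries.
    z = SignedZone()
    for owner, rtype, rdata in [("corpxyz.com", "SOA", "ns1.corpxyz.com. hostmaster.corpxyz.com. 1 3600 900 604800 300"),
                                ("corpxyz.com", "NS", "ns2.corpxyz.com."), ("corpxyz.com", "NS", "ns3.corpxyz.com."),
                                ("ns2.corpxyz.com", "A", "192.0.2.2"), ("ns3.corpxyz.com", "A", "192.0.2.3"),
                                ("www.corpxyz.com", "A", "192.0.2.10")]:
        z.rrsets[(owner, rtype)].add(rdata)
    z.sign_all()
    return z
```

Calling `build_corpxyz()` and then `add_rr("mail.corpxyz.com", "A", "192.0.2.25")` returns a journal of three records: the new RRSIG for the A RRset, a new NSEC for mail.corpxyz.com, and a regenerated NSEC for the apex, whose next-name pointer moves from ns2.corpxyz.com to mail.corpxyz.com; the NSECs of ns2, ns3 and www are untouched. The `verify` method also shows why re-signing must accompany every change: an rdata added directly to an RRset without a fresh RRSIG fails validation at a resolver holding the trust anchor.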


Figure 22.2 Grid Master as the hidden primary server of a signed zone, with Grid members as secondary servers (diagram)

Following are the tasks to configure the Grid Master to sign zones:

...