You can configure the name servers in a Grid to support DNSSEC. You can configure the Grid Master as the primary server for a signed zone and the Grid members as secondary servers. (For more information, see Configuring Grid Members to Support DNSSEC as Secondary Servers.) Note that only the Grid Master can serve as the primary server for a signed zone.
You can enable the Grid Master to sign zones and manage the DNSSEC keys, or you can configure the Grid Master as a client to a third-party, network-attached Hardware Security Module (HSM) that performs the key generation, zone signing, and key safekeeping. You must use either the Grid Master or HSM for zone signing and key management; you cannot use both. Note that each method may have different performance implications, depending on the hardware platform, number of zones and other factors. For information about using HSMs, see About HSM Signing on page 1028.
Any authoritative forward-mapping or reverse-mapping zone can be signed according to the following criteria:

  • The zone does not contain any bulk host records.
  • DNSSEC is enabled on the Grid Master.
  • The primary server of the zone must be a Grid member. If the zone is assigned to an NS group, the primary server in the group must be a Grid member that has DNSSEC enabled.

Note that you can use DNS views to separate internal and external zone data, to manage your zones more efficiently and reduce the size of the zones that require signing. For information about DNS views, see Using Infoblox DNS Views (Chapter 18, DNS Views).

Grid Master as Primary Server

When you sign a zone whose primary server is a Grid member, that member becomes a secondary server and the Grid Master becomes the hidden primary server. If the zone is assigned to an NS group, the Grid Master removes the association with the NS group. The previous primary server becomes a secondary server for the zone.
If a Master Candidate is promoted to Grid Master and the previous Grid Master was the primary server for signed zones, the new Grid Master becomes the hidden primary server for all signed zones. The previous Grid Master, which was the primary server for the zone, becomes a secondary server for the zone.
As the primary server, the Grid Master sends zone data to the secondary servers through zone transfers; or, if the secondary servers are Grid members, the Grid Master transfers data to all Grid members through the database replication process, by default. The Grid Master transfers all records in that zone, including all NSEC/NSEC3, RRSIG, DNSKEY and DS records with owner names that belong to that zone. The RRSIG RRs are included in zone transfers of the zone in which they are authoritative data. The Grid Master also performs incremental zone transfers to secondary servers as a result of incremental zone signings.
In addition, the Grid Master automatically performs an incremental signing of the zone data sets when their contents change. Incremental signing refers to signing just those parts of a zone that change when RRs are added, modified, or deleted. The Grid Master uses the private key of the ZSK when it incrementally signs a zone. In addition, the Grid Master adds, modifies or deletes the corresponding RRSIG records and the appropriate NSEC/NSEC3 records.
For example, Figure 22.2 shows a Grid Master as the primary server of a signed zone and its Grid members as secondary servers. The Grid Master, ns1.corpxyz.com, is the hidden primary DNS server for the corpxyz.com zone. As the hidden primary name server for corpxyz.com, the Grid Master does not respond to queries from other name servers. Instead, it provides data to its secondary servers, ns2.corpxyz.com and ns3.corpxyz.com, which use this data to respond to DNS queries. Because the secondary servers are Grid members, they receive zone data from the Grid Master through the Grid database replication process.
The name server ns1.corp200.com is a recursive name server. It has configured the DNSKEY of the corpxyz.com zone as a trust anchor. Therefore, it is able to validate the data it receives when it sends a query for the corpxyz.com zone.

NIOS 8.1 NIOS Administrator Guide (Rev. A) 1013
DNSSEC

Figure 22.2 (image not reproduced; the callouts below are recovered from the figure)

Components:

  • ns1.corpxyz.com: Hidden Primary Server, Grid Master. Zone data for corpxyz.com: A server1.corp100.com, A ftp.corp100.com, A sales.corp100.com, RRSIG A 5 2 86400 ..., DNSKEY 256, DNSKEY 257.
  • ns2.corpxyz.com: Secondary Server, Grid Member.
  • ns3.corpxyz.com: Secondary Server, Grid Member.
  • ns1.corp200.com (on the Internet): recursive name server. The DNSKEY of the corpxyz.com zone is configured as a trust anchor.
  • DNS client.

Query flow:

  1. A DNS client sends a query for data in the corpxyz.com zone.
  2. ns1.corp200.com sends a query to ns2.corpxyz.com. It sets the EDNS DO bit in the query to indicate that it is requesting DNSSEC data.
  3. ns2.corpxyz.com responds with the requested data and the appropriate DNSSEC RRs.
  4. ns1.corp200.com uses the DNSKEY RR of corpxyz.com to validate the response. It then sends the response to the DNS client, with the AD bit set, indicating that it validated the response.
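The exchange in steps 2 to 4 of Figure 22.2, as an added example that is not part of the Infoblox guide: it builds the EDNS0 query with the DO bit that a validating resolver such as ns1.corp200.com sends, checks a message for that bit, and decodes the AD bit a client should look for in the reply. It uses only the Python standard library, performs no network I/O, the reply header is a constructed sample, and the function names are my own.

```python
import struct
# DNS header flag bits (RFC 1035; AD added by RFC 4035) and EDNS0 constants (RFC 6891/4035).
QR, RD, RA, AD = 0x8000, 0x0100, 0x0080, 0x0020
OPT_TYPE, EDNS_DO = 41, 0x8000   # OPT pseudo-RR type; DO is bit 15 of the OPT TTL field

def encode_name(name):  # wire-format a domain name, no compression
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"

def build_query(qname, qtype=1, dnssec=True, txid=0x1234, payload=4096):
    """Recursion-desired query; dnssec=True appends an OPT RR with DO=1 (step 2 of the figure)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 1 if dnssec else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = ext-RCODE|version|DO|Z, RDLENGTH 0
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, payload, EDNS_DO, 0) if dnssec else b""
    return header + question + opt

def skip_name(msg, pos):
    """Offset just past a wire-format name; a compression pointer (0xC0..) is two bytes."""
    while msg[pos] & 0xC0 != 0xC0 and msg[pos] != 0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)

def query_sets_do(msg):
    """True if the message carries an OPT RR whose DO bit is set, i.e. it asks for DNSSEC RRs."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(msg, pos) + 4                       # QTYPE + QCLASS
    for _ in range(an + ns + ar):
        pos = skip_name(msg, pos)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[pos:pos + 10])
        if rtype == OPT_TYPE:
            return bool(ttl & EDNS_DO)
        pos += 10 + rdlen
    return False

def response_flags(msg):
    """Header flags a client inspects in step 4 (QR, RA, AD) plus the RCODE."""
    f = struct.unpack("!H", msg[2:4])[0]
    return {"qr": bool(f & QR), "ra": bool(f & RA), "ad": bool(f & AD), "rcode": f & 0x000F}

def response_validated(msg):
    """Treat a reply as validated only if it is a NOERROR response with the AD bit set."""
    f = response_flags(msg)
    return f["qr"] and f["rcode"] == 0 and f["ad"]

def sample_reply(validated=True):
    """Constructed (not captured) header of the step-4 reply: QR|RD|RA, plus AD only if validated."""
    return struct.pack("!HHHHHH", 0x1234, QR | RD | RA | (AD if validated else 0), 1, 2, 0, 1)
```

A resolver that does not validate, or a client that sends the query with the CD bit set, will not see AD, so the check must be done on the validating resolver's answer rather than on the authoritative server's.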
Following are the tasks to configure the Grid Master to sign zones:

  1. Create the zones. For information, see Configuring Authoritative Zones.
     — Specify the Grid Master as the primary server.
  2. Enable DNSSEC, as described in Enabling DNSSEC.
  3. Optionally, change the default DNSSEC settings. For information, see Setting DNSSEC Parameters.
  4. Sign the zone. The appliance automatically generates the DNSSEC RRs when you sign a zone. For information, see Signing a Zone.