EK 365 (asker)
Concerns in using the same Infoblox grid master for both external and internal DNS

Hi, I was given a suggested external DNS design which shows the same grid master being shared by the external and internal DNS servers.

This grid master would be a hidden DNS master for external DNS, but it would manage internal DNS too. However, the grid master would not be the internal DNS' DNS master; the internal DNS' SOA would be on a different box.

Do you guys think this design is secure and operationally safe?

My initial reaction was: what the heck, why would we share the same DB for internal and external?

Grid master: GUI-based IPAM and DB
DNS master: DNS master
EK 365 (asker)

Thank you for the comment. Could you please explain more about DNSSEC? How is it related to the grid?
btan

I am seeing the grid handling the PKI aspect of DNSSEC. This extension ensures the integrity of data returned by domain name lookups by incorporating a chain of trust in the DNS hierarchy. The basis is PKI. Normally, a chain of trust is built with public-private keys at each layer of the DNS architecture. DNSSEC provides origin authenticity, data integrity and secure denial of existence. So the grid is supposed to make sure that the DNS servers can verify that data has originated from the correct authoritative source, and maintain data integrity to verify that responses are not modified in flight.

Overall, the whole grid should provide resilient network services, failover, recovery, and seamless maintenance for such a deployment regardless of location, e.g. inside a single building, across a networked campus, or between remote locations.
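To make the "chain of trust built with public-private keys at each layer" concrete, here is an added example (not code from the thread, Infoblox, or the commenter) of how one link in that chain is checked: the parent zone publishes a DS record that is a hash of the child zone's key-signing DNSKEY, and a validator trusts the child's keys only if key tag, algorithm and digest all match. It uses only the Python standard library; the zone name, key bytes and records are constructed, not real.

```python
# Added example (not from the original thread): one link of the DNSSEC chain of
# trust, the DS record in the parent zone versus the DNSKEY in the child zone.
# Wire formats follow RFC 4034 (DNSKEY RDATA, key tag, canonical owner name)
# and RFC 4509 (DS digest type 2 = SHA-256). All key material below is constructed.
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int         # 257 = KSK (SEP bit set), 256 = ZSK
    protocol: int      # always 3 for DNSSEC
    algorithm: int     # e.g. 13 = ECDSAP256SHA256
    public_key: bytes  # raw public key bytes

    def rdata(self) -> bytes:
        """DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key."""
        return self.flags.to_bytes(2, "big") + bytes([self.protocol, self.algorithm]) + self.public_key


@dataclass(frozen=True)
class DS:
    key_tag: int
    algorithm: int
    digest_type: int   # 2 = SHA-256
    digest: bytes


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each length-prefixed,
    terminated by the empty root label (RFC 4034 section 6.2)."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def key_tag(key: DNSKEY) -> int:
    """Key tag per RFC 4034 Appendix B.1: a 16-bit checksum over the RDATA."""
    ac = 0
    for i, b in enumerate(key.rdata()):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def make_ds(owner: str, key: DNSKEY) -> DS:
    """What the parent zone publishes for this child key (SHA-256 over owner name + RDATA)."""
    digest = hashlib.sha256(owner_name_wire(owner) + key.rdata()).digest()
    return DS(key_tag(key), key.algorithm, 2, digest)


def ds_matches_key(owner: str, ds: DS, key: DNSKEY) -> bool:
    """A DNSKEY satisfies a DS only if key tag, algorithm and digest all agree."""
    if ds.digest_type != 2 or ds.algorithm != key.algorithm or ds.key_tag != key_tag(key):
        return False
    return hashlib.sha256(owner_name_wire(owner) + key.rdata()).digest() == ds.digest


def chain_link_valid(owner: str, parent_ds_set, child_dnskey_set) -> bool:
    """The child zone's key set is trusted if at least one DNSKEY matches a DS held by the parent."""
    return any(ds_matches_key(owner, ds, k) for ds in parent_ds_set for k in child_dnskey_set)


# Constructed demonstration values (hypothetical keys, not real key material).
KSK = DNSKEY(257, 3, 13, bytes(range(1, 65)))            # 64-byte P-256 point, made up
ZSK = DNSKEY(256, 3, 13, bytes(range(64, 0, -1)))
PARENT_DS = [make_ds("example.com.", KSK)]               # what the parent would hold
TAMPERED_KSK = DNSKEY(257, 3, 13, bytes(range(1, 64)) + b"\xff")  # one byte changed

if __name__ == "__main__":
    print("genuine key set trusted:", chain_link_valid("example.com.", PARENT_DS, [KSK, ZSK]))
    print("tampered key trusted:   ", chain_link_valid("example.com.", PARENT_DS, [TAMPERED_KSK]))
```

The point for the design question: whoever can change the DNSKEY RRset at the hidden master can only be trusted by the outside world if the parent's DS matches, but whoever holds the private half of the KSK can sign anything under it, which is why the commenter's later advice is to keep the signing host hidden and the private keys in an HSM.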
EK 365 (asker)

Thank you for your comment! Regarding DNSSEC, were you pointing to the fact that the grid master might be changed for failover, so that the DNSSEC source might change, or that DNSSEC should not be offered from the hidden master? Please help me to understand.
btan

First, DNSSEC does not provide DDoS protection, availability, data encryption, or confidentiality. However, the chain of trust that establishes the DNS response to the client must itself be resilient and secure. Hence, since the grid master is overseeing all DNS servers, it should not be revealed to the outside (ext). Treat it like a root CA, which you also will not expose to ext or the internet. The subordinate or delegated server will be exposed. Hence the grid master should be obscured or "hidden" away.

Secondly, DNSSEC is using PKI and there are multiple keys involved that should not be exposed, like the private key. These keys are for DNSSEC to ascertain that the zone and record are of good integrity. So if the keys are stored in the grid master server, it should not be exposed, i.e. hidden; otherwise, if there is any reason it cannot be hidden, the keys should be stored in an HSM (hardened box). So the default is that the grid master is "hidden" away from direct access where possible. Once it is compromised, the PKI running will not be trusted and DNSSEC will be tainted too.

Thirdly, back to why the grid master is used: it is primarily also that PKI management of individual DNS servers having their own keys is operationally tedious and subject to misconfiguration or overlooking to renew keys in time, which can cause unnecessary denial of service or delay to DNS responses to clients. Therefore the grid master is used for central management and oversight to relieve this fatigue and (hopefully) avoid inadvertent administrative action. The grid master server becomes a critical piece and needs to be safeguarded and not exposed unnecessarily to unauthorised access. So being hidden away is a means to an end to secure the DNS infrastructure.

Overall, knowing the criticality of the master server, a proxy to offload verifying of DNSSEC signatures in responses to the delegated DNS server or client will keep the master server away from denial of service. I know F5 and Infoblox are partners for such a setup. No matter what, if we treat the grid master as critical, secure by default is not to even expose it to any possible attack attempt.

Hope it helps, and pardon if it is not diving into the details, as it rather should be the vendor's saying and applying to your environment.
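The third point above, that an overlooked key or signature renewal turns into a self-inflicted denial of service, is the failure mode a defender can watch for regardless of whether signing is central or per server. The following is an added example (not code from the thread, Infoblox, or the commenter) that parses RRSIG records in their presentation form (RFC 4034 section 3.2: expiration and inception as YYYYMMDDHHmmSS in UTC) and reports signatures that are already invalid or are inside a warning window. Standard library only; the RRSIG lines, key tags and the "current time" are constructed.

```python
# Added example (not from the original thread): a lapse check for DNSSEC
# signatures, the operational risk the commenter describes in his third point.
# Input is RRSIG records in zone-file presentation form; output is one status per
# record. Sample records and the reference time are constructed, not real.
from datetime import datetime, timedelta, timezone

# RRSIG presentation form (RFC 4034 section 3.2):
# owner TTL IN RRSIG type_covered alg labels orig_ttl expiration inception key_tag signer signature
_MIN_FIELDS = 13


def parse_rrsig_time(field: str) -> datetime:
    """RRSIG times are YYYYMMDDHHmmSS in UTC."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig_line(line: str) -> dict:
    """Extract the fields needed for validity checking from one RRSIG record."""
    parts = line.split()
    if len(parts) < _MIN_FIELDS or parts[3] != "RRSIG":
        raise ValueError(f"not an RRSIG record: {line!r}")
    return {
        "owner": parts[0],
        "type_covered": parts[4],
        "expiration": parse_rrsig_time(parts[8]),
        "inception": parse_rrsig_time(parts[9]),
        "key_tag": int(parts[10]),
        "signer": parts[11],
    }


def signature_status(rec: dict, now: datetime, warn: timedelta = timedelta(days=3)) -> str:
    """Validators reject a signature outside [inception, expiration); warn before that happens."""
    if now < rec["inception"]:
        return "not-yet-valid"
    if now >= rec["expiration"]:
        return "expired"
    if rec["expiration"] - now <= warn:
        return "expiring"
    return "ok"


def check_zone_signatures(lines, now: datetime, warn: timedelta = timedelta(days=3)):
    """Status of every RRSIG: (owner, type covered, key tag, status)."""
    report = []
    for line in lines:
        rec = parse_rrsig_line(line)
        report.append((rec["owner"], rec["type_covered"], rec["key_tag"], signature_status(rec, now, warn)))
    return report


def signatures_needing_action(lines, now: datetime, warn: timedelta = timedelta(days=3)):
    """Only the records an operator must act on (expired, expiring or not yet valid)."""
    return [r for r in check_zone_signatures(lines, now, warn) if r[3] != "ok"]


# Constructed sample records (hypothetical zone, key tags and signatures).
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG SOA 13 2 3600 20240120000000 20240106000000 12345 example.com. c29tZS1zaWc=",
    "example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240109120000 20231226120000 54321 example.com. YW5vdGhlcg==",
    "www.example.com. 300 IN RRSIG A 13 3 300 20240105000000 20231222000000 12345 example.com. ZXhwaXJlZA==",
]
# Constructed reference time: 2024-01-08 00:00 UTC.
NOW = datetime(2024, 1, 8, 0, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for owner, rtype, tag, status in check_zone_signatures(SAMPLE_RRSIGS, NOW):
        print(f"{status:14} {owner} {rtype} (key tag {tag})")
```

Run against a live zone, the input would be the RRSIG records pulled from the authoritative servers (the exposed secondaries, not the hidden master), and the "expiring" status is the one to alert on: by the time "expired" appears, validating resolvers are already returning SERVFAIL for the zone.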