DNSSEC ECDSA algorithm for signing a zone

thushjandan
Not applicable
Posts: 0

We have some DNSSEC-signed zones and are using Infoblox NIOS 8.2.3 at the moment.

I'm wondering why it is not possible to use ECDSA algorithms for signing a zone. The resolver is capable of verifying ECDSA algorithms, but NIOS is not capable of signing zones with ECDSA algorithms. Are there any plans to also support ECDSA algorithms for the signing process?

Using an ECDSA algorithm helps reduce the fragmentation of DNS packets and could reduce the DNS amplification factor of DNS-based DDoS attacks.
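
As an added illustration of the size argument in the post above (not part of the thread and not Infoblox code), this Python sketch estimates the wire size of a signed DNSKEY response for RSA-2048 and for ECDSA P-256. The zone name, the rollover scenario of 3 DNSKEYs and 2 RRSIGs, the RSA exponent 65537, and the 1232-byte payload limit are assumptions chosen for the example.

```python
# Added example: estimated wire size of a signed DNSKEY response.
# RDATA layouts follow RFC 4034 (DNSKEY/RRSIG), RFC 3110 (RSA), RFC 6605 (ECDSA).
from dataclasses import dataclass

HEADER = 12              # fixed DNS header
RR_FIXED = 12            # compressed owner name (2) + type, class, TTL, rdlength (10)
OPT_RR = 11              # EDNS0 OPT pseudo-record carrying no options
SAFE_UDP_PAYLOAD = 1232  # assumption: DNS Flag Day 2020 payload size chosen to avoid IP fragmentation


@dataclass(frozen=True)
class Algorithm:
    name: str
    pubkey_len: int  # public key bytes in DNSKEY RDATA
    sig_len: int     # signature bytes in RRSIG RDATA


def rsa(bits: int) -> Algorithm:
    # RFC 3110 key field: 1-byte exponent length + exponent (65537 assumed, 3 bytes) + modulus
    return Algorithm(f"RSASHA256/{bits}", 1 + 3 + bits // 8, bits // 8)


ECDSA_P256 = Algorithm("ECDSAP256SHA256", 64, 64)  # RFC 6605: 64-byte key, 64-byte signature


def name_wire_len(name: str) -> int:
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(len(l) + 1 for l in labels) + 1  # one length octet per label + root label


def query_size(zone: str) -> int:
    return HEADER + name_wire_len(zone) + 4 + OPT_RR  # question = qname + qtype + qclass


def dnskey_response_size(zone: str, alg: Algorithm, keys: int, sigs: int) -> int:
    dnskey_rr = RR_FIXED + 4 + alg.pubkey_len  # flags (2) + protocol (1) + algorithm (1) + key
    rrsig_rr = RR_FIXED + 18 + name_wire_len(zone) + alg.sig_len  # signer name is never compressed
    return query_size(zone) + keys * dnskey_rr + sigs * rrsig_rr


def amplification(zone: str, alg: Algorithm, keys: int, sigs: int) -> float:
    return dnskey_response_size(zone, alg, keys, sigs) / query_size(zone)


if __name__ == "__main__":
    zone, keys, sigs = "example.com", 3, 2  # constructed scenario: DNSKEY RRset during a key rollover
    for alg in (rsa(2048), ECDSA_P256):
        size = dnskey_response_size(zone, alg, keys, sigs)
        fits = "fits" if size <= SAFE_UDP_PAYLOAD else "exceeds"
        print(f"{alg.name}: {size} bytes, {fits} {SAFE_UDP_PAYLOAD}, x{amplification(zone, alg, keys, sigs):.1f}")
```

The figures are estimates for a minimal response with name compression and no EDNS options; real responses vary with key counts, key sizes and additional records.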

Re: DNSSEC ECDSA algorithm for signing a zone

Authority
Posts: 25

If it were me, I'd call into the support line and ask to be added to RFE-6068 and RFE-7648. These RFEs are to address adding ECDSA to the signing side of NIOS. I would also contact your Account Team to let them know you would like to see it in the product.

Re: DNSSEC ECDSA algorithm for signing a zone

thushjandan
Not applicable
Posts: 0

The Infoblox account team already added us to RFE-6068 last year. What is RFE-7648 for?

Meanwhile, I received an update that RFE-6068 won't be implemented. This feature apparently has the status "not under consideration". So I interpret this update to mean that ECDSA for signing won't be available in NIOS in the near future. Is that true?

Supporting ECDSA algorithms for signing could help push DNSSEC. However, I hope that Infoblox changes its mind and implements ECDSA for signing in the near future.

Re: DNSSEC ECDSA algorithm for signing a zone

Adviser
Posts: 77

Hello There,

You’re right about RFE-6068. An RFE is considered based on several aspects by the Infoblox product management team. RFE-7648 is for the support of Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC (RFC8080). For any updates about a feature request, please sync up with your Infoblox accounts team. They would be able to work with Infoblox product management and let you know the reason why a feature is not considered for implementation.

Best regards,

Mohammed Alman.

Re: DNSSEC ECDSA algorithm for signing a zone

hobz
Techie
Posts: 3

The sad part is that this is already implemented in the BIND we are running. This is just a GUI change to implement it.
