04-18-2018 01:29 AM
We have some DNSSEC signed zones and using Infoblox NIOS 8.2.3 at the moment.
I'm wondering why it is not possible to use ECDSA algorithms for signing a zone. The resolver is capable of verifying ECDSA algorithms, but NIOS is not capable of signing zones with ECDSA algorithms. Are there any plans to also support ECDSA algorithms for the signing process?
Using an ECDSA algorithm helps reduce the fragmentation of DNS packets and could reduce the DNS amplification factor of DNS-based DDoS attacks.
04-18-2018 06:30 AM
If it were me, I'd call into the support line and ask to be added to RFE-6068 and RFE-7648. These RFEs are to address adding ECDSA to the signing side of NIOS. I would also contact your Account Team to let them know you would like to see it in the product.
04-30-2018 12:07 AM
The Infoblox account team has already added us for the RFE-6068 last year. What is RFE-7648 for?
Meanwhile I received an update that RFE-6068 won't be implemented. This feature apparently has the status "not under consideration". So I interpret this update to mean that ECDSA for signing won't be available in NIOS in the near future. Is that true?
Supporting ECDSA algorithms for signing could help push DNSSEC. However, I hope that Infoblox changes its mind and implements ECDSA for signing in the near future.
04-30-2018 11:48 AM
You're right about RFE-6068. An RFE is considered based on several aspects by the Infoblox product management team. RFE-7648 is for the support of the Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC (RFC 8080). For any updates about a feature request, please sync up with your Infoblox accounts team. They would be able to work with Infoblox product management and let you know the reason why a feature is not considered for implementation.
08-31-2018 01:01 PM
Sad part is that this is already implemented in the BIND we are running. This is just a GUI change to implement it.
09-30-2020 02:49 AM
Quite interesting demo there, thanks for sharing. A little more than 20 % of all .dk domains are DNSSEC signed (due to the efforts of One.com, who have started to DNSSEC sign all customer domains by default) and almost 93 % are signed using algorithm 13! 93 %, using an algorithm that hasn't been implemented by Infoblox for signing yet, though the RFC is from April 2012. In conclusion, Infoblox DNS is currently only recommendable for internal DNS zones without DNSSEC and as a (DNSSEC validating) resolver; if a customer wants to handle their own external DNS, they'll need something else.
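As an added illustration of the packet-size and amplification point raised in this thread (this is example code, not from the original posts or from Infoblox), the script below parses DNSKEY records and estimates the size of a DNSKEY query response for an RSA-2048 zone (algorithm 8) versus an ECDSA P-256 zone (algorithm 13). It assumes a constructed owner name `example.`, filler key material of the correct length, one RRSIG per KSK over the DNSKEY RRset, name compression in the answer section, and no EDNS OPT record.

```python
import base64

# IANA DNSSEC algorithm numbers (RFC 8624); 13 is the ECDSA P-256 algorithm the thread discusses
ALGORITHMS = {5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
              13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}
# RRSIG signature length in bytes; for RSA it equals the modulus size (assumption: 2048-bit keys)
SIG_BYTES = {5: 256, 7: 256, 8: 256, 10: 256, 13: 64, 14: 96, 15: 64, 16: 114}


def parse_dnskey(record: str) -> dict:
    """Parse a DNSKEY record in presentation format:
    <owner> <ttl> IN DNSKEY <flags> <protocol> <algorithm> <base64 public key>"""
    f = record.split()
    if len(f) < 8 or f[3] != "DNSKEY":
        raise ValueError("not a DNSKEY record")
    flags, alg = int(f[4]), int(f[6])
    key = base64.b64decode("".join(f[7:]))       # key may be split over several tokens
    return {"owner": f[0], "ksk": bool(flags & 1), "algorithm": alg,
            "name": ALGORITHMS.get(alg, f"unassigned({alg})"),
            "rdata_bytes": 4 + len(key)}          # flags(2) + protocol(1) + algorithm(1) + key


def wire_name_len(name: str) -> int:
    """Uncompressed wire length of a DNS name ("example." -> 9 bytes)."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return sum(1 + len(l) for l in labels) + 1   # length byte per label + root byte


def dnskey_response_size(keys: list) -> int:
    """Estimated bytes of a DNSKEY response: header + question + every DNSKEY RR,
    plus one RRSIG per KSK. Each answer RR = 2-byte compressed owner + 10 bytes of
    type/class/ttl/rdlength + rdata; an RRSIG rdata is 18 fixed bytes + signer name + signature."""
    owner = keys[0]["owner"]
    size = 12 + wire_name_len(owner) + 4
    size += sum(2 + 10 + k["rdata_bytes"] for k in keys)
    for k in keys:
        if k["ksk"]:
            size += 2 + 10 + 18 + wire_name_len(owner) + SIG_BYTES[k["algorithm"]]
    return size


def sample_zone(alg: int, key_bytes: bytes) -> list:
    """Constructed KSK (flags 257) + ZSK (flags 256) pair; the key material is filler, not a real key."""
    b64 = base64.b64encode(key_bytes).decode()
    return [parse_dnskey(f"example. 3600 IN DNSKEY {flags} 3 {alg} {b64}") for flags in (257, 256)]


RSA_ZONE = sample_zone(8, b"\x03\x01\x00\x01" + b"\xab" * 256)  # RFC 3110: exp length, e=65537, 2048-bit n
ECDSA_ZONE = sample_zone(13, b"\xcd" * 64)                     # RFC 6605: P-256 point as x||y

if __name__ == "__main__":
    for zone in (RSA_ZONE, ECDSA_ZONE):
        print(f"{zone[0]['name']}: ~{dnskey_response_size(zone)} bytes for a 25-byte query")
```

The RSA variant already exceeds the classic 512-byte UDP limit while the ECDSA variant stays well under it, which is the fragmentation and amplification argument made in the first post.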