04-18-2018 01:29 AM
We have some DNSSEC signed zones and using Infoblox NIOS 8.2.3 at the moment.
I'm wondering why it is not possible to use ECDSA algorithms for signing a zone. The resolver is capable of verifying ECDSA algorithms, but NIOS is not capable of signing zones with ECDSA algorithms. Are there any plans to also support ECDSA algorithms for the signing process?
Using the ECDSA algorithm helps reduce the fragmentation of DNS packets and could reduce the amplification factor of DNS-based DDoS attacks.
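To put numbers on the fragmentation and amplification point above, here is an added example (not code from the original post, and not Infoblox or BIND code) that builds DNSKEY and RRSIG RDATA in wire format per RFC 4034, RFC 3110 (RSA/SHA-256) and RFC 6605 (ECDSA P-256), computes the RFC 4034 Appendix B key tag, and estimates the size of a DNSKEY response during a KSK rollover (two KSKs, one ZSK, two RRSIGs). The key material is constructed dummy bytes of the correct length, not real keys; the zone name, TTLs, and the rollover scenario are assumptions chosen for illustration, and names are left uncompressed so the estimate is an upper bound.

```python
"""Estimate DNSKEY response sizes for RSA-2048 vs ECDSA P-256 (RFC 4034/3110/6605).

Added example, not from the original post. All key/signature bytes below are
constructed placeholders of the correct length, not real cryptographic material.
"""
import struct

ALG_RSASHA256 = 8          # RFC 5702
ALG_ECDSAP256SHA256 = 13   # RFC 6605
DNS_HEADER_LEN = 12        # RFC 1035 header
OPT_RR_LEN = 11            # EDNS0 OPT RR with empty RDATA (root name + 10-byte fixed part)


def name_to_wire(name: str) -> bytes:
    """Encode a dotted, fully qualified name as uncompressed DNS labels."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def rsa_public_key(exponent: int, modulus: bytes) -> bytes:
    """RFC 3110 section 2 RSA public key field: exponent length, exponent, modulus."""
    exp = exponent.to_bytes((exponent.bit_length() + 7) // 8, "big")
    if len(exp) < 256:
        return bytes([len(exp)]) + exp + modulus
    return b"\x00" + struct.pack("!H", len(exp)) + exp + modulus


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """RFC 4034 section 2.1 DNSKEY RDATA: flags, protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rrsig_rdata(type_covered: int, algorithm: int, labels: int, orig_ttl: int,
                expiration: int, inception: int, tag: int, signer: str,
                signature: bytes) -> bytes:
    """RFC 4034 section 3.1 RRSIG RDATA: 18-byte fixed header, signer name, signature."""
    return (struct.pack("!HBBIIIH", type_covered, algorithm, labels, orig_ttl,
                        expiration, inception, tag)
            + name_to_wire(signer) + signature)


def rr_wire_len(owner: str, rdata: bytes) -> int:
    """Owner name + TYPE(2) + CLASS(2) + TTL(4) + RDLENGTH(2) + RDATA, uncompressed."""
    return len(name_to_wire(owner)) + 10 + len(rdata)


def dnskey_response_size(zone: str, algorithm: int, keys: list, sigs: list) -> dict:
    """Size of a DNSKEY query and its response, both carrying an OPT RR.

    keys: list of (flags, public_key_bytes); sigs: list of signature byte strings.
    Assumed scenario values (TTL, timestamps) are placeholders.
    """
    question = len(name_to_wire(zone)) + 4  # QTYPE + QCLASS
    query = DNS_HEADER_LEN + question + OPT_RR_LEN
    answers = 0
    rdatas = [dnskey_rdata(flags, algorithm, pk) for flags, pk in keys]
    ksk_tag = key_tag(rdatas[0])  # first key is the signing KSK in this scenario
    for rd in rdatas:
        answers += rr_wire_len(zone, rd)
    for sig in sigs:
        rd = rrsig_rdata(48, algorithm, 2, 3600, 1528000000, 1525000000, ksk_tag, zone, sig)
        answers += rr_wire_len(zone, rd)
    response = DNS_HEADER_LEN + question + answers + OPT_RR_LEN
    return {"query": query, "response": response,
            "amplification": round(response / query, 1),
            "exceeds_1232": response > 1232,   # common EDNS buffer / no-fragment limit
            "exceeds_1500": response > 1500}   # Ethernet MTU: fragmentation on the wire


def compare_rollover(zone: str = "example.com.") -> dict:
    """KSK rollover: 2 KSKs (flags 257) + 1 ZSK (flags 256), 2 RRSIGs, RSA-2048 vs P-256."""
    rsa_pk = rsa_public_key(65537, b"\x01" * 256)   # constructed 2048-bit modulus
    ec_pk = b"\x02" * 64                            # constructed P-256 x||y (RFC 6605)
    rsa = dnskey_response_size(zone, ALG_RSASHA256,
                               [(257, rsa_pk), (257, rsa_pk), (256, rsa_pk)],
                               [b"\x03" * 256] * 2)
    ec = dnskey_response_size(zone, ALG_ECDSAP256SHA256,
                              [(257, ec_pk), (257, ec_pk), (256, ec_pk)],
                              [b"\x04" * 64] * 2)
    return {"rsa2048": rsa, "ecdsap256": ec}


if __name__ == "__main__":
    for alg, r in compare_rollover().items():
        print(f"{alg:10s} query={r['query']}B response={r['response']}B "
              f"x{r['amplification']} >1232:{r['exceeds_1232']} >1500:{r['exceeds_1500']}")
```

The RSA-2048 rollover response lands above both the 1232-byte EDNS buffer that many resolvers now advertise and the 1500-byte Ethernet MTU, so it is either fragmented or retried over TCP; the same RRset signed with P-256 stays well under both limits, and the per-query amplification factor drops by roughly the same ratio.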
04-18-2018 06:30 AM
If it were me, I'd call into the support line and ask to be added to RFE-6068 and RFE-7648. These RFEs are to address adding ECDSA to the signing side of NIOS. I would also contact your Account Team to let them know you would like to see it in the product.
04-30-2018 12:07 AM
The Infoblox account team has already added us for the RFE-6068 last year. What is RFE-7648 for?
Meanwhile, I received an update that RFE-6068 won't be implemented. This feature apparently has the status "not under consideration". So I interpret this update to mean that ECDSA for signing won't be available in NIOS in the near future. Is that true?
Supporting ECDSA algorithms for signing could help push DNSSEC. However, I hope that Infoblox changes their mind and implements ECDSA for signing in the near future.
04-30-2018 11:48 AM
You're right about RFE-6068. An RFE is considered based on several aspects by the Infoblox product management team. RFE-7648 is for the support of the Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC (RFC 8080). For any updates about a feature request, please sync up with your Infoblox account team. They would be able to work with Infoblox product management and let you know the reason why a feature is not considered for implementation.
08-31-2018 01:01 PM
The sad part is that this is already implemented in the BIND we are running. This is just a GUI change to implement it.