
DNSSEC ECDSA algorithm for signing a zone

Not applicable
Posts: 2

We have some DNSSEC-signed zones and are using Infoblox NIOS 8.2.3 at the moment.

I'm wondering why it is not possible to use ECDSA algorithms for signing a zone. The resolver is capable of verifying ECDSA algorithms, but NIOS is not capable of signing zones with ECDSA algorithms. Are there any plans to also support ECDSA algorithms for the signing process?

Using an ECDSA algorithm helps reduce the fragmentation of DNS packets and could reduce the amplification factor of DNS-based DDoS attacks.
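The size argument in the post above, worked through as an added example (this is not code from the original thread, from Infoblox, or from NIOS): the Go program below generates a 2048-bit RSA key and a P-256 key, encodes each public key the way a DNSKEY record carries it (RFC 3110 for RSA, RFC 6605 for ECDSA), produces an algorithm 8 (RSASHA256) and an algorithm 13 (ECDSAP256SHA256) signature, and then estimates the size of a DNSKEY response and its amplification ratio against the query. The zone name `example.dk.`, the message being signed (a stand-in for the RRSIG prefix plus canonical RRset), and the response layout (KSK + ZSK + one RRSIG + OPT) are assumptions for illustration; real responses vary with key count, TTLs and names.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// SizeReport holds the wire-format byte counts that decide how large a signed answer gets.
type SizeReport struct {
	Algorithm   string
	DNSKEYRdata int // flags(2) + protocol(1) + algorithm(1) + public key
	Signature   int // signature field of the RRSIG RDATA
	Response    int // estimated DNSKEY response carrying KSK + ZSK + one RRSIG
}

// rsaPublicRFC3110 encodes an RSA key as DNSKEY carries it: exponent length byte, exponent, modulus (e=65537 fits one length byte).
func rsaPublicRFC3110(pub *rsa.PublicKey) []byte {
	exp := big.NewInt(int64(pub.E)).Bytes()
	return append(append([]byte{byte(len(exp))}, exp...), pub.N.Bytes()...)
}

// ecdsaPublicRFC6605 encodes a P-256 key as x || y, 32 bytes each, with no 0x04 prefix (RFC 6605).
func ecdsaPublicRFC6605(pub *ecdsa.PublicKey) []byte {
	out := make([]byte, 64)
	pub.X.FillBytes(out[:32])
	pub.Y.FillBytes(out[32:])
	return out
}

// signECDSAP256SHA256 is algorithm 13: r || s, each left-padded to 32 bytes, not DER (RFC 6605).
func signECDSAP256SHA256(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return nil, err
	}
	out := make([]byte, 64)
	r.FillBytes(out[:32])
	s.FillBytes(out[32:])
	return out, nil
}

// DNSKEYQuerySize is a minimal query: 12-byte header, QNAME (text length + 1 on the wire), QTYPE/QCLASS, 11-byte OPT.
func DNSKEYQuerySize(zone string) int { return 12 + len(zone) + 1 + 4 + 11 }

// DNSKEYResponseSize estimates the answer: header, question, OPT, two DNSKEY RRs (KSK + ZSK) with compressed owner names, one RRSIG. Constructed estimate, not a capture.
func DNSKEYResponseSize(zone string, rdata, sigLen int) int {
	rr := 2 + 2 + 2 + 4 + 2                   // compression pointer + type + class + TTL + RDLENGTH
	rrsig := rr + 18 + len(zone) + 1 + sigLen // 18 fixed RRSIG bytes + signer name + signature
	return DNSKEYQuerySize(zone) + 2*(rr+rdata) + rrsig
}

// CompareAlgorithms signs a constructed stand-in for the canonical RRset with algorithms 8 and 13 and reports the resulting sizes.
func CompareAlgorithms(zone string) ([]SizeReport, error) {
	msg := []byte("constructed stand-in for RRSIG prefix + canonical RRset") // not real DNS wire data
	h := sha256.Sum256(msg)
	rsaKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	rsaSig, err := rsa.SignPKCS1v15(rand.Reader, rsaKey, crypto.SHA256, h[:]) // alg 8: one modulus long
	if err != nil {
		return nil, err
	}
	ecKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	ecSig, err := signECDSAP256SHA256(ecKey, msg)
	if err != nil {
		return nil, err
	}
	// A validator splits the fixed-width r||s back into two integers before checking it.
	if !ecdsa.Verify(&ecKey.PublicKey, h[:], new(big.Int).SetBytes(ecSig[:32]), new(big.Int).SetBytes(ecSig[32:])) {
		return nil, fmt.Errorf("ECDSA r||s signature did not verify")
	}
	rsaRdata := 4 + len(rsaPublicRFC3110(&rsaKey.PublicKey)) // 4 = flags 257 + protocol 3 + algorithm
	ecRdata := 4 + len(ecdsaPublicRFC6605(&ecKey.PublicKey))
	return []SizeReport{
		{"RSASHA256 (alg 8, 2048-bit)", rsaRdata, len(rsaSig), DNSKEYResponseSize(zone, rsaRdata, len(rsaSig))},
		{"ECDSAP256SHA256 (alg 13)", ecRdata, len(ecSig), DNSKEYResponseSize(zone, ecRdata, len(ecSig))},
	}, nil
}

func main() {
	const zone = "example.dk." // constructed zone name
	reports, err := CompareAlgorithms(zone)
	if err != nil {
		panic(err)
	}
	for _, r := range reports {
		fmt.Printf("%-28s DNSKEY rdata %3d B, signature %3d B, response ~%3d B, amplification ~%.1fx\n", r.Algorithm, r.DNSKEYRdata, r.Signature, r.Response, float64(r.Response)/float64(DNSKEYQuerySize(zone)))
	}
}
```

The numbers make the poster's point concrete: with 2048-bit RSA the public key alone is 260 bytes and each signature 256 bytes, so even this minimal two-key DNSKEY answer is roughly 890 bytes against a 39-byte query; with algorithm 13 the key is 64 bytes and the signature 64 bytes, and the same answer stays around 300 bytes. Every additional key during a rollover or every extra RRSIG adds a full signature, which is what pushes RSA-signed responses toward fragmentation and makes them attractive as amplification payloads.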


Re: DNSSEC ECDSA algorithm for signing a zone

Authority
Posts: 45

If it were me, I'd call into the support line and ask to be added to RFE-6068 and RFE-7648. These RFEs are to address adding ECDSA to the signing side of NIOS. I would also contact your Account Team to let them know you would like to see it in the product.


Re: DNSSEC ECDSA algorithm for signing a zone

Not applicable
Posts: 2

The Infoblox account team already added us to RFE-6068 last year. What is RFE-7648 for?

Meanwhile I received an update that RFE-6068 won't be implemented. This feature apparently has the status "not under consideration". So I interpret this update to mean that ECDSA for signing won't be available in NIOS in the near future. Is that true?

Supporting ECDSA algorithms for signing could help push DNSSEC. However, I hope that Infoblox changes their mind and implements ECDSA for signing in the near future.


Re: DNSSEC ECDSA algorithm for signing a zone

Adviser
Posts: 129

Hello There,

You're right about RFE-6068. An RFE is considered based on several aspects by the Infoblox product management team. RFE-7648 is for the support of Edwards-Curve Digital Security Algorithm (EdDSA) for DNSSEC (RFC 8080). For any updates about a feature request, please sync up with your Infoblox account team. They would be able to work with Infoblox product management and let you know the reason why a feature is not considered for implementation.

Best regards,

Mohammed Alman.


Re: DNSSEC ECDSA algorithm for signing a zone

Techie
Posts: 12

The sad part is that this is already implemented in the BIND we are running. This is just a GUI change to implement it.

Re: DNSSEC ECDSA algorithm for signing a zone

Techie
Posts: 12

It is the end of 2019 and ECDSA is not even on the roadmap for 8.6 (it is definitely not in 8.5).


Re: DNSSEC ECDSA algorithm for signing a zone

Techie
Posts: 12

2 years and counting. What's the point of the product, if RFEs are not even considered?


Re: DNSSEC ECDSA algorithm for signing a zone

Techie
Posts: 12

https://www.youtube.com/watch?v=q1cnsIM1w7c

One more reason to get ECDSA support


Re: DNSSEC ECDSA algorithm for signing a zone

Techie
Posts: 1

Quite interesting demo there, thanks for sharing. A little more than 20% of all .dk domains are DNSSEC signed (due to the efforts of One.com, who have started to DNSSEC sign all customer domains by default), and almost 93% are signed using algorithm 13! 93%, using an algorithm that hasn't been implemented by Infoblox for signing yet, though the RFC is from April 2012. In conclusion, Infoblox DNS is currently only recommendable for internal DNS zones without DNSSEC and as a (DNSSEC-validating) resolver. If a customer wants to handle their own external DNS, they'll need something else.
