Infoblox offers a nice product which completely serves the DHCP/DNS/IPAM aka DDI area. I really love it. Especially the centralized management aka Grid works quite stable and is easy to use (though the GUI looks a bit outdated).
However, sometimes I go a little beyond the daily business and do labbing with next-generation features such as #IPv6, #DNSSEC, #NTP authentication, CAA, SSHFP, and so on. Not everything within these topics is included, hence a couple of feature requests. Just a living list from my perspective.
First of all, I want to point out that Infoblox *in fact* is listening to bug reports passed over Twitter. This is great and I highly appreciate it, since I have had many experiences with other security companies that are not interested in reports arising from my lab as long as there is no big customer paying lots of money behind them.
Wow, I just got a personal mail from an @Infoblox SE that they have fixed this issue I posted on Twitter last year. (NIOS 8.3.3) This is awesome. Way better than other security companies that do not care about my feature requests at all. Thanks @cricketondns et al.! https://t.co/ICkWGRLvwJ
— Johannes Weber (@webernetz) February 14, 2019
My Feature Requests
- [HA] The high availability HA cluster takes about 1-2 minutes to failover, depending on the configuration, especially when RPZs are used. Refer to: Infoblox Failover Debacle (Works as Designed).
- [GUI] I’m ok with the slightly outdated GUI. What is actually annoying is the fact that *every* window that opens is way too small within the screen. I have to enlarge every single pane after I open it to use the whole display. This could be better.
- [Grid Master] The reporting app is not working if your HTTPS certificate on the Grid Master has an RSA key longer than 2048 bits. Uh. Yes, this might be related to Java which is used in there, but I don’t care. It’s 2019 and keys should be 4096 bits or even longer.
- [Grid] NTP authentication is missing SHA-1. Currently it only supports DES (WTF?) and MD5. Report.
- [Grid] The “show ntp” command does not reveal which NTP servers are using valid NTP authentication. A more detailed command as on Cisco IOS such as “show ntp associations detail” would be great.
- [DNSSEC] You cannot add SSHFP via the GUI. (I know that you can add almost every DNS RR manually, but, you know, this is not the user experience you want to have with a state-of-the art product.) More information about SSHFP here: SSHFP: Authenticate SSH Fingerprints via DNSSEC.
- [DNS] Authentication for OSPFv3 is missing completely. It is only implemented for OSPFv2 for legacy IP. Report.
Bug Reports
- [Grid Master] After enabling IPv6 on the Grid Master (before: IPv4 only, now: dual stack), the GM reboots and generates a new self-signed HTTPS certificate, even though a custom and signed cert was already in place. Seen in NIOS 8.3.4. Report.
- [CLI] Pinging an IPv6 hostname is not working. Seen in NIOS 8.3.4. Report.
- [DNSSEC] Trying to add TLSA records (DANE) isn’t working correctly. You either can’t set the FQDN or the underscore. Seen in NIOS 8.3.1. Report. Fixed in NIOS 8.3.3. Thanks!
- [DNSSEC] You can’t add CAA records for a whole domain, only for FQDNs. That obviously doesn’t scale. Seen in NIOS 8.3.0. Report. Fixed in NIOS 8.3.1. Thanks!
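Since the SSHFP, TLSA and CAA items above all come down to entering these records by hand (the GUI either lacks the type or mangles the owner name), here is an added helper, written for this post and not part of NIOS or any Infoblox tooling, that produces the zone-file lines to paste in. It derives the SSHFP fingerprint the same way ssh-keygen -r does (SHA-256 over the decoded OpenSSH key blob), builds the underscore-prefixed TLSA owner name _port._proto.host with a full-certificate SHA-256 match, and checks a CAA record before it is written at the zone apex. The SSH key and the certificate bytes are constructed sample data, not real keys.

```python
import base64
import hashlib
import struct

# Constructed sample: a fake 32-byte Ed25519 public key wrapped in the OpenSSH
# wire format (length-prefixed key type, then length-prefixed key bytes).
_FAKE_ED25519_KEY = bytes(range(32))
_FAKE_BLOB = (struct.pack(">I", len(b"ssh-ed25519")) + b"ssh-ed25519"
              + struct.pack(">I", 32) + _FAKE_ED25519_KEY)
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(_FAKE_BLOB).decode() + " lab@example"

# Constructed sample: stands in for a DER-encoded X.509 certificate.
SAMPLE_CERT_DER = b"constructed-der-certificate-bytes"

# RFC 4255 / RFC 6594 / RFC 7479 SSHFP algorithm numbers by OpenSSH key type.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}

CAA_TAGS = {"issue", "issuewild", "iodef"}


def _read_ssh_string(buf, offset):
    """Read one length-prefixed string from an OpenSSH wire blob."""
    (length,) = struct.unpack_from(">I", buf, offset)
    start = offset + 4
    return buf[start:start + length], start + length


def sshfp_record(owner, pubkey_line):
    """Build 'owner IN SSHFP <algo> 2 <sha256>' from an authorized_keys style line."""
    key_type, b64 = pubkey_line.split()[:2]
    blob = base64.b64decode(b64)
    # The key type inside the blob must agree with the text prefix; a mismatch
    # means the line was edited or corrupted and must not be published.
    wire_type, _ = _read_ssh_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded key blob")
    algorithm = SSHFP_ALGORITHM[key_type]
    fingerprint = hashlib.sha256(blob).hexdigest()  # fingerprint type 2 = SHA-256
    return f"{owner} IN SSHFP {algorithm} 2 {fingerprint}"


def tlsa_record(host, port, proto, cert_der, usage=3):
    """Build a DANE-EE (usage 3) TLSA record matching the full certificate by SHA-256.

    selector 0 = whole certificate, matching type 1 = SHA-256 of that data.
    """
    if usage not in (0, 1, 2, 3):
        raise ValueError("TLSA usage must be 0..3")
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError("unsupported transport protocol")
    owner = f"_{port}._{proto}.{host}"  # the underscore labels the GUI could not take
    digest = hashlib.sha256(cert_der).hexdigest()
    return f"{owner} IN TLSA {usage} 0 1 {digest}"


def caa_record(zone_apex, tag, value, flags=0):
    """Build a CAA record at the zone apex; rejects unknown tags and flag values."""
    if tag not in CAA_TAGS:
        raise ValueError(f"unknown CAA tag {tag!r}")
    if flags not in (0, 128):  # 128 = issuer critical
        raise ValueError("CAA flags must be 0 or 128")
    if not zone_apex.endswith("."):
        raise ValueError("use a fully qualified, dot-terminated apex name")
    return f'{zone_apex} IN CAA {flags} {tag} "{value}"'


if __name__ == "__main__":
    print(sshfp_record("host.example.com.", SAMPLE_PUBKEY_LINE))
    print(tlsa_record("mail.example.com.", 25, "tcp", SAMPLE_CERT_DER))
    print(caa_record("example.com.", "issue", "letsencrypt.org"))
```

The SSHFP line can be compared against the output of ssh-keygen -r on the host itself; if the two differ, the key in the zone is not the key the server presents and the record should not go live.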
Featured image “Hanomag @ Theodor-Heuss-Bridge” by Frank Friedrichs is licensed under CC BY-NC-ND 2.0.