Infoblox offers a nice product which completely serves the DHCP/DNS/IPAM aka DDI area. I really love it. Especially the centralized management aka Grid works quite stable and is easy to use (though the GUI looks a bit outdated).
However, sometimes I go a little beyond the daily business and lab with next-generation features such as #IPv6, #DNSSEC, #NTP authentication, CAA, SSHFP, and so on. Not everything within these topics is supported yet, hence a couple of feature requests. This is just a living list from my perspective.
First of all I want to point out that Infoblox *in fact* listens to bug reports passed on via Twitter. This is great and I highly appreciate it, since I have had many experiences with other security companies that are not interested in reports arising from my lab as long as there is no big customer paying lots of money behind them.
Wow, I just got a personal mail from an @Infoblox SE that they have fixed this issue I posted on Twitter last year. (NIOS 8.3.3) This is awesome. Way better than other security companies that do not care about my feature requests at all. Thanks @cricketondns et al.! https://t.co/ICkWGRLvwJ
— Johannes Weber 🎸 (@webernetz) February 14, 2019
My Feature Requests
- [HA] The high availability (HA) cluster takes about 1-2 minutes to fail over, depending on the configuration, especially when RPZs are used. Refer to: Infoblox Failover Debacle (Works as Designed).
- [GUI] I’m ok with the slightly outdated GUI. What is actually annoying is the fact that *every* window that opens is way too small for the screen. I have to enlarge every single pane after opening it to use the whole display. This could be better.
- [Grid Master] The reporting app is not working if your HTTPS certificate on the Grid Master has an RSA key longer than 2048 bits. Uh. Yes, this might be related to the Java that is used in there, but I don’t care. It’s 2019 and keys should be 4096 bits or even longer.
- [Grid] NTP authentication is missing SHA-1. Currently it only supports DES (WTF?) and MD5. Report.
- [Grid] The “show ntp” command does not reveal which NTP servers are using valid NTP authentication. A more detailed command like the one on Cisco IOS, “show ntp associations detail”, would be great.
- [DNSSEC] You cannot add SSHFP records via the GUI. (I know that you can add almost every DNS RR manually, but, you know, this is not the user experience you want to have with a state-of-the-art product.) More information about SSHFP here: SSHFP: Authenticate SSH Fingerprints via DNSSEC.
- [DNS] Authentication for OSPFv3 is missing completely. It is only implemented for OSPFv2, i.e., for legacy IP. Report.
Bug Reports
- [Grid Master] After enabling IPv6 on the Grid Master (before: IPv4 only, now: dual stack), the GM reboots and generates a new self-signed HTTPS certificate, even though a custom and signed cert was already in place. Seen in NIOS 8.3.4. Report.
- [CLI] Pinging an IPv6 hostname is not working. Seen in NIOS 8.3.4. Report.
- [DNSSEC] Trying to add TLSA records (DANE) isn’t working correctly. You either can’t set the FQDN or the underscore. Seen in NIOS 8.3.1. Report. Fixed in NIOS 8.3.3. Thanks!
- [DNSSEC] You can’t add CAA records for a whole domain, only for FQDNs. That obviously doesn’t scale. Seen in NIOS 8.3.0. Report. Fixed in NIOS 8.3.1. Thanks!
Featured image “Hanomag @ Theodor-Heuss-Bridge” by Frank Friedrichs is licensed under CC BY-NC-ND 2.0.
My biggest bugbear in Infoblox IPAM is that there is no linkage between IPv4 subnets and IPv6 subnets that are on the same L2 network.
This bites e.g. when defining a new Host with a statically-assigned IPv4 address and then adding an IPv6 address – the IPv6 address isn’t guided to be on the same L2.
If I’m adding a router at the .1 host address in a subnet, why not make it easy to assign the ::1 interface identifier in the IPv6 subnet that is on the same L2?
===
Yes, I could pair things up by adding an Extended Attribute to all IPv4 and IPv6 networks, and then make sure that one IPv4 network and one IPv6 network have a certain value for this EA …
But I’m not sure this helps.
I found a working way to add SSHFP records on Infoblox (tried with version 8.4.4) via GUI and WAPI.
GUI:
Add -> Unknown Record
“TYPE44” or “SSHFP” (both versions seem to work)
Data Type HEX
Length None
and now the important part:
You have to add 4 leading digits to the actual key to specify algorithm and type of the key.
For example 0302 if the type is ECDSA with SHA-256 (see https://en.wikipedia.org/wiki/SSHFP_record for the different types).
WAPI:
(minimum version 2.10 – thanks to official infoblox support for this information)
curl -k1 -u user:password -H 'content-type: application/json' -X POST https://yourinfobloxaddresshere/wapi/v2.10/record:unknown -d '{"name": "sshfp.test","record_type": "SSHFP","subfield_values": [{"field_type": "X","field_value": "03020fd72c7883e65b5a3bdf8278cf1240b90131019aed9811ed03baa97c357ce273","include_length": "NONE"}]}'
I also placed a feature request to add “SSHFP” as a predefined record type in the GUI so that you won’t have to use “Unknown Record” anymore.
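The procedure in the comment above (two leading bytes for algorithm and fingerprint type, followed by the digest, submitted as an opaque hex field of a record:unknown object) can be automated and sanity-checked before anything is POSTed. The following Python script is an added example, not code from the post, the comment or Infoblox. It assumes the OpenSSH public-key line format ("<keytype> <base64-blob> [comment]", or the known_hosts variant with a leading hostname) and that the SSHFP fingerprint is the hash over the base64-decoded key blob, as RFC 4255 specifies and as ssh-keygen -l computes it. The sample ed25519 key, the name sshfp.test and the hostnames are constructed for illustration; only the hex RDATA value is taken from the comment above.

```python
"""Build and check SSHFP RDATA for an Infoblox WAPI record:unknown object.

Added example. Assumptions (not from the page): OpenSSH public-key line
format, fingerprint = hash over the decoded key blob (RFC 4255 / RFC 6594).
"""
import base64
import hashlib
import json

# Algorithm numbers from the IANA SSHFP registry (RFC 4255, 6594, 7479).
SSHFP_ALGORITHMS = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# Fingerprint type number and the digest length in bytes it must carry.
SSHFP_FPTYPES = {"sha1": (1, 20), "sha256": (2, 32)}


def sshfp_rdata_hex(pubkey_line: str, fptype: str = "sha256") -> str:
    """Return hex RDATA (algorithm byte, fptype byte, digest) for one key line.

    Accepts "ssh-ed25519 AAAA... comment" as well as known_hosts style
    "host ssh-ed25519 AAAA..." lines.
    """
    tokens = pubkey_line.split()
    for i, tok in enumerate(tokens):
        if tok in SSHFP_ALGORITHMS:
            keytype, b64 = tok, tokens[i + 1]
            break
    else:
        raise ValueError("no supported key type in line")
    blob = base64.b64decode(b64)
    alg = SSHFP_ALGORITHMS[keytype]
    fpt, _ = SSHFP_FPTYPES[fptype]
    digest = hashlib.new(fptype, blob).hexdigest()
    # The "4 leading digits" from the comment are exactly these two bytes.
    return f"{alg:02x}{fpt:02x}{digest}"


def split_rdata(rdata_hex: str):
    """Validate hex RDATA and return (algorithm, fptype, fingerprint_hex).

    Rejects unknown numbers and a digest whose length does not match the
    fingerprint type, which is worth checking since the field is opaque hex.
    """
    raw = bytes.fromhex(rdata_hex)
    if len(raw) < 2:
        raise ValueError("RDATA too short")
    alg, fpt, fp = raw[0], raw[1], raw[2:]
    expected = {num: size for num, size in SSHFP_FPTYPES.values()}
    if fpt not in expected:
        raise ValueError(f"unknown fingerprint type {fpt}")
    if len(fp) != expected[fpt]:
        raise ValueError(f"fptype {fpt} needs {expected[fpt]} bytes, got {len(fp)}")
    if alg not in set(SSHFP_ALGORITHMS.values()):
        raise ValueError(f"unknown algorithm {alg}")
    return alg, fpt, fp.hex()


def wapi_unknown_record(name: str, rdata_hex: str) -> dict:
    """The record:unknown body that the curl command in the comment POSTs."""
    split_rdata(rdata_hex)  # fail early on malformed data
    return {
        "name": name,
        "record_type": "SSHFP",
        "subfield_values": [
            {"field_type": "X", "field_value": rdata_hex, "include_length": "NONE"}
        ],
    }


def presentation(name: str, rdata_hex: str) -> str:
    """Zone-file form, to compare against `dig SSHFP <name>` after the POST."""
    alg, fpt, fp = split_rdata(rdata_hex)
    return f"{name}. IN SSHFP {alg} {fpt} {fp}"


def _ssh_string(b: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length + bytes."""
    return len(b).to_bytes(4, "big") + b


# Constructed sample: a syntactically valid ssh-ed25519 public key whose
# 32-byte point is the bytes 0x01..0x20. It is NOT a real host key.
SAMPLE_ED25519_LINE = "ssh-ed25519 " + base64.b64encode(
    _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(1, 33)))
).decode() + " sample@host"

# The ECDSA / SHA-256 value from the comment above, unchanged.
COMMENT_RDATA = "03020fd72c7883e65b5a3bdf8278cf1240b90131019aed9811ed03baa97c357ce273"

if __name__ == "__main__":
    rdata = sshfp_rdata_hex(SAMPLE_ED25519_LINE)
    print(presentation("sshfp.test", rdata))
    print(json.dumps(wapi_unknown_record("sshfp.test", rdata)))
    print(presentation("sshfp.test", COMMENT_RDATA))
```

Feed it the host's actual /etc/ssh/ssh_host_*_key.pub lines to get the hex for each key type, pass the JSON from wapi_unknown_record as the curl -d body, and then compare the presentation() output with what dig returns from a Grid member to confirm the record landed with the intended algorithm and fingerprint type.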