Hi,
regarding RFC 8624: support for the DNSSEC algorithm ED25519 is only
RECOMMENDED [0].
This is the current distribution of DNSSEC algorithms across all 224 of RIPE's
in-addr.arpa. zones (some of them are counted multiple times because different
hashing algorithms might be used per zone):
awk '$2=="DS" && $4=="5" { print $0 }' *.in-addr.arpa-RIP | wc -l
18
awk '$2=="DS" && $4=="7" { print $0 }' *.in-addr.arpa-RIP | wc -l
30
awk '$2=="DS" && $4=="8" { print $0 }' *.in-addr.arpa-RIP | wc -l
114
awk '$2=="DS" && $4=="10" { print $0 }' *.in-addr.arpa-RIP | wc -l
9
awk '$2=="DS" && $4=="13" { print $0 }' *.in-addr.arpa-RIP | wc -l
208
awk '$2=="DS" && $4=="14" { print $0 }' *.in-addr.arpa-RIP | wc -l
20
awk '$2=="DS" && $4=="15" { print $0 }' *.in-addr.arpa-RIP | wc -l
0
DNSSEC algorithm 5 "RSASHA1" is NOT RECOMMENDED [0], but is still used 18 times.
Please add support for DNSSEC algorithm ED25519.
cheers,
-arsen
[0] https://tools.ietf.org/html/rfc8624#section-3.1
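The awk one-liners above, generalised into two small shell functions (an added example, not part of Arsen's mail): one tallies DS records per algorithm and annotates each with its name and RFC 8624 section 3.1 signing status, the other lists owner names that have no DS record with an algorithm still recommended for signing. The DS lines, owner names, key tags and (shortened) digests are constructed sample data in the same field layout the one-liners assume.

```shell
#!/bin/sh
# Constructed DS records in the layout the awk one-liners assume
# ($2 = RR type, $4 = algorithm number); names, key tags and digests are made up,
# and the digest fields are shortened placeholders.
SAMPLE_DS='a.in-addr.arpa. DS 11111 5 1 4a1f0e9c7b6d5a3e2f1c
a.in-addr.arpa. DS 11111 5 2 9f8e7d6c5b4a39281706
b.in-addr.arpa. DS 22222 7 2 1a2b3c4d5e6f70819203
b.in-addr.arpa. DS 33333 13 2 0c1d2e3f405162738495
c.in-addr.arpa. DS 44444 8 2 7e6d5c4b3a2918f0e1d2
d.in-addr.arpa. DS 55555 15 2 5f4e3d2c1b0a99887766
e.in-addr.arpa. NS ns.e.example.'

count_ds_algorithms() {
  # stdin: DS records; stdout: "<alg> <count> <name> <RFC 8624 signing status>" per algorithm
  awk '
    BEGIN {
      # Algorithm numbers and the "DNSSEC Signing" column of RFC 8624, section 3.1
      name[5]="RSASHA1";            status[5]="NOT RECOMMENDED"
      name[7]="RSASHA1-NSEC3-SHA1"; status[7]="NOT RECOMMENDED"
      name[8]="RSASHA256";          status[8]="MUST"
      name[10]="RSASHA512";         status[10]="NOT RECOMMENDED"
      name[13]="ECDSAP256SHA256";   status[13]="MUST"
      name[14]="ECDSAP384SHA384";   status[14]="MAY"
      name[15]="ED25519";           status[15]="RECOMMENDED"
      name[16]="ED448";             status[16]="MAY"
    }
    $2=="DS" { n[$4]++ }
    END {
      for (a in n) printf "%s %d %s %s\n", a, n[a], ((a in name) ? name[a] : "unassigned"), ((a in status) ? status[a] : "unknown")
    }' | sort -n
}

zones_only_weak_algorithms() {
  # Prints owner names whose every DS record uses an algorithm RFC 8624 marks
  # NOT RECOMMENDED or MUST NOT for signing (1, 3, 5, 6, 7, 10, 12): these zones
  # have no DS with a current algorithm and are the first candidates for a key roll.
  awk '
    BEGIN { weak[1]; weak[3]; weak[5]; weak[6]; weak[7]; weak[10]; weak[12] }
    $2=="DS" { seen[$1]; if (!($4 in weak)) strong[$1] }
    END { for (z in seen) if (!(z in strong)) print z }' | sort
}

printf '%s\n' "$SAMPLE_DS" | count_ds_algorithms
printf '%s\n' "$SAMPLE_DS" | zones_only_weak_algorithms
```

Against the real files this becomes `cat *.in-addr.arpa-RIP | count_ds_algorithms`; note the status column is the signing column of RFC 8624, which differs from the validation column for some algorithms.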
* Arsen STASIC <[email protected]> [2020-12-21 11:31 (+0100)]:
Hi,
RIPE's DNS Zonemaster version might be outdated, because it does not support
DNSSEC algorithm ED25519. This is the error message:
Signature for DNSKEY with tag 52537 failed to verify with error 'Unknown
cryptographic algorithm'.
https://dnscheck.ripe.net/test/328db6c75665721b
But the Zonemaster software (versions: engine 4.0.3, backend 6.0.2, GUI 3.2.1)
already has support for DNSSEC algorithm ED25519:
https://www.zonemaster.net/result/c1607f01d96a8d60
It would be good if RIPE's Zonemaster could also list its version numbers.
cheers,
-Arsen