Hi Anand,

Thank you for your quick reply!

* Anand Buddhdev <[email protected]> [2020-12-23 13:14 (+0100)]:
On 21/12/2020 11:31, Arsen STASIC wrote:
RIPE's DNS Zonemaster version might be outdated, because it does not
support DNSSEC algorithm ED25519. This is the error message:
Signature for DNSKEY with tag 52537 failed to verify with error 'Unknown
cryptographic algorithm'.
https://dnscheck.ripe.net/test/328db6c75665721b

You are correct. We are using an older version of Zonemaster, and it
does not support ED25519.

But the Zonemaster software (Versions: engine 4.0.3, backend 6.0.2, GUI
3.2.1) already has support for DNSSEC algorithm ED25519:
https://www.zonemaster.net/result/c1607f01d96a8d60

It would be good if RIPE's Zonemaster could also list its version numbers.

We are already testing the latest version of Zonemaster, but we also
need to update the OS it runs on, since we need newer versions of
OpenSSL with support for ED25519.

I don't have a date for you, but we hope to update Zonemaster to the
latest version very soon.

I highly appreciate your efforts.

In the meantime, if you need to add or update a DS record for your
zones, please email [email protected] with a complete copy of your domain
object, and we will do the updates for you manually.

This worked out very well.
Now the first reverse DNS zone out of RIPE's address space is signed with
ED25519.

cheers
-arsen
