Nice catch! But who can resist the tempting smell of a brand new
cryptographic building block? Speaking of the level of support, I
personally have a low barrier on that: do major public resolvers
support it? If that's a yes, we are good to go.
On 2/21/22 09:58, Geoff Huston wrote:
ok - I’ll bite - why do you want to use Ed25519 or Ed448 for DNSSEC?
When I looked at the level of support for Ed25519 last June the measurements showed
that "slightly less than one half of all users who use DNS recursive resolvers
that perform DNSSEC validation using ECDSA P-256 also treat ED25519 digital
signatures as “unknown.” [1]
That study concluded with the Q&A:
"Is Ed25519 ready for use?
In my view, this data is telling us “No!” If you want to take advantage of the
smaller signature sizes offered by these curve-based crypto algorithms, then
ECDSA P-256 appears to offer similar cryptographic strength with the same key
sizes as Ed25519, but with a far more widespread support base for validation.”
[1]
Hence my question - why are you wanting to sign with an algorithm that does not
have anywhere near the level of validating resolver support as ECDSA P-256?
thanks,
Geoff
[1] https://www.potaroo.net/ispcol/2021-06/eddi.html
On 19 Feb 2022, at 1:37 am, Tyrasuki via dns-wg <[email protected]> wrote:
Also curious myself,
I was trying to set up DNSSEC for my own and my workplace's network, and ran
into the same issue, the same goes for Ed448.
The newest that seems to be accepted is protocol 14 (ECDSAP384SHA384), so I've
been using this for now.
Would also be interested in the current status of this.
Cheers,
Jori (Tyrasuki)
REDP-RIPE
On 2/18/2022 2:41 PM, Nick Cao via dns-wg wrote:
When doing a DNSSEC algorithm rollover from ecdsap256sha256 to ed25519 today, I
got the error 'Unknown cryptographic algorithm' when updating ds-rdata field. A
quick google search led me to
https://www.ripe.net/ripe/mail/archives/dns-wg/2021-January/003796.html, which
dates back to more than a year ago. It seems that the zonemaster deployment has
not been updated to date, thus I would like to ask about the current progress.
--
To unsubscribe from this mailing list, get a password reminder, or change your
subscription options, please visit:
https://lists.ripe.net/mailman/listinfo/dns-wg
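The thread turns on two things: a registry front end rejecting DS rdata because its algorithm table predates Ed25519 (15) and Ed448 (16), and the question of what a DS record for such a key actually contains. The following is an added example, not code from the thread, from Zonemaster or from the RIPE Database. It derives the DS rdata for a DNSKEY the way RFC 4034 specifies (key tag from the rdata, digest over the canonical owner name plus the rdata) and then checks a DS rdata string against two algorithm tables, one current and one that stops at 14, to show exactly where an outdated checker says "Unknown cryptographic algorithm". The 32-byte Ed25519 public key is constructed test data, not a real key, and the algorithm and digest-type tables are subsets of the IANA registries.

```python
"""DS rdata generation and validation for a DNSSEC algorithm rollover.

Added example, not from the dns-wg thread. The Ed25519 key below is
constructed test data; the tables are subsets of the IANA registries.
"""
import hashlib
import struct

# Subset of the IANA "DNS Security Algorithm Numbers" registry.
DNSSEC_ALGORITHMS = {
    5: "RSASHA1", 7: "RSASHA1-NSEC3-SHA1", 8: "RSASHA256", 10: "RSASHA512",
    13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448",
}
# An outdated table, as a checker last updated before RFC 8080 would carry.
OUTDATED_ALGORITHMS = {k: v for k, v in DNSSEC_ALGORITHMS.items() if k <= 14}

# DS digest types (IANA "Delegation Signer Digest Algorithms"): hash, length.
DS_DIGEST_TYPES = {1: ("sha1", 20), 2: ("sha256", 32), 4: ("sha384", 48)}


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name such as example.com."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """DNSKEY rdata: 2-byte flags, protocol, algorithm, then the raw key.
    For Ed25519 (15) the public key is the 32-byte raw point (RFC 8080)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B: sum of 16-bit words, carry folded in."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte << 8 if i % 2 == 0 else byte
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner, flags, protocol, algorithm, pubkey, digest_type=2):
    """Presentation-form DS rdata: '<keytag> <alg> <digesttype> <hexdigest>'.
    The digest covers the canonical owner name followed by the DNSKEY rdata."""
    hash_name, _ = DS_DIGEST_TYPES[digest_type]
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    digest = hashlib.new(hash_name, name_to_wire(owner) + rdata).hexdigest()
    return f"{key_tag(rdata)} {algorithm} {digest_type} {digest}"


def check_ds_rdata(text, algorithms=DNSSEC_ALGORITHMS):
    """Validate DS rdata the way a registry front end might.
    Returns (ok, message); the algorithm table decides what counts as known."""
    fields = text.split()
    if len(fields) != 4:
        return False, "DS rdata needs key-tag, algorithm, digest-type, digest"
    try:
        tag, alg, dtype = (int(f) for f in fields[:3])
        digest = bytes.fromhex(fields[3])
    except ValueError:
        return False, "Malformed DS rdata"
    if not 0 <= tag <= 0xFFFF:
        return False, "Key tag out of range"
    if alg not in algorithms:
        return False, f"Unknown cryptographic algorithm {alg}"
    if dtype not in DS_DIGEST_TYPES:
        return False, f"Unknown digest type {dtype}"
    expected_len = DS_DIGEST_TYPES[dtype][1]
    if len(digest) != expected_len:
        return False, f"Digest type {dtype} needs {expected_len} bytes"
    return True, f"{algorithms[alg]} DS record looks well formed"


# Constructed Ed25519 KSK (flags 257 = ZONE|SEP) with a dummy 32-byte key.
EXAMPLE_PUBKEY = bytes([0x01] * 32)
EXAMPLE_DS = ds_rdata("example.com.", 257, 3, 15, EXAMPLE_PUBKEY)

if __name__ == "__main__":
    print("DS:", EXAMPLE_DS)
    print("current table:", check_ds_rdata(EXAMPLE_DS))
    print("outdated table:", check_ds_rdata(EXAMPLE_DS, OUTDATED_ALGORITHMS))
```

The same DS text passes with the current table and fails with the outdated one on the algorithm check alone; nothing about the digest is wrong, which is why re-signing with algorithm 13 or 14 "fixes" the submission without changing anything else. Before submitting a DS for a new algorithm, compare the key tag and digest produced here against what your signer emits (for example `dnssec-dsfromkey`), since a key-tag mismatch means the wrong DNSKEY was hashed.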