“tempting smell”? I love that expression! :-)

The full report of where these algorithms are supported can be found at https://www.potaroo.net/ispcol/2021-06/eddi.html

Of the major DNSSEC-validating resolver networks we observed:

Google 8.8.8.8 - Yes
Comcast - No
Reliance Jio - No

so it's a mixed package

Geoff

> On 21 Feb 2022, at 1:28 pm, Nick Cao via dns-wg <[email protected]> wrote:
>
> Nice catch! But who can resist the tempting smell of a brand new
> cryptographic building block? Speaking of the level of support, I personally
> have a low barrier on that: do major public resolvers support it? If that's
> a yes, we are good to go.
>
> On 2/21/22 09:58, Geoff Huston wrote:
>> ok - I’ll bite - why do you want to use Ed25519 or Ed448 for DNSSEC?
>> When I looked at the level of support for Ed25519 last June the measurements
>> showed that "slightly less than one half of all users who use DNS recursive
>> resolvers that perform DNSSEC validation using ECDSA P-256 also treat
>> ED25519 digital signatures as “unknown.” [1]
>> That study concluded with the Q&A:
>> "Is Ed25519 ready for use?
>> In my view, this data is telling us “No!” If you want to take advantage of
>> the smaller signature sizes offered by these curve-based crypto algorithms,
>> then ECDSA P-256 appears to offer similar cryptographic strength with the
>> same key sizes as Ed25519, but with a far more widespread support base for
>> validation.” [1]
>> Hence my question - why are you wanting to sign with an algorithm that does
>> not have anywhere near the level of validating resolver support as ECDSA
>> P-256?
>> thanks,
>> Geoff
>> [1] https://www.potaroo.net/ispcol/2021-06/eddi.html
>>
>>> On 19 Feb 2022, at 1:37 am, Tyrasuki via dns-wg <[email protected]> wrote:
>>>
>>> Also curious myself,
>>>
>>> I was trying to set up DNSSEC for my own and my workplace's network, and
>>> ran into the same issue; the same goes for Ed448.
>>> The newest that seems to be accepted is protocol 14 (ECDSAP384SHA384), so
>>> I've been using this for now.
>>>
>>> Would also be interested in the current status of this.
>>>
>>> Cheers,
>>> Jori (Tyrasuki)
>>> REDP-RIPE
>>>
>>> On 2/18/2022 2:41 PM, Nick Cao via dns-wg wrote:
>>>> When doing a DNSSEC algorithm rollover from ecdsap256sha256 to ed25519
>>>> today, I got the error 'Unknown cryptographic algorithm' when updating the
>>>> ds-rdata field. A quick google search led me to
>>>> https://www.ripe.net/ripe/mail/archives/dns-wg/2021-January/003796.html,
>>>> which dates back to more than a year ago. It seems that the zonemaster
>>>> deployment has not been updated to date, thus I would like to ask about the
>>>> current progress.
>>>>
>>>
>>> --
>>>
>>> To unsubscribe from this mailing list, get a password reminder, or change
>>> your subscription options, please visit:
>>> https://lists.ripe.net/mailman/listinfo/dns-wg
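As an added example (not code from the thread or from zonemaster), this is how the DS RDATA pasted into a ds-rdata field is derived from a DNSKEY for algorithm 15 (ED25519) in Python: key tag per RFC 4034 appendix B and a SHA-256 digest (digest type 2) over the canonical owner name plus the DNSKEY RDATA. The algorithm table is the example's own subset of the IANA registry covering only the numbers discussed above, and the 32-byte key is a constructed dummy, not a real Ed25519 public key.

```python
import hashlib
import struct

# Subset of the IANA DNSSEC algorithm numbers mentioned in the thread (assumption of this example).
ALGORITHMS = {13: "ECDSAP256SHA256", 14: "ECDSAP384SHA384", 15: "ED25519", 16: "ED448"}


def owner_wire(name):
    """Canonical (lower-case) wire form of an owner name: length-prefixed labels, root as 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA (RFC 4034 s2.1): flags(2) | protocol(1) | algorithm(1) | public key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """Key tag (RFC 4034 appendix B): 16-bit word sum of the RDATA with the carry folded back in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, public_key):
    """DS fields (RFC 4034 s5.1) with digest type 2 = SHA-256 (RFC 4509) over owner || DNSKEY RDATA."""
    if algorithm not in ALGORITHMS:
        # Same class of failure a registry tool reports when its algorithm table is stale.
        raise ValueError(f"unknown cryptographic algorithm {algorithm}")
    rdata = dnskey_rdata(flags, protocol, algorithm, public_key)
    digest = hashlib.sha256(owner_wire(owner) + rdata).hexdigest()
    return {"key_tag": key_tag(rdata), "algorithm": algorithm, "digest_type": 2, "digest": digest}


def ds_rdata_text(ds):
    """Presentation form as entered in a ds-rdata field: '<key tag> <algorithm> <digest type> <hex>'."""
    return f"{ds['key_tag']} {ds['algorithm']} {ds['digest_type']} {ds['digest']}"


# Constructed sample: a KSK (flags 257, protocol 3) with a dummy 32-byte key, not a real Ed25519 key.
SAMPLE_KEY = bytes(range(32))
SAMPLE_DS = ds_record("example.com.", 257, 3, 15, SAMPLE_KEY)

if __name__ == "__main__":
    print(ds_rdata_text(SAMPLE_DS))
```

The key tag is only a checksum of the RDATA, so it is the same whichever digest type the registry accepts; the algorithm number is what a stale tool rejects.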
