Or, "does any gTLD registrar support algs 13-14??" Or, "won't anyone validate my zone??"
So, currently, I use Dyn for some gTLD domains that I have that are all DNSSEC-signed. Recently, I decided to start signing some of them with ECDSAP384SHA384. Now I'll just update the DS records and...oh, no algorithm 14 is supported in the drop-down menu for Dyn. Neither are 12 or 13 for that matter.

Okay, time to fire off a note to Dyn tech support and here's the gem of the reply:

> Hello,
>
> Thank you for contacting Dyn Technical Support,
>
> Unfortunately, this maybe something implemented in the future but current
> we only support what you find on that interface.
>
> If you have any other questions or concerns please contact us again at any
> time.
>
> Thank you and take care,

Leaving aside the unfortunate trend regarding the increasing inability of tech support people to construct grammatically-correct sentences, I am kind of surprised and disappointed about this.

So I took a quick look at GoDaddy, and see that they support alg 12 but not 13 and 14.

Then I tried ISC DLV and kept getting errors when trying to paste an alg 14 DNSKEY record and it said that the format was wrong. When I instead pasted in the DS record for said key, a big red error message came up (but it didn't say anything specific like "algorithm not supported"). I'll try to figure out what that means.

It looks like we're starting to get the implementation issues and kinks worked out with signing software when it comes to using these new algorithms, but it seems that the registrars haven't caught up (and I am not sure how many of them want to get caught up).

I understand market forces in the registrar business, but I am wondering if this market isn't suffering from a "race to the bottom" dynamic. I am hoping someone can prove me wrong and suggest a registrar that keeps up with DNSSEC evolution, along with other security best practices.

Any takers?

michael
